LDAP authentication allowed if User Object does not exist.
Alan DeKok
aland at deployingradius.com
Fri Feb 23 09:38:36 CET 2007
Eric Belcher wrote:
> Each student is issued with a certificate that is used to authenticate
> him to the radius server. The certificate name is his MAC address. A
> corresponding NDS account exists for this MAC address.
I presume that's with EAP-TLS?
> However, I have found a flaw I can't seem to find an answer for. I'm
> hoping someone can help.
>
> If the NDS account does not exist, as long as the SSL certificate is not
> revoked and is in the Freeradius database, the student will gain access.
That's how EAP-TLS works. The certificate is valid, not revoked, so
the user *may* be allowed in.
> The radius server, does a lookup, can't find the account and just
> continues on. I need the radius server to reject access, i.e. a missing
> attribute causing a rejection if the account can't be found.
doc/configurable_failover.
If the ldap module returns "notfound", you can reject the user.
Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
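An added example of the return-code override Alan refers to (this is illustrative configuration, not text from the original post or from the FreeRADIUS project docs). It assumes a FreeRADIUS 1.x era `radiusd.conf` where the `ldap` module is listed in the `authorize` section, and that the EAP-TLS identity (User-Name) carries the MAC address used as the LDAP lookup key. The per-module action block changes what the server does when `ldap` returns `notfound`: instead of falling through and letting EAP-TLS finish on the strength of the certificate alone, the request is rejected.

```unlang
# radiusd.conf, authorize section (illustrative, constructed for this example)
authorize {
        preprocess
        eap

        # Look the user up in NDS via LDAP. The lookup key is User-Name,
        # which for this deployment is the MAC address in the certificate.
        ldap {
                # Default behaviour: notfound is treated as "continue".
                # Override it so that an account that does not exist in
                # the directory causes an Access-Reject, even though the
                # certificate itself is valid and not revoked.
                notfound = reject

                # Keep the normal results unchanged.
                ok        = return
                updated   = return
        }
}
```

The override only helps if the LDAP lookup key really is tied to the certificate. In `eap.conf` the `tls` section has a `check_cert_cn` option (for example `check_cert_cn = %{User-Name}`) that makes the server verify the certificate CN matches the presented identity; without a check of that kind, the identity used for the directory lookup and the certificate proving possession of the key could be two different things, and the "account must exist" rule would be checked against the wrong name.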