radius x509 authentication + LDAP ? [SEC=UNCLASSIFIED]

Riccardo Veraldi Riccardo.Veraldi at cnaf.infn.it
Sat May 24 21:02:38 CEST 2008


Hello,
the problem is this.
Not all the people who have a certificate should be able to authenticate on my WiFi
infrastructure.
These certificates are general-purpose, so they are also used for EAP-TLS,
but in my case some users should not be authenticated.
To select which users are to be authenticated and which are not,
I wanted to use LDAP properties. If a user is in the LDAP directory
it should pass; if it is not, it should be refused. But in the end, I am
unable to do it.

So my question now is: can I use the OU field to select whether the user is
valid or not?
How can I tell FreeRADIUS to reject users whose X.509 certificate has an OU
different from a certain value?

thanks

Rick

Alan DeKok wrote:
> Riccardo Veraldi wrote:
>   
>> but authentication is still successful using EAP-TLS even if the user is not
>> in the LDAP directory.
>>
>> any hints ?
>>     
>
>   That's how EAP-TLS works.  If you issued them a certificate, it means
> that they are authenticated.
>
>   If you don't want to authenticate them, I'm curious why you issued
> them a certificate.
>
>   But if you still want to reject them... you can.  Just put them into
> an LDAP group, and reject everyone in that LDAP group.
>
>   Alan DeKok.
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>   
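One way to do the OU check asked about above, as an added example that is not part of this thread and not code from the FreeRADIUS project: a POSIX shell script meant to be run from the client-certificate verify hook in FreeRADIUS 2.x eap.conf (the tls { verify { client = "..." } } setting), which writes the certificate the supplicant presented to a temporary file, expands %{TLS-Client-Cert-Filename} to that path, and rejects the EAP-TLS session when the command exits non-zero. The script path, the allowed OU value "WiFi-Users" and the sample subjects in the comments are assumptions; adjust them to the OU your CA actually stamps on WiFi-entitled certificates.

```shell
#!/bin/sh
# Added example (not from FreeRADIUS or the original post).
# Usage: check_client_ou.sh /path/to/client-cert.pem
# Assumed wiring in FreeRADIUS 2.x eap.conf:
#   tls {
#     verify {
#       client = "/usr/local/bin/check_client_ou.sh %{TLS-Client-Cert-Filename}"
#     }
#   }
# Exit status 0 accepts the certificate, anything else rejects the session.
# ALLOWED_OU is an assumed value: the OU your CA puts on WiFi-entitled certs.

ALLOWED_OU="${ALLOWED_OU:-WiFi-Users}"

# subject_lines FILE: print the subject of a PEM certificate with one RDN per
# line (openssl's sep_multiline form), e.g.
#   subject=
#       CN=rick
#       OU=WiFi-Users
#       O=Example
# The one-per-line form is used on purpose: splitting a one-line subject on
# commas breaks as soon as a value contains an escaped comma.
subject_lines() {
    openssl x509 -in "$1" -noout -subject -nameopt sep_multiline
}

# ou_values TEXT: print every OU value found in subject text in that form.
ou_values() {
    printf '%s\n' "$1" | sed -n 's/^[[:space:]]*OU=//p'
}

# ou_allowed TEXT ALLOWED: succeed only if exactly one OU is present and it
# equals ALLOWED byte for byte. A certificate with no OU, or with several OUs
# (one of which happens to be the allowed one), is refused: a partial or
# case-insensitive match must not open the door.
ou_allowed() {
    ous=$(ou_values "$1")
    [ -n "$ous" ] || return 1
    count=$(printf '%s\n' "$ous" | wc -l | tr -d ' ')
    [ "$count" -eq 1 ] || return 1
    [ "$ous" = "$2" ]
}

# check_cert FILE: 0 (accept) or 1 (reject), with a one-line reason on stderr
# so the decision shows up in the radiusd debug output.
check_cert() {
    subj=$(subject_lines "$1") || { echo "cannot parse $1" >&2; return 1; }
    if ou_allowed "$subj" "$ALLOWED_OU"; then
        return 0
    fi
    flat=$(printf '%s' "$subj" | tr -s '[:space:]' ' ')
    echo "rejecting certificate: OU is not '$ALLOWED_OU' (subject:$flat)" >&2
    return 1
}

# When invoked with a file argument, check it and pass the verdict back to
# radiusd as the exit status.
if [ "${1:-}" != "" ]; then
    check_cert "$1"
    exit $?
fi
```

Two things worth keeping in mind when using this. FreeRADIUS has already validated the chain against the configured CA before the verify hook runs, so this script is an additional policy check on an otherwise valid certificate, not a substitute for chain validation. And the OU is only a useful gate if the CA, not the requester, decides what goes into it; if users can submit CSRs with an arbitrary OU and get them signed, the field proves nothing. The LDAP-group approach Alan describes stays the cleaner option when group membership is already maintained in the directory, since it needs no change on the certificate side.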

More information about the Freeradius-Users mailing list