Help on TLS+Active Directory

gera gera at gera.me
Thu Dec 3 00:14:46 CET 2009


>> BUT, we noted an interesting behaviour. If the client specifies Windows to
>> use another username to login, although freeradius complains that the user
>> doesn't exist on ldap, it seems it still accepts this user, as long as the
>> certificate is fine. So, in this case, if the user isn't allowed to login
>> because of simultaneous use, he still can change the username which he
>> uses, specifying another one (whichever, even if it doesn't exist), and
>> voilà! He can now log in.
>>
>> I'm sure I'm missing something, but I'm not sure what.
>>
>> Any clue?
>
> Read doc/rlm_ldap, bit about access attribute.
>
> Ivan Kalik

Thanks, Ivan.

My problem is that it seems that even if the user is not allowed to login
according to ldap (account doesn't exist or is disabled), access is
granted as long as the certificate is valid. Alan DeKok already said that
this is how EAP-TLS works, but I'm not sure if it's normal to have
freeradius ignoring what rlm_ldap says about the account. Shouldn't it be
something like "grant access ONLY if all conditions (valid certificate,
valid ldap account) apply"?
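
For reference, the behaviour described in this thread comes from the ldap module's return code simply being ignored in the authorize section. The following is an added example (not configuration from anyone in this thread) in FreeRADIUS 2.x-style unlang showing the weak form beside a form that only grants access when both the certificate and the ldap account check out; the `check_cert_cn` line additionally ties the certificate to the User-Name the client supplies, so swapping in another username no longer helps. Module names, the `access_attr` setting and the attribute it points at are assumed to match the site's existing rlm_ldap configuration.

```unlang
# sites-enabled/default, weak form: ldap runs and logs "user not found",
# but nothing acts on its result, so eap alone decides the outcome.
authorize {
    preprocess
    ldap
    eap           # EAP-TLS: valid client certificate => Access-Accept
}

# Hardened form: make the ldap lookup a hard requirement.
# `notfound` is rlm_ldap's return code when the account does not exist;
# `userlock` is what it returns when the attribute named by access_attr
# (see doc/rlm_ldap) marks the account as not allowed to dial in.
authorize {
    preprocess
    ldap
    if (notfound || userlock) {
        reject
    }
    eap
}

# eap.conf: bind the certificate to the supplied identity. With this set,
# the CN of the client certificate must equal the expansion of the
# User-Name attribute, so a client cannot present a valid certificate
# under an arbitrary (possibly nonexistent) username.
eap {
    tls {
        check_cert_cn = %{User-Name}
    }
}
```

Test both paths in debug mode (`radiusd -X`): a request whose certificate is valid but whose User-Name is unknown to ldap should now end in an Access-Reject with `ldap` returning `notfound` in the log.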
