MAC address restriction with EAP-TLS

tnt at tnt at
Fri Jan 23 21:36:48 CET 2009

>We are currently using EAP-TLS authentication with FreeRADIUS at the place
>where I work right now.  Management would like to be able to restrict the use
>of a given certificate for this authentication to specific MAC addresses.  In
>other words, for each certificate, the desire is to tie that certificate to
>one or a couple MAC addresses, and to say that that certificate may only be
>used if it is coming from those specific MAC addresses.  If the certificate is
>used from a different MAC address, then authentication should fail.
>I have tried to look for info on this on the web to no avail.  I also
>understand that EAP-TLS authentication generally needs to be left out of the
>users file.  But the only way that I can think of to restrict MAC addresses
>would be to place some kind of line involving a Calling-Station-ID in the users
>file.  So I am at a loss.

If you put something like:

username   Calling-Station-Id != whatever, Auth-Type := Reject

the user will not be able to connect.

Ivan Kalik
Kalik Informatika ISP
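
The check item in the reply compares Calling-Station-Id as a literal string, so it matches one MAC in exactly the notation the NAS sends. The Python sketch below is an added example, not part of the original post: it generates the same kind of users-file line with the `!~` regex operator, so that several MACs and different separator or letter-case styles are accepted. The user name and MAC values are constructed, and it assumes the User-Name in the request is the one tied to the certificate.

```python
"""Added example: build users-file check items that pin a user to MAC addresses."""
import re

SEP = "[-:.]?"  # separator styles different NAS vendors use in Calling-Station-Id


def normalize_mac(value: str) -> str:
    """Reduce a MAC in any common notation to 12 lowercase hex digits."""
    digits = re.sub(r"[-:.\s]", "", value).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a MAC address: {value!r}")
    return digits


def mac_regex(value: str) -> str:
    """Regex fragment matching one MAC regardless of separator style or case."""
    digits = normalize_mac(value)
    chars = [f"[{c}{c.upper()}]" if c.isalpha() else c for c in digits]
    pairs = ["".join(chars[i:i + 2]) for i in range(0, 12, 2)]
    return SEP.join(pairs)


def station_regex(macs) -> str:
    """Anchored regex matching any one of the allowed MACs."""
    return "^(" + "|".join(mac_regex(m) for m in macs) + ")$"


def users_entry(username: str, macs) -> str:
    """users-file line shaped like the one in the reply, using !~ instead of !=."""
    return (f'{username}\tCalling-Station-Id !~ "{station_regex(macs)}", '
            "Auth-Type := Reject")


def would_reject(macs, calling_station_id: str) -> bool:
    """Emulate the check item: True when the entry would set Auth-Type := Reject."""
    return re.search(station_regex(macs), calling_station_id) is None


if __name__ == "__main__":
    # Constructed sample: hypothetical user "laptop-cert-01" with two allowed MACs.
    allowed = ["00:11:22:aa:bb:cc", "00-11-22-33-44-55"]
    print(users_entry("laptop-cert-01", allowed))
    for csid in ["00-11-22-AA-BB-CC", "0011.22aa.bbcc", "00-11-22-AA-BB-CD"]:
        print(csid, "reject" if would_reject(allowed, csid) else "allow")
```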
