MAC address restriction with EAP-TLS

tnt at kalik.net tnt at kalik.net
Mon Jan 26 11:37:07 CET 2009


>> >We are currently using EAP-TLS authentication with FreeRADIUS at the place
>> >where I work right now.  Management would like to be able to restrict the use
>> >of a given certificate for this authentication to specific MAC addresses.  In
>> >other words, for each certificate, the desire is to tie that certificate to
>> >one or a couple MAC addresses, and to say that that certificate may only be
>> >used if it is coming from those specific MAC addresses.  If the certificate is
>> >used from a different MAC address, then authentication should fail.
>> >
>> >I have tried to look for info on this on the web to no avail.  I also
>> >understand that EAP-TLS authentication generally needs to be left out of the
>> >users file.  But the only way that I can think of to restrict MAC addresses
>> >would be to place some kind of line involving a Calling-Station-ID in the users
>> >file.  So I am at a loss.
>>
>> If you put something like:
>>
>> username   Calling-Station-Id != whatever, Auth-Type := Reject
>>
>> user will not be able to connect.
>>
>> Ivan Kalik
>> Kalik Informatika ISP
>
>So how would I do the same thing for a certificate instead of a username?

There will be a username in the EAP-TLS request too.

Ivan Kalik
Kalik Informatika ISP
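
Added example, not part of the original post and not FreeRADIUS code: the per-user Calling-Station-Id check from the thread, sketched in Python and extended to several MAC addresses per identity and to the different MAC notations a NAS may send. The function names, user names and addresses are assumptions made up for illustration.

```python
import re

# Constructed sample policy: EAP-TLS User-Name -> MAC addresses allowed to use it.
# All names and addresses here are made up for illustration.
ALLOWED_MACS = {
    "laptop01.example.org": {"00:11:22:33:44:55", "66-77-88-99-AA-BB"},
    "alice": {"0011.2233.4466"},
}


def normalize_mac(value):
    """Return the MAC as 12 lowercase hex digits, or None if it is not a MAC.

    Calling-Station-Id arrives in whatever notation the NAS uses
    (00-11-22-33-44-55, 00:11:22:33:44:55, 0011.2233.4455, 001122334455),
    so a plain string comparison only works if the policy uses that
    exact notation.
    """
    digits = re.sub(r"[-:.\s]", "", value or "").lower()
    return digits if re.fullmatch(r"[0-9a-f]{12}", digits) else None


def mac_permitted(user_name, calling_station_id, policy=ALLOWED_MACS):
    """True if this User-Name may authenticate from this Calling-Station-Id.

    Assumption of this sketch: identities missing from the policy are
    refused (fail closed), as are malformed or absent MAC attributes.
    """
    allowed = policy.get(user_name)
    mac = normalize_mac(calling_station_id)
    if allowed is None or mac is None:
        return False
    return mac in {normalize_mac(entry) for entry in allowed}


if __name__ == "__main__":
    # Constructed (User-Name, Calling-Station-Id) pairs, as a NAS might send them.
    samples = [
        ("alice", "00-11-22-33-44-66"),
        ("alice", "00:11:22:33:44:55"),
        ("laptop01.example.org", "6677.8899.aabb"),
        ("unknown-host", "00:11:22:33:44:55"),
    ]
    for user, mac in samples:
        verdict = "continue EAP-TLS" if mac_permitted(user, mac) else "reject"
        print(f"{user:24} {mac:20} {verdict}")
```
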



