Best way to deny users not matching any groups in the SQL DB

Matthew Newton mcn4 at leicester.ac.uk
Mon Feb 22 15:49:20 CET 2016


On Mon, Feb 22, 2016 at 03:07:13PM +0100, Sylvain Munaut wrote:
> The cert CN vs User-Name in EAP-TLS is a good example. If I hadn't
> seen that comment in check-eap-tls, I could have completely overlooked
> it and then anyone with a valid cert could just pretend to be someone
> else ...

EAP-TLS is based around one thing - if you can present a valid
certificate then you are permitted to connect.

There's no such thing as "pretending to be someone else". Yes, you
could steal someone else's certificate and key. You could also
steal their username and password for a different authentication
method...

> The very first time I configured FreeRadius, I fully expected that if
> a username wasn't anywhere in the DB, it would fail auth. Obviously
> that's not the case at all and that's not the way it works at all in
> RADIUS, but at the time, I didn't know any better.

check-eap-tls is for the slightly less usual situation where you
want to do additional checks on the client certificate presented.
It's not a "this is how you authenticate this person" - EAP-TLS
authenticates everyone you've issued a certificate to by
definition.

The example case of check-eap-tls (which is the reason I wrote it)
is that we have here a Microsoft domain where all domain joined
PCs are issued certificates, and can therefore connect. But we
want to limit the ones that can connect to a particular subset of
machines.

Usually you would just not issue certs to the PCs you didn't want
to connect. That wasn't possible here, hence the possibility of an
additional check to restrict what would normally be controlled
elsewhere.

This doesn't hold for other parts of FreeRADIUS. Users can log in
because they're in the users file, or a database, etc. Adding them
to those data sources is like issuing the certificate. Not having
them in the database means they can't connect.

FreeRADIUS doesn't just let anyone connect when you've not
permitted them to.

Matthew


-- 
Matthew Newton, Ph.D. <mcn4 at le.ac.uk>

Systems Specialist, Infrastructure Services,
I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom

For IT help contact helpdesk extn. 2253, <ithelp at le.ac.uk>
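The restriction Matthew describes (every valid certificate holder authenticates, an extra policy then limits which machines may connect) as an added unlang example; this is not the shipped check-eap-tls policy nor Matthew's own, and it assumes FreeRADIUS 3.x with EAP-TLS already configured, the attribute TLS-Client-Cert-Common-Name being populated after the handshake, and the two hostnames being constructed sample values.

```unlang
#  Added example, not FreeRADIUS's shipped check-eap-tls policy.
#  Assumes FreeRADIUS 3.x; the server has already validated the
#  client certificate chain before this runs, so the CN below is
#  proven by possession of the private key.
#  Put this in raddb/policy.d/ and call it from the authorize
#  section of the virtual server after "eap".
restrict_eap_tls_machines {
	#  Only act once the TLS handshake has exposed the client cert.
	if (&TLS-Client-Cert-Common-Name) {
		#  User-Name is chosen by the supplicant and is not
		#  authenticated; it must not drive the decision on its own.
		#  Refuse a mismatch so later lookups keyed on User-Name
		#  (users file, SQL groups) cannot be pointed at another
		#  identity than the one the certificate proves.
		if (&User-Name != &TLS-Client-Cert-Common-Name) {
			reject
		}

		#  Allowed subset of domain machines (constructed sample
		#  values). In a real deployment this list would be
		#  replaced by a lookup keyed on the certificate CN.
		switch &TLS-Client-Cert-Common-Name {
			case "pc-lab-01.example.com" {
				ok
			}
			case "pc-lab-02.example.com" {
				ok
			}
			#  Default: a valid certificate that is not in the
			#  permitted subset is refused here, not by EAP-TLS.
			case {
				reject
			}
		}
	}
}
```

Machines without a certificate never reach this policy because the TLS handshake fails first; the policy only narrows the set of holders that EAP-TLS has already authenticated.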

