Best way to deny users not matching any groups in the SQL DB
Alan DeKok
aland at deployingradius.com
Mon Feb 22 16:32:21 CET 2016
On Feb 22, 2016, at 10:28 AM, Sylvain Munaut <s.munaut at whatever-company.com> wrote:
> Well my use case is not that simple :)
> If you're issued a cert you can prove who you are. But then depending
> on who you proved you were, you're going to be granted / denied access
> to whatever you're requesting to access.
That has *nothing to do with EAP-TLS*. You're again confusing two unrelated issues.
> Well I used the "pretending to be someone else" because by default
> everything (group membership / reply attrs / ...) is keyed off
> "User-Name".
> And the User-Name gets filled with the CN if not explicitly told to do
> something else in the client. But without an explicit check it can be
> anything.
Which is why FreeRADIUS exposes the CN, and allows you to check it.
> My understanding ATM is that they can login because they have a
> Cleartext-Password being set that allows one of the auth methods to
> proceed. Sure, the usual way of setting this IS to use DB/file/...
> but if you have special config that sets it any other way, it'll work
> just as well and the presence of the user in DB/files is not actually
> strictly required.
Yes. The authentication process (PAP, CHAP, MS-CHAP) doesn't care where the Cleartext-Password came from. Because it doesn't matter.
>> FreeRADIUS doesn't just let anyone connect when you've not
>> permitted them to.
>
> I never said it did.
That's what you implied.
Alan DeKok.
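An added example, not from this thread or from the FreeRADIUS project, of how the two checks discussed above (comparing the certificate CN that FreeRADIUS exposes against the User-Name the client sent, and denying users who are in no group in the SQL DB) can be written in FreeRADIUS 3.x unlang. It assumes the sql module is configured with group tables, that TLS-Client-Cert-Common-Name is present in the request at post-auth time after an EAP-TLS handshake, and that the group names "staff" and "contractors" are placeholders.

```unlang
# Added example, not from the thread. Goes in the post-auth section of the
# virtual server that handles the EAP-TLS requests (FreeRADIUS 3.x).
post-auth {
    # Only meaningful when a client certificate was presented; for other
    # auth methods the attribute is absent and this block is skipped.
    if (&TLS-Client-Cert-Common-Name) {
        # The CN is the identity the certificate proves. User-Name is only
        # what the client claims, and everything in SQL is keyed off it,
        # so refuse the session if the two disagree.
        if (&User-Name != &TLS-Client-Cert-Common-Name) {
            update reply {
                &Reply-Message := "Certificate CN does not match User-Name"
            }
            reject
        }
    }

    # Deny anyone who is not in at least one known group in the SQL DB.
    # SQL-Group is evaluated by rlm_sql against the user's group rows
    # (looked up by User-Name), so a user with no rows fails every test.
    # "staff" and "contractors" are placeholder group names.
    if (!(&SQL-Group == "staff" || &SQL-Group == "contractors")) {
        update reply {
            &Reply-Message := "User is not a member of any permitted group"
        }
        reject
    }
}
```

Both checks only run after authentication has already succeeded, so a user who exists with a valid Cleartext-Password but matches no group is still turned into an Access-Reject here.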