Best way to deny users not matching any groups in the SQL DB

Alan DeKok
Mon Feb 22 16:32:21 CET 2016

On Feb 22, 2016, at 10:28 AM, Sylvain Munaut wrote:
> Well my use case is not that simple :)
> If you're issued a cert you can prove who you are. But then depending
> on who you proved you were, you're going to be granted / denied access
> to whatever you're requesting to access.

  That has *nothing to do with EAP-TLS*.  You're again confusing two unrelated issues.

> Well I used the "pretending to be someone else" because by default
> everything (group membership / reply attrs / ...) is keyed off
> "User-Name".
> And the User-Name gets filled with the CN if not explicitly told to do
> something else in the client. But without an explicit check it can be
> anything.

  Which is why FreeRADIUS exposes the CN, and allows you to check it.

> My understanding ATM is that they can login because they have a
> Cleartext-Password being set that allows one of the auth methods to
> proceed. Sure, the usual way of setting this IS to use DB/file/...
> but if you have special config that sets it any other way, it'll work
> just as well and the presence of the user in DB/files is not actually
> strictly required.

  Yes.  The authentication process (PAP, CHAP, MS-CHAP) doesn't care where the Cleartext-Password came from.  Because it doesn't matter.

>> FreeRADIUS doesn't just let anyone connect when you've not
>> permitted them to.
> I never said it did.

  That's what you implied.

  Alan DeKok.
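The two checks Alan points to (verify the certificate CN rather than trusting the client-supplied User-Name, and refuse users who are in no SQL group) can be expressed in unlang. The block below is an added example, not configuration from the thread or from the FreeRADIUS project. It assumes FreeRADIUS 3.0.x, the stock `sql` module with its default `radusergroup` table, and a `tls-config` block in `mods-available/eap` that sets `virtual_server = check-eap-tls`, so that this virtual server is run once OpenSSL has verified the presented client certificate chain and the `TLS-Client-Cert-*` attributes describe the end-entity certificate:

```unlang
# Added example, not from the thread or the FreeRADIUS distribution.
# Assumes FreeRADIUS 3.0.x, the stock "sql" module and its default
# radusergroup table, and  virtual_server = check-eap-tls  in the
# tls-config block of mods-available/eap.
server check-eap-tls {
    authorize {
        # A certificate with no CN gives us nothing to key policy off;
        # reject it instead of silently falling back to User-Name.
        if (!&TLS-Client-Cert-Common-Name) {
            reject
        }

        # The supplicant chooses User-Name freely, so group lookups and
        # reply attributes keyed off it are only trustworthy once it is
        # forced to equal the verified certificate CN.
        # (check_cert_cn = %{User-Name} in tls-config does this same
        # comparison inside the EAP module.)
        if (&User-Name != &TLS-Client-Cert-Common-Name) {
            update request {
                &Module-Failure-Message := "User-Name does not match certificate CN"
            }
            reject
        }

        # Deny any certificate whose CN is in no SQL group. %{sql:...} is
        # the rlm_sql xlat; attribute expansions inside it are SQL-escaped
        # by the module, and the lookup is keyed off the CN, not User-Name.
        if ("%{sql:SELECT COUNT(*) FROM radusergroup WHERE username = '%{TLS-Client-Cert-Common-Name}'}" == "0") {
            update request {
                &Module-Failure-Message := "Certificate CN is not a member of any SQL group"
            }
            reject
        }

        # Anything other than ok/updated makes the TLS handshake fail,
        # so the certificate is refused before any inner auth runs.
        ok
    }
}
```

Because the handshake itself fails on `reject`, a client presenting a valid certificate but an arbitrary User-Name never reaches the point where a Cleartext-Password, wherever it came from, could let a PAP/CHAP/MS-CHAP method succeed. The `Module-Failure-Message` values are only there to make the reason visible in the debug output and in the post-auth logging; they are not required for the check to work.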
