how to reject users which try to login w/o client certificates

Alan DeKok aland at
Fri Feb 7 14:37:12 CET 2020

On Feb 7, 2020, at 7:37 AM, uj2.hahn at wrote:
> Question: What is an easy way to reject users who are going to connect from a machine which does not have the appropriate client certificate?
> Note: I'm talking about special users only.

  There's no clear definition of "special user".

> Background: At school we have a bunch of electronic whiteboards with WLAN. All of them have the same
> username/passwd with client certs installed.
> Just to be on safe side I like to make sure that nobody else is abusing this username/passwd from another
> device. You never know....

  Check MAC addresses of end user devices.

  Or even better, give each device it's own name / password / client cert.  That way if it shows up in two locations, you know one of them is fraudulent.

  You can also give each device a username and cert name based on the MAC address of the device.  Which means that you can cross-check the MAC in the certificate against the one in the RADIUS packet.

  Alan DeKok.

More information about the Freeradius-Users mailing list