how to reject users which try to login w/o client certificates
Alan DeKok
aland at deployingradius.com
Fri Feb 7 14:37:12 CET 2020
On Feb 7, 2020, at 7:37 AM, uj2.hahn at posteo.de wrote:
> Question: What is an easy way to reject users who are going to connect from a machine which does not have the appropriate client certificate?
> Note: I'm talking about special users only.
There's no clear definition of "special user".
> Background: At school we have a bunch of electronic whiteboards with WLAN. All of them have the same
> username/passwd with client certs installed.
> Just to be on safe side I like to make sure that nobody else is abusing this username/passwd from another
> device. You never know....
Check MAC addresses of end user devices.
Or even better, give each device its own name / password / client cert. That way if it shows up in two locations, you know one of them is fraudulent.
You can also give each device a username and cert name based on the MAC address of the device. Which means that you can cross-check the MAC in the certificate against the one in the RADIUS packet.
Alan DeKok.
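
The cross-check suggested in the reply above, sketched as an added example that is not part of the original post and is not FreeRADIUS code. It assumes the NAS reports the client MAC in Calling-Station-Id and that each device's username and certificate CN are both `wb-` followed by the 12 hex digits of its MAC; that naming scheme and the function names are hypothetical.

```python
import re

# Hypothetical naming convention (an assumption, not from the thread):
# username and certificate CN are both "wb-" + 12 lowercase hex digits of the MAC.
NAME_RE = re.compile(r"^wb-([0-9a-f]{12})$")

def normalize_mac(value):
    """Return 12 lowercase hex digits, or None if value is not a MAC.

    Accepts the common NAS spellings: 00-11-22-AA-BB-CC, 00:11:22:aa:bb:cc,
    0011.22aa.bbcc, 001122AABBCC.
    """
    digits = re.sub(r"[-:.]", "", value.strip()).lower()
    return digits if re.fullmatch(r"[0-9a-f]{12}", digits) else None

def check_device(user_name, cert_cn, calling_station_id):
    """Return (accept, reason) for one EAP-TLS authentication."""
    if not cert_cn:
        return False, "no client certificate presented"
    m = NAME_RE.match(cert_cn.lower())
    if m is None:
        return False, "certificate CN does not follow device naming scheme"
    if user_name.lower() != cert_cn.lower():
        return False, "User-Name does not match certificate CN"
    packet_mac = normalize_mac(calling_station_id or "")
    if packet_mac is None:
        return False, "Calling-Station-Id is not a MAC address"
    if packet_mac != m.group(1):
        return False, "MAC in certificate differs from MAC in packet"
    return True, "ok"

# Constructed sample requests (not real devices).
SAMPLES = [
    ("wb-001122aabbcc", "wb-001122aabbcc", "00-11-22-AA-BB-CC"),
    ("wb-001122aabbcc", "wb-001122aabbcc", "0011.22aa.bbcc"),
    ("wb-001122aabbcc", "wb-001122aabbcc", "66:77:88:99:00:11"),
    ("wb-001122aabbcc", None, "00-11-22-AA-BB-CC"),
    ("wb-001122aabbcc", "wb-ddeeff001122", "DD-EE-FF-00-11-22"),
]

if __name__ == "__main__":
    for user, cn, csid in SAMPLES:
        print(user, cn, csid, "->", check_device(user, cn, csid))
```

The MAC in the packet is whatever the client presents to the NAS, so the certificate remains the credential; the comparison only flags a request whose identity, certificate and reported MAC do not agree.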