Reject certificate in use
Alan DeKok
aland at deployingradius.com
Sun Nov 10 12:13:11 UTC 2024
On Nov 9, 2024, at 8:23 PM, Rodrigo Prieto <rodrigoprieto2019 at gmail.com> wrote:
>
> Hello, I need to configure that if a client's certificate is in use, it
> cannot be used by another. I was looking at some examples on the web but it
> didn't work for me. If you can guide me, I appreciate it.
First, define "who is using it", and "another system is using it". Once you know that information, the answer is relatively simple.
This usually means *reading* the debug output. Think about what's there. How does the RADIUS server "know" that the certificate is used by machine A versus machine B?
The answer is: by what's in the RADIUS packet. It's that simple. And, the information is in front of you... just read the debug output.
In general, if you want to tie a certificate to a machine, you track the MAC address (Calling-Station-Id) against the certificate. This tracking is done in a database.
Which database? Whatever one you're using, or you want to use.
How to track it? Write policies to look up the Calling-Station-Id and certificate details in the database.
Alan DeKok.
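
The lookup described in the reply above, sketched as an added example (not code from the original post or from the FreeRADIUS project). It assumes a bind-on-first-use policy, a hypothetical SQLite table `cert_binding`, and that the certificate serial from a single CA is the "certificate detail" being tracked.

```python
import re
import sqlite3

def normalize_mac(calling_station_id):
    """Reduce common MAC notations to 12 lowercase hex digits, else None."""
    compact = re.sub(r"[-:. ]", "", calling_station_id or "").lower()
    return compact if re.fullmatch(r"[0-9a-f]{12}", compact) else None

def open_db(path=":memory:"):
    db = sqlite3.connect(path)
    # Hypothetical schema: one row per certificate, keyed by its serial.
    db.execute("CREATE TABLE IF NOT EXISTS cert_binding ("
               "cert_serial TEXT PRIMARY KEY, mac TEXT NOT NULL)")
    return db

def check_binding(db, cert_serial, calling_station_id):
    """Return (accept, reason) for one authentication attempt."""
    mac = normalize_mac(calling_station_id)
    serial = (cert_serial or "").strip().lower()
    if not serial or mac is None:
        # Without both values there is nothing to compare: fail closed.
        return False, "missing certificate serial or Calling-Station-Id"
    with db:
        # The primary key makes first-use binding atomic: if two machines
        # present a new certificate at once, only one INSERT takes effect.
        db.execute("INSERT OR IGNORE INTO cert_binding VALUES (?, ?)",
                   (serial, mac))
        (bound,) = db.execute(
            "SELECT mac FROM cert_binding WHERE cert_serial = ?",
            (serial,)).fetchone()
    if bound == mac:
        return True, "certificate bound to this machine"
    return False, "certificate already bound to " + bound

if __name__ == "__main__":
    db = open_db()
    # Constructed sample requests: (certificate serial, Calling-Station-Id).
    attempts = [
        ("0A1B", "00-11-22-33-44-55"),   # first use: binds
        ("0a1b", "00:11:22:33:44:55"),   # same machine, other notation
        ("0A1B", "66-77-88-99-AA-BB"),   # different machine: rejected
        ("0A1B", ""),                    # no Calling-Station-Id: rejected
    ]
    for serial, csid in attempts:
        print(serial, csid or "(none)", check_binding(db, serial, csid))
```

The MAC is normalized before comparison because the same machine can appear with different separators or letter case depending on the NAS.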