Reject certificate in use
Alexey D. Filimonov
alexey at filimonic.net
Sun Nov 10 12:51:35 UTC 2024
But how do I store attributes in the database? Is there any universal way to
write some "logs" to the database the way I want?
E.g., I want to write the Calling Station ID and certificate thumbprint to the
database in post-auth, and read them back in auth or pre-auth to check.
On 2024-11-10 15:13, Alan DeKok wrote:
> On Nov 9, 2024, at 8:23 PM, Rodrigo Prieto <rodrigoprieto2019 at gmail.com> wrote:
>> Hello, I need to configure that if a client's certificate is in use, it
>> cannot be used by another. I was looking at some examples on the web but it
>> didn't work for me. If you can guide me, I appreciate it.
> First, define "who is using it", and "another system is using it". Once you know that information, the answer is relatively simple.
>
> This usually means *reading* the debug output. Think about what's there. How does the RADIUS server "know" that the certificate is used by machine A versus machine B?
>
> The answer is: by what's in the RADIUS packet. It's that simple. And, the information is in front of you... just read the debug output.
>
> In general, if you want to tie a certificate to a machine, you track the MAC address (Calling-Station-ID) against the certificate. This tracking is done in a database.
>
> Which database? Whatever one you're using, or you want to use.
>
> How to track it? Write policies to look up the Calling-Station-Id and certificate details in the database.
>
> Alan DeKok.
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
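
The tracking discussed in this thread (certificate against Calling-Station-Id, written in post-auth and looked up before authentication), sketched as an added example that is not from the thread and is not FreeRADIUS configuration. The table name `cert_binding`, the function names, the use of SQLite and the shortened thumbprint are assumptions made for illustration; the same two queries can be issued from whatever database the server already uses.

```python
import re
import sqlite3

def normalize_mac(calling_station_id):
    """Reduce any common MAC notation to 12 lowercase hex digits."""
    mac = re.sub(r"[^0-9a-fA-F]", "", calling_station_id).lower()
    if len(mac) != 12:
        raise ValueError("Calling-Station-Id is not a MAC address")
    return mac

def normalize_thumbprint(thumbprint):
    """Strip separators so 'AB:CD' and 'abcd' compare equal."""
    return re.sub(r"[^0-9a-fA-F]", "", thumbprint).lower()

def open_db(path=":memory:"):
    db = sqlite3.connect(path)
    # One row per certificate: the PRIMARY KEY makes the binding unique.
    db.execute("""CREATE TABLE IF NOT EXISTS cert_binding (
                      thumbprint TEXT PRIMARY KEY,
                      mac        TEXT NOT NULL,
                      first_seen TEXT DEFAULT CURRENT_TIMESTAMP)""")
    return db

def check_binding(db, thumbprint, calling_station_id):
    """Lookup step (authorize): 'unbound', 'match' or 'conflict'."""
    row = db.execute("SELECT mac FROM cert_binding WHERE thumbprint = ?",
                     (normalize_thumbprint(thumbprint),)).fetchone()
    if row is None:
        return "unbound"
    return "match" if row[0] == normalize_mac(calling_station_id) else "conflict"

def record_binding(db, thumbprint, calling_station_id):
    """Write step (post-auth): bind on first use, never overwrite."""
    with db:
        db.execute("INSERT OR IGNORE INTO cert_binding (thumbprint, mac) VALUES (?, ?)",
                   (normalize_thumbprint(thumbprint), normalize_mac(calling_station_id)))
    # Re-read: if another request won the race, its MAC is the one on file.
    return check_binding(db, thumbprint, calling_station_id)

if __name__ == "__main__":
    db = open_db()
    cert = "A1:B2:C3:D4"  # constructed, shortened thumbprint
    print(check_binding(db, cert, "AA-BB-CC-DD-EE-01"))
    print(record_binding(db, cert, "AA-BB-CC-DD-EE-01"))
    print(check_binding(db, cert, "aabb.ccdd.ee01"))
    print(check_binding(db, cert, "AA-BB-CC-DD-EE-02"))
```

A policy built on this rejects on `conflict` and accepts on `match` or `unbound`; normalizing both values before comparison matters because different NAS devices format the MAC address differently.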