Reject certificate in use
Alan DeKok
aland at deployingradius.com
Mon Nov 11 11:12:58 UTC 2024
On Nov 11, 2024, at 3:40 AM, Rodrigo Prieto <rodrigoprieto2019 at gmail.com> wrote:
>
> Thanks for responding. I've been trying but I can't solve it. I am a novice
> user and there are things that escape me. I appreciate your help.
FreeRADIUS isn't something where you can hit a button and it does what you want. FreeRADIUS is more like a set of building blocks. You can build anything you want, but you have to put the pieces together yourself.
You said you wanted to track who is using what certificate. This means using a database. FreeRADIUS doesn't include its own database. Instead, it connects to any external database like redis, SQL, LDAP, etc.
You need to write a database schema to store the data you want. You need to write queries to read and write the data. All of the documentation for how to do this is *database* documentation, and not *FreeRADIUS* documentation. So we're not going to explain here how to use SQL, LDAP, etc. You've got to go read that documentation.
Once you have a schema and queries, you can just add the queries to the FreeRADIUS config.
You then need to decide when / where to run the queries in FreeRADIUS. You can usually write down simple explanations as sentences:
when the user logs in, use the Calling-Station-ID to check the database for certificate information
if it isn't found, let them log in. And then before the server sends an Access-Accept, write the Calling-Station-ID and certificate information to the database.
if the certificate information is found in the database, then compare the found information to the certificate.
if the information doesn't match, reject the user.
When you write down exactly what you want to do, the problem becomes much simpler to solve. It's not a huge unknown thing. Instead, it's broken down into a series of smaller problems, which are easier to solve.
Alan DeKok.
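The four sentences above, written out as FreeRADIUS configuration. This is an added example, not code from the thread or from the FreeRADIUS project. It assumes FreeRADIUS 3.x with EAP-TLS, the default "sql" module instance enabled and pointed at a database, and a hypothetical table named cert_by_mac (its schema is shown in the comment; creating it is database work, as the reply says). The attribute names (Calling-Station-Id, TLS-Client-Cert-Serial, TLS-Client-Cert-Common-Name, Tmp-String-0) are standard FreeRADIUS dictionary attributes; the table and column names are assumptions.

```unlang
# Added example (not from the original thread). Assumes FreeRADIUS 3.x,
# EAP-TLS, and the default "sql" module instance connected to a database
# that already contains this hypothetical table, created outside FreeRADIUS:
#
#   CREATE TABLE cert_by_mac (
#       mac         VARCHAR(64)  PRIMARY KEY,   -- Calling-Station-Id
#       cert_serial VARCHAR(128) NOT NULL,      -- TLS-Client-Cert-Serial
#       cert_cn     VARCHAR(255),               -- TLS-Client-Cert-Common-Name
#       first_seen  TIMESTAMP DEFAULT CURRENT_TIMESTAMP
#   );
#
# This belongs in the post-auth section of the virtual server that handles
# the outer EAP-TLS request (e.g. sites-enabled/default), so it runs after
# the certificate has been validated and before Access-Accept is sent.
post-auth {
    # Only act when an EAP-TLS client certificate was actually presented.
    if (&TLS-Client-Cert-Serial && &Calling-Station-Id) {

        # Step 1: look up the certificate serial previously stored for this MAC.
        # The sql xlat escapes the expanded attribute values before they are
        # placed in the query, so the query is not built from raw client input.
        update request {
            &Tmp-String-0 := "%{sql:SELECT cert_serial FROM cert_by_mac WHERE mac = '%{Calling-Station-Id}'}"
        }

        if (&Tmp-String-0 == "") {
            # Step 2: nothing stored yet. Let the user in, and record the
            # MAC -> certificate pairing before the Access-Accept goes out.
            "%{sql:INSERT INTO cert_by_mac (mac, cert_serial, cert_cn) VALUES ('%{Calling-Station-Id}', '%{TLS-Client-Cert-Serial}', '%{TLS-Client-Cert-Common-Name}')}"
        }
        elsif ("%{Tmp-String-0}" != "%{TLS-Client-Cert-Serial}") {
            # Steps 3 and 4: a different certificate is registered for this
            # MAC, so the comparison fails and the user is rejected.
            update reply {
                &Reply-Message := "Certificate does not match the one registered for this device"
            }
            reject
        }
        # Otherwise the stored serial matches the presented certificate:
        # fall through and let the Access-Accept be sent.
    }
}
```

Two things worth checking before relying on this: Calling-Station-Id is the MAC address the NAS reports for the client, which the client itself controls, so the check binds a certificate to a claimed device identity and only fires once that MAC has a row in the table; and the INSERT only runs after a successful EAP-TLS authentication, so what gets recorded is always a certificate the server has already validated against its CA.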