BLANCA FERRERO RODRIGUEZ wrote:
sorry to insist but could you tell me how to do this exactly? is there any way that I can control this access of users with the users file although they have a correct cert?
you should add a default behaviour which is reject, i.e. a DEFAULT entry with Auth-Type = Reject e.g. and see the Fall-Through variable for a proper usage.
logically, you will have to explicitly add _every_ user which is "known". now, for every pre-configured user, you can reject his access equally by adding an Auth-Type = Reject to his entry.
there are examples in the 'users' file.
attention though: the denial of users will be solely based on the User-Name content. strictly speaking, this is *not* what is certified in the certificate, it is merely data copied from the EAP-Identity field by the NAS. thus, if your wireless client decides to write a name of an authorized user into the EAP-Identity Response, he will be granted access to the system.
to my knowledge, patches are needed to stop this (something has to check whether the User-Name equals something (CN?) in the certificate).
ciao artur
-- Artur Hecker artur[at]hecker.info
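
Added example, not part of the original message and not FreeRADIUS code: a small Python model of the two checks discussed in the reply, a users-file lookup with a default reject, and the same lookup preceded by a comparison of User-Name with the certificate CN. The user table, function names and subject strings are constructed for illustration, and the subject is assumed to be in OpenSSL's one-line `/C=../O=../CN=..` form.

```python
# Added illustration: models the policy logic only, it is not FreeRADIUS code.
# All names and sample data below are constructed for this example.

# Stand-in for the 'users' file: listed names map to an action,
# anything not listed falls to the DEFAULT reject.
USERS = {"alice": "Accept", "bob": "Reject"}
DEFAULT_ACTION = "Reject"


def subject_cn(subject_dn):
    """Return the CN from a subject like '/C=FR/O=Example/CN=alice'.

    Simplified parser: does not handle escaped '/' inside values.
    """
    for part in subject_dn.strip("/").split("/"):
        key, _, value = part.partition("=")
        if key.strip().upper() == "CN":
            return value.strip()
    return None


def users_file_decision(user_name):
    """Decision based only on User-Name, which the NAS copies from EAP-Identity."""
    return USERS.get(user_name, DEFAULT_ACTION)


def bound_decision(user_name, subject_dn):
    """Same lookup, but reject first unless User-Name equals the certificate CN."""
    cn = subject_cn(subject_dn)
    if cn is None or cn != user_name:
        return "Reject"
    return users_file_decision(user_name)


if __name__ == "__main__":
    # Constructed sessions: (User-Name from EAP-Identity, subject of validated cert)
    sessions = [
        ("alice", "/C=FR/O=Example/CN=alice"),  # allowed user, matching cert
        ("bob", "/C=FR/O=Example/CN=bob"),      # valid cert, rejected by name
        ("carol", "/C=FR/O=Example/CN=carol"),  # valid cert, not listed
        ("alice", "/C=FR/O=Example/CN=bob"),    # name does not match the cert
    ]
    for name, dn in sessions:
        print(f"{name:6} {dn:28} users-file={users_file_decision(name):7}"
              f" with-CN-check={bound_decision(name, dn)}")
```

The last session is the case the reply warns about: the users-file lookup alone accepts it, while the CN comparison rejects it.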

