> I think as I'm using digital certificates (EAP-TLS) to authenticate
> users, and the user has a valid one, if there aren't any additional
> checks in radcheck, the user has already been authenticated due to the
> certificate, and is allowed to enter the network. Is that right?

Yes. But you can still reject them before the certificate is validated. Or, you can have a Certificate Revocation List that marks their certificate as invalid.

> If that's the case, I think about using the exec module to call an
> external shell script which checks if 'UserName' is included in my
> database, and if it's not, modify 'UserName' to something like
> 'Unauthorized', user that will be in a group with an 'Auth-Type = Deny'.
> Do you think there's an easier way?

See "rlm_exec". Run the script, and have the script print "Auth-Type := Reject" to stdout if the user isn't found. That should cause them to be rejected.

Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
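
One way to write the script described in the reply above, as an added example that is not part of the original message or of FreeRADIUS itself. It assumes the exec module passes the User-Name as the first argument and reads the script's stdout as check items; the `ALLOWED_USERS` file and its path are hypothetical stand-ins for the poster's database.

```shell
#!/bin/sh
# Added example: authorization check intended to be run through rlm_exec.
# Assumption: the RADIUS User-Name is passed as the first argument.
# ALLOWED_USERS is a hypothetical allowlist, one user name per line,
# standing in for the database lookup mentioned in the thread.
ALLOWED_USERS="${ALLOWED_USERS:-/etc/raddb/allowed_users}"

# Prints 'Auth-Type := Reject' for a user who must be denied,
# prints nothing for a user who is on the allowlist.
check_user() {
    user=$1

    # The name is supplied by the client. Deny empty names and names with
    # unexpected characters instead of handing them to the lookup.
    case $user in
        ''|*[!A-Za-z0-9._@-]*)
            echo 'Auth-Type := Reject'
            return 0
            ;;
    esac

    # -F: fixed string, -x: whole line, so "ali" never matches "alice"
    # and regex metacharacters have no special meaning.
    if grep -Fxq -- "$user" "$ALLOWED_USERS" 2>/dev/null; then
        return 0
    fi

    # Not listed, or the allowlist could not be read: fail closed.
    echo 'Auth-Type := Reject'
}

# When run as a script with an argument, check that user.
if [ $# -gt 0 ]; then
    check_user "$1"
fi
```

A missing or unreadable allowlist rejects everyone, so the file's permissions and presence are worth monitoring alongside the RADIUS logs.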

