Ivan Kalik <[email protected]> wrote:

> >> >We are currently using EAP-TLS authentication with FreeRADIUS at the place
> >> >where I work right now. Management would like to be able to restrict the use
> >> >of a given certificate for this authentication to specific MAC addresses. In
> >> >other words, for each certificate, the desire is to tie that certificate to
> >> >one or a couple MAC addresses, and to say that that certificate may only be
> >> >used if it is coming from those specific MAC addresses. If the certificate is
> >> >used from a different MAC address, then authentication should fail.
> >> >
> >> >I have tried to look for info on this on the web to no avail. I also
> >> >understand that EAP-TLS authentication generally needs to be left out of the
> >> >users file. But the only way that I can think of to restrict MAC addresses
> >> >would be to place some kind of line involving a Calling-Station-ID in the users
> >> >file. So I am at a loss.
> >>
> >> If you put something like:
> >>
> >> username Calling-Station-Id != whatever, Auth-Type := Reject
> >>
> >> user will not be able to connect.
> >>
> >> Ivan Kalik
> >> Kalik Informatika ISP
> >
> >So how would I do the same thing for a certificate instead of a username?
>
> There will be a username in EAP-TLS request too.

From everything that I have been able to read, the user name in an EAP-TLS request should come from the CN value of the certificate. Does this sound correct?

Thanks.

John Guthrie
[email protected]

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
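As an added illustration (not from the thread), this is one way to express the check Ivan describes in a FreeRADIUS 2.x eap.conf and users file, using a regex match (!~) so that two MAC addresses fit in one entry. The CN "laptop01" and the MAC addresses are made up; check_cert_cn assumes the supplicant sends the certificate CN as its User-Name, which is what ties the users entry to the certificate rather than to a name the client picks.

```text
# raddb/eap.conf (FreeRADIUS 2.x), inside eap { tls { ... } }
# Refuse the TLS handshake unless the certificate CN equals the
# User-Name the supplicant sent, so the users entry below is really
# keyed on the certificate and not on a client-chosen name.
check_cert_cn = %{User-Name}

# raddb/users
# Hypothetical certificate CN "laptop01", permitted from two MACs only.
# The Calling-Station-Id format (00-11-22-33-44-55, 00:11:22:33:44:55,
# 0011.2233.4455, ...) depends on the NAS; confirm it in radiusd -X
# output before relying on the regex.
laptop01    Calling-Station-Id !~ "^(00-11-22-33-44-55|00-11-22-33-44-66)$", Auth-Type := Reject
            Reply-Message = "certificate not permitted from this client"
```

A request carrying this CN from any other Calling-Station-Id is rejected; one from the listed MACs falls through to normal EAP-TLS processing.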

