gera wrote:
> BUT, we noted an interesting behaviour. If the client specifies that Windows should use
> another username to log in, although freeradius complains that the user
> doesn't exist on ldap, it seems it still accepts this user, as long as the
> certificate is fine.

That's how EAP-TLS works.

> So, in this case, if the user isn't allowed to log in
> because of simultaneous use, he still can change the username which he uses,
> specifying another one (whichever, even if it doesn't exist) and voilà! He
> can now log in.
>
> I'm sure I'm missing something, but I'm not sure what.

You need to update the CRL to revoke the certificate. The user then can't use it for authentication.

Alan DeKok.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
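As an added illustration (not from the thread above), the shape of the FreeRADIUS eap.conf `tls` section that makes the CRL advice effective: the CA directory must hold the CRL under its OpenSSL hashed name (`openssl crl -hash` / `c_rehash`) and `check_crl` must be on. The `check_cert_cn` line is an assumption on my part about how to bind the presented certificate to the User-Name so that username-keyed checks such as Simultaneous-Use cannot be sidestepped by typing a different name; the option names are the standard FreeRADIUS 2.x ones.

```text
# eap.conf (FreeRADIUS 2.x) -- added example, not the poster's configuration
eap {
    default_eap_type = tls
    tls {
        certdir = ${confdir}/certs
        cadir   = ${confdir}/certs

        private_key_file = ${certdir}/server.pem
        certificate_file = ${certdir}/server.pem
        CA_file          = ${cadir}/ca.pem

        # Directory searched for CA certs and CRLs by OpenSSL hash name.
        # Place the CRL here as <hash>.r0, e.g.
        #   ln -s ca.crl $(openssl crl -in ca.crl -noout -hash).r0
        # and HUP/restart the server after publishing a new CRL.
        CA_path   = ${cadir}
        check_crl = yes

        # Assumption: reject the session unless the certificate CN matches
        # the User-Name the client sent, so the username is no longer a free
        # choice that can be swapped to dodge Simultaneous-Use.
        check_cert_cn = %{User-Name}
    }
}
```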