>> BUT, we noted an interesting behaviour. If the client specifies Windows to
>> use another username to login, although freeradius complains that the user
>> doesn't exist on ldap, it seems it still accepts this user, as long as the
>> certificate is fine. So, in this case, if the user isn't allowed to login
>> because of simultaneous use, he still can change the username which he
>> uses, specifying another one (whichever, even if it doesn't exist) and
>> voilà! He can now log in.
>>
>> I'm sure I'm missing something, but I'm not sure what.
>>
>> Any clue?
>
> Read doc/rlm_ldap, bit about access attribute.
>
> Ivan Kalik
Thanks Ivan. My problem is that it seems that even if the user is not allowed to login according to ldap (account doesn't exist or is disabled), access is granted as long as the certificate is valid. Alan Dekok already said that this is how EAP-TLS works, but I'm not sure if it's normal to have freeradius ignoring what rlm_ldap says about the account. Shouldn't it be something like "grant access ONLY if all conditions (valid certificates, valid ldap account) apply"?

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
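As an added illustration, not taken from this thread or from the FreeRADIUS project's own files, here is one way to express the "all conditions must hold" policy in FreeRADIUS 2.x configuration: bind the certificate identity to the User-Name in eap.conf, use the rlm_ldap access attribute Ivan points to, and make the authorize section enforce the ldap result instead of continuing when the account is unknown. The `dialupAccess` attribute name and the trimmed section contents are assumptions about a typical setup.

```conf
# eap.conf, tls section (other keys unchanged): the CN of the client
# certificate must match the User-Name the supplicant sends, so a different
# outer identity cannot be combined with someone else's certificate.
eap {
    tls {
        check_cert_cn = %{User-Name}
    }
}

# modules/ldap (server, basedn, filter unchanged): only accounts carrying the
# access attribute are allowed; rlm_ldap rejects the rest. The attribute name
# is an assumption; use whatever your directory marks enabled accounts with.
ldap {
    access_attr = "dialupAccess"
}

# sites-enabled/default, authorize section: eap is called without the usual
# "ok = return" so the section does not stop before the ldap lookup, and an
# account that ldap cannot find is rejected even if the certificate is valid.
authorize {
    preprocess
    eap
    ldap {
        notfound = reject
    }
}
```

With this in place a request with a valid certificate but a User-Name that does not match the certificate CN, or that has no (authorised) ldap entry, ends in an Access-Reject rather than being accepted on the certificate alone.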

