RE: EAP-TLS reject if CN not in MySQL
In Doc:

    imply a group that changes the default ACTIONs to something like
    fail = 1
    everythingelse = return

Tried in config:

    everythingelse = return

radiusd.conf[1637] Unknown module rcode 'everythingelse'.

Also tried:

    everything_else = return

radiusd.conf[1637] Unknown module rcode 'everything_else'.

Any ideas?

--
Jonathan De Graeve
Network/System Administrator
Imelda vzw Informatica Dienst
015/50.52.98
[EMAIL PROTECTED]

- Always read the manual for the correct way to do things because the number of incorrect ways to do things is almost infinite -

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ben Dowling
Sent: Tuesday, 27 September 2005 22:42
To: FreeRadius users mailing list
Subject: Re: EAP-TLS reject if CN not in MySQL

Brilliant, that does the trick.

Thanks a lot,
Ben

On Tue, 2005-09-27 at 16:05 -0400, Alan DeKok wrote:
> Ben Dowling [EMAIL PROTECTED] wrote:
> > Sorry, I was referring to the username; the CN in the certificate gets
> > sent as the username. My problem is how to reject users with valid
> > certificates, but no entry in the database?
>
>   doc/configurable_failover
>
>   Configure a module "always reject" (see radiusd.conf).
>
>   In authorize, do:
>
>   ...
>   group {
>     sql {
>       notfound = 1
>       ok = return
>       fail = return
>       everything_else = return
>     }
>     reject
>   }
>
>   That says: if the user isn't found in SQL, reject.
>
>   Alan DeKok.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: EAP-TLS reject if CN not in MySQL
Jonathan De Graeve [EMAIL PROTECTED] wrote:
> In Doc:
>
>     imply a group that changes the default ACTIONs to something like
>     fail = 1
>     everythingelse = return
>
> Tried in config:
>
>     everythingelse = return
>
> radiusd.conf[1637] Unknown module rcode 'everythingelse'.

  It was NOT meant to be taken literally.

> Any ideas?

  Read doc/configurable_failover, and type in all the other return codes by hand.

  Alan DeKok.
Re: EAP-TLS reject if CN not in MySQL
Hi,

I still haven't figured this one out, and would really appreciate some help.
I've tried playing around with the DEFAULT profile in the users file, giving
it Auth-Type: Reject, but certificates with CN not in the database are still
authenticated. How do I get freeradius to check for the username in mysql
with EAP-TLS?

Cheers,
Ben

Ben Dowling wrote:
> Hi,
>
> I have freeradius-1.04 configured with MySQL using EAP-TLS and PEAP for
> authentication. I wish to reject users whose common name (CN) is not
> included in the MySQL database.
>
> I have read the thread regarding this exact problem at:
> http://lists.cistron.nl/pipermail/freeradius-users/2004-May/032110.html
> and it seems I need to set the DEFAULT profile to reject. I don't quite
> understand the thread though: is this the DEFAULT profile in the users
> file, or can I configure this in MySQL? Either way, could someone please
> provide me with an example of what the DEFAULT profile entry should look
> like in order to achieve this?
>
> Thanks for the help,
> Ben Dowling
Re: EAP-TLS reject if CN not in MySQL
Ben Dowling [EMAIL PROTECTED] wrote:
> I still haven't figured this one out, and would really appreciate some
> help. I've tried playing around with the DEFAULT profile in the users
> file, giving it Auth-Type: Reject, but certificates with CN not in the
> database are still authenticated. How do I get freeradius to check for
> the username in mysql with EAP-TLS?

  I don't recall if you can get at the CN from the certificate. Maybe try
keying off of the User-Name?

  Alan DeKok.
Re: EAP-TLS reject if CN not in MySQL
Sorry, I was referring to the username; the CN in the certificate gets sent
as the username. My problem is how to reject users with valid certificates,
but no entry in the database?

Cheers,
Ben

On Tue, 2005-09-27 at 14:01 -0400, Alan DeKok wrote:
> Ben Dowling [EMAIL PROTECTED] wrote:
> > I still haven't figured this one out, and would really appreciate some
> > help. I've tried playing around with the DEFAULT profile in the users
> > file, giving it Auth-Type: Reject, but certificates with CN not in the
> > database are still authenticated. How do I get freeradius to check for
> > the username in mysql with EAP-TLS?
>
>   I don't recall if you can get at the CN from the certificate. Maybe
> try keying off of the User-Name?
>
>   Alan DeKok.
Re: EAP-TLS reject if CN not in MySQL
Ben Dowling [EMAIL PROTECTED] wrote:
> Sorry, I was referring to the username; the CN in the certificate gets
> sent as the username. My problem is how to reject users with valid
> certificates, but no entry in the database?

  doc/configurable_failover

  Configure a module "always reject" (see radiusd.conf).

  In authorize, do:

  ...
  group {
    sql {
      notfound = 1
      ok = return
      fail = return
      everything_else = return
    }
    reject
  }

  That says: if the user isn't found in SQL, reject.

  Alan DeKok.
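The snippet above is shorthand: "everything_else" is not a return code FreeRADIUS 1.x understands, which is why the later reply in this thread gets "Unknown module rcode" and is told to type the other codes out by hand. The following radiusd.conf fragment is an added example written for this page, not Alan's or the FreeRADIUS project's own configuration. It assumes 1.x syntax as discussed in the thread, that the "always" module instance is named "reject" (so the bare "reject" line inside the group refers to it), and the return-code list from doc/configurable_failover; a numeric action ("notfound = 1") records the code and continues to the next module, while "return" leaves the group with that code.

```text
# radiusd.conf fragment (FreeRADIUS 1.x syntax) -- added example, not from the thread

modules {
    # ... other module instances (sql, eap, ...) as in the stock config ...

    # A module that does nothing except return the code "reject".
    always reject {
        rcode = reject
    }
}

authorize {
    # ... preprocess, eap and other authorize modules as in the stock config ...

    # Fail closed: a certificate the CA signed is not enough on its own;
    # the User-Name (the certificate CN) must also exist in SQL.
    group {
        sql {
            # user not in SQL: remember the code, fall through to "reject"
            notfound = 1

            # every other outcome leaves the group with sql's own code,
            # so a found user continues through authorize as before
            noop     = return
            ok       = return
            updated  = return
            fail     = return
            reject   = return
            userlock = return
            invalid  = return
            handled  = return
        }
        reject
    }
}
```

With this in place a client that presents a valid certificate whose CN was never entered in the database, or was removed from it, gets an Access-Reject from the authorize section instead of being accepted on the strength of the certificate alone; check with "radiusd -X" that the log shows sql returning "notfound" followed by the reject module for such a user, and "ok" (with no reject line) for a user that is present.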