Hi all,

I don't want my users to get a certificate from me and have access to all of our APs. I already tried to add NAS-IP-Address and NAS-Identifier as check items, but neither works. No matter which AP I assign as the check item for a certificate, they still have access to all our access points. It is not very secure, is it?
Here is the request log from the AP:

rad_recv: Access-Request packet from host 10.1.2.5:1024, id=171, length=95
        User-Name = "Presario 2135AD"
        NAS-IP-Address = 10.1.2.5
        NAS-Identifier = "AWL500"
        State = 0x520972a7955c03b6ae1090d3b8e32c36
        EAP-Message = 0x022a00060d00
        Message-Authenticator = 0x3e4904287b7a5dfdf7f71e5400bc5f46

I tried these 2 different user profiles; they all have full access to all APs. The check item NAS-IP-Address seems to be ignored.

"Presario 2135AD" Auth-Type := EAP, NAS-IP-Address == 10.1.2.5
        Session-Timeout = 300

"Presario 2135AD" Auth-Type := EAP, NAS-IP-Address == 10.1.3.5
        Session-Timeout = 300

As you can see, the certificate issued to "Presario 2135AD" is accepted by freeradius, and no matter which AP it was limited to, it has access. It has bothered me for weeks. Did I do anything wrong? Please help!!!

Thanks,
Vincent Chen