> Hi, all
>
> I don't want my user to get a certificate from me and have access to all of
> our APs. I already tried to add NAS-IP-Address, NAS-Identifier as check
> items but none works. No matter which AP I assign as check item for
> certificate, they still have access to all our access points. It is not
> very secure, is it?
>
> Here is request log from AP:
> rad_recv: Access-Request packet from host 10.1.2.5:1024, id=171, length=95
>         User-Name = "Presario 2135AD"
>         NAS-IP-Address = 10.1.2.5
>         NAS-Identifier = "AWL500"
>         State = 0x520972a7955c03b6ae1090d3b8e32c36
>         EAP-Message = 0x022a00060d00
>         Message-Authenticator = 0x3e4904287b7a5dfdf7f71e5400bc5f46
>
> I tried these 2 different user profiles; they all have full access to all APs.
> Check item NAS-IP-Address seems ignored.
>
> "Presario 2135AD"       Auth-Type := EAP, NAS-IP-Address == 10.1.2.5
>                         Session-Timeout = 300
>
> "Presario 2135AD"       Auth-Type := EAP, NAS-IP-Address == 10.1.3.5
>                         Session-Timeout = 300
>
> As you can see, the certificate issued to "Presario 2135AD" is accepted by
> freeradius; no matter which AP it was limited to, it has access. It has bothered
> me for weeks; did I do anything wrong? Please help!!!
>
>

I don't quite understand what the problem is.  That radius packet came
from 10.1.2.5 and was the Presario 2135AD user; that should match your
first users file line.  Why would you expect it not to match?

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
