Re: any check item available while doing EAP/TLS?

Tue, 22 Feb 2005 18:53:41 -0800 

Thanks for your response. I am sorry that I didn't make myself clear. For
account "Presario 2135AD", I first created this profile:

"Presario 2135AD"       Auth-Type := EAP, NAS-IP-Address == 10.1.2.5
                        Session-Timeout = 300

As we can see, the request from 10.1.2.5 and profile say this account should
connect from  AP at 10.1.2.5. Everything matches and the request accepted.

Then I deleted the above profile and replaced with this one, tried to limit
this  new profile only have access to another AP at 10.1.3.5.

"Presario 2135AD"       Auth-Type := EAP, NAS-IP-Address == 10.1.3.5
                        Session-Timeout = 300

But when user who ownes "Presario 2135AD" certificate tried to connect AP at
10.1.2.5, freeradius still accept connection. Did the new profile say "Presario
2135AD" certificate owner only have access to AP at 10.1.3.5 now? Why
freeradius still accept his requst from AP at 10.1.2.5? No mater what I do,
this user can connect to both AP at 10.1.2.5 and 10.1.3.5. I can't limit this
user connect to only one of these 2 APs.

Any idea?


Vincent Chen

> Hi, all
>
> I don't want my user get a certificate from me and have access to all of
> our AP. I already tried to add NAS-IP-Address,NAS-Identifier as check
> item but none works. No mater which AP I assign as check item for
> certificate, They still have access to all our access points. It is not
> very secure, isn't it?
>
> Here is request log from AP:
> rad_recv: Access-Request packet from host 10.1.2.5:1024, id=171, length=95
>         User-Name = "Presario 2135AD"
>         NAS-IP-Address = 10.1.2.5
>         NAS-Identifier = "AWL500"
>         State = 0x520972a7955c03b6ae1090d3b8e32c36
>         EAP-Message = 0x022a00060d00
>         Message-Authenticator = 0x3e4904287b7a5dfdf7f71e5400bc5f46
>
> I tried these 2 different user profile, they all have full access to all AP.
> Check item NAS-IP-Address seems ignored.
>
> "Presario 2135AD"       Auth-Type := EAP, NAS-IP-Address == 10.1.2.5
>                         Session-Timeout = 300
>
> "Presario 2135AD"       Auth-Type := EAP, NAS-IP-Address == 10.1.3.5
>                         Session-Timeout = 300
>
> As you can see, certificate issued to "Presario 2135AD" accepted by
> freeradius, no mater which AP it was limited to has access. It bothered
> me for weeks, did I do anything wrong? Please help!!!
>
>

I don't quite understand what the problem is.  That radius packet came
from 10.1.2.5 and was the Presario 2135AD user, that should match your
first users file line.  Why would you expect it not to match?

-----------------------------------------------------------------
Yahoo!奇摩造型精靈
最新的造型精靈簽名檔,讓信件獨具個人色彩!
http://tw.avatar.yahoo.com/

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Reply via email to