Eric Belcher wrote:
> Each student is issued with a certificate that is used to authenticate
> him to the radius server. The certificate name is his MAC address. A
> corresponding NDS account exists for this MAC address.

I presume that's with EAP-TLS?

> However, I have found a flaw I can't seem to find an answer for. I'm
> hoping someone can help.
>
> If the NDS account does not exist, as long as the SSL certificate is not
> revoked and is in the Freeradius database, the student will gain access.

That's how EAP-TLS works. The certificate is valid, not revoked, so the user *may* be allowed in.

> The radius server does a lookup, can't find the account and just
> continues on. I need the radius server to reject access: is a missing
> attribute causing a rejection if the account can't be found?

doc/configurable_failover. If the ldap module returns "notfound", you can reject the user.

Alan DeKok.

--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
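The configurable-failover idea from the reply, written out as an added example (this is not configuration from the original post, and not a file shipped with FreeRADIUS). It assumes FreeRADIUS 2.x unlang syntax, an `authorize` section in a virtual server such as `raddb/sites-enabled/default`, and an `ldap` module instance already configured to look accounts up by `User-Name` in the NDS/eDirectory tree. The point is to turn "account not found" from a no-op into an explicit Access-Reject, so a valid, unrevoked certificate alone is no longer sufficient to get on the network:

```unlang
# Added example, not from the original post. Assumes FreeRADIUS 2.x and an
# ldap module instance that searches NDS for the account named by User-Name.
authorize {
    preprocess

    # EAP-TLS rounds after the first are handled entirely by the eap module;
    # "ok = return" stops the rest of this section running for them. On the
    # initial EAP-Identity packet eap returns "updated", so the ldap lookup
    # below still runs exactly once per authentication attempt.
    eap {
        ok = return
    }

    # doc/configurable_failover: override the module's return code so that
    # a missing account (ldap returns "notfound") rejects the request
    # instead of silently continuing to the authenticate section.
    ldap {
        notfound = reject
    }
}
```

The same effect can be written as plain unlang (`ldap` followed by `if (notfound) { reject }`), which reads more clearly if other conditions are added later. Two things to verify before relying on it: the lookup is keyed on `User-Name`, which is the EAP identity the supplicant sends, so that identity must match the MAC-address account name (the certificate name is not what the ldap module searches on); and a `radiusd -X` run with a certificate whose account has been deleted should show `ldap` returning `notfound` followed by an Access-Reject, rather than the previous "continues on" behaviour.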