>> >We are currently using EAP-TLS authentication with FreeRADIUS at the place
>> >where I work right now. Management would like to be able to restrict the use
>> >of a given certificate for this authentication to specific MAC addresses. In
>> >other words, for each certificate, the desire is to tie that certificate to
>> >one or a couple MAC addresses, and to say that that certificate may only be
>> >used if it is coming from those specific MAC addresses. If the certificate is
>> >used from a different MAC address, then authentication should fail.
>> >
>> >I have tried to look for info on this on the web to no avail. I also
>> >understand that EAP-TLS authentication generally needs to be left out of the
>> >users file. But the only way that I can think of to restrict MAC addresses
>> >would be to place some kind of line involving a Calling-Station-ID in the
>> >users file. So I am at a loss.
>>
>> If you put something like:
>>
>> username Calling-Station-Id != whatever, Auth-Type := Reject
>>
>> user will not be able to connect.
>>
>> Ivan Kalik
>> Kalik Informatika ISP
>
>So how would I do the same thing for a certificate instead of a username?

There will be a username in EAP-TLS request too.

Ivan Kalik
Kalik Informatika ISP
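
Added example, not part of the original thread and not FreeRADIUS code: the per-identity MAC restriction discussed above, written as stand-alone Python that normalizes Calling-Station-Id first, because the attribute's formatting differs between NAS vendors and a plain string comparison would reject a permitted device. The policy table, identity names, MAC values and function names are constructed for illustration.

```python
import re

# Constructed sample policy: identity sent in the EAP-TLS request -> MACs
# that identity may authenticate from. Values are illustrative only.
ALLOWED_MACS = {
    "laptop-017": {"00:11:22:33:44:55", "00:11:22:33:44:66"},
    "printer-03": {"02:00:5e:10:00:01"},
}

_HEX12 = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(value):
    """Return the MAC as aa:bb:cc:dd:ee:ff, or None if it is not a MAC.

    Accepts the common Calling-Station-Id spellings: 00-11-22-33-44-55,
    00:11:22:33:44:55, 0011.2233.4455 and 001122334455, in either case.
    """
    if not value:
        return None
    digits = re.sub(r"[-:.\s]", "", value.strip().lower())
    if not _HEX12.match(digits):
        return None
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def authorize(identity, calling_station_id, policy=ALLOWED_MACS):
    """Return (decision, reason). Fails closed on every unknown case."""
    mac = normalize_mac(calling_station_id)
    if mac is None:
        return ("reject", "missing or malformed Calling-Station-Id")
    allowed = policy.get(identity)
    if allowed is None:
        return ("reject", "no MAC list configured for this identity")
    if mac not in {normalize_mac(m) for m in allowed}:
        return ("reject", "MAC %s not permitted for %s" % (mac, identity))
    return ("accept", "MAC %s permitted for %s" % (mac, identity))


if __name__ == "__main__":
    # Constructed requests: same identity, different NAS formatting.
    for ident, csid in [("laptop-017", "00-11-22-33-44-55"),
                        ("laptop-017", "0011.2233.4466"),
                        ("laptop-017", "02:00:5E:10:00:01"),
                        ("guest", "00:11:22:33:44:55")]:
        print(ident, csid, authorize(ident, csid))
```

The decision is only as strong as its inputs: a MAC address can be changed by the client, so this narrows where a certificate is accepted rather than proving which device holds it.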