Re: any check item available while doing EAP/TLS?

Vincent Chen, 02-23-2005

Hi, Dustin

You are absolutely right. There is no matched profile in the /etc/raddb/users file
after NAS-IP-Address changed to 10.1.3.5. In my case, freeradius let the user in.
It was solved after I added the following DEFAULT profile to the /etc/raddb/users file.

DEFAULT Auth-Type := Reject

I don't understand why freeradius let user with no matched profile file in by
default.

Now I have to deal with another problem. My user profiles will be stored in a
postgresql database later. I already inserted the mentioned profile into the database but
don't know how to put the DEFAULT profile into the database yet. Now everyone in the database
has full access to 2 APs just like before. :) Do you have any idea about this?

I really appreciate your help with this issue.

Thanks,


Vincent Chen

---

>
> Thanks for your response. I am sorry that I didn't make myself clear. For
> account "Presario 2135AD", I first created this profile:
>
> "Presario 2135AD" Auth-Type := EAP, NAS-IP-Address == 10.1.2.5
>     Session-Timeout = 300
>
> As we can see, the request from 10.1.2.5 and profile say this account should
> connect from AP at 10.1.2.5. Everything matches and the request accepted.
>
> Then I deleted the above profile and replaced with this one, tried to limit
> this new profile only have access to another AP at 10.1.3.5.
>
> "Presario 2135AD" Auth-Type := EAP, NAS-IP-Address == 10.1.3.5
>     Session-Timeout = 300
>
> But when the user who owns the "Presario 2135AD" certificate tried to connect to the AP at
> 10.1.2.5, freeradius still accepted the connection. Did the new profile say the "Presario
> 2135AD" certificate owner only has access to the AP at 10.1.3.5 now? Why does
> freeradius still accept his request from the AP at 10.1.2.5? No matter what I do,
> this user can connect to both APs at 10.1.2.5 and 10.1.3.5. I can't limit this
> user to connect to only one of these 2 APs.
>
> Any idea?
>


Take a look at the debug output (radiusd -X) and find where your users
file is matched. Then look at those lines in your users file. I would
guess that your user didn't match the 10.1.3.5 entry and then fell through
to some default entry.

List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
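
The fall-through discussed in this thread, as an added example that is not part of the original posts and is not FreeRADIUS code: a simplified Python model of users-file matching, run against the entries quoted above. The function names are hypothetical, and the model assumes that a request carrying a valid client certificate is accepted by the eap module whenever no matched entry sets Auth-Type to Reject.

```python
# Simplified model of FreeRADIUS "users" file matching (illustration only).
# Assumption: the client certificate is valid, so EAP-TLS itself succeeds
# unless a matched entry sets Auth-Type := Reject.

def parse_users(text):
    """Return [(name, [(attr, op, value), ...])] from users-file text."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0] in " \t":          # indented line = reply items, not modelled
            continue
        if line.startswith('"'):      # quoted user name may contain spaces
            name, rest = line[1:].split('"', 1)
        else:
            name, _, rest = line.partition(" ")
        checks = [tuple(item.split()) for item in rest.split(",") if item.strip()]
        entries.append((name, checks))
    return entries

def decide(entries, user, request):
    """Return (decision, matched_entry_name); first matching entry wins."""
    for name, checks in entries:
        if name not in (user, "DEFAULT"):
            continue
        # '==' items must equal the request attribute; ':=' items always match
        if all(request.get(a) == v for a, op, v in checks if op == "=="):
            control = {a: v for a, op, v in checks if op == ":="}
            if control.get("Auth-Type") == "Reject":
                return ("reject", name)
            return ("accept", name)
    return ("accept", None)           # nothing matched: the fail-open case

# Constructed input: the entry from the thread, then the DEFAULT reject entry.
ENTRY = ('"Presario 2135AD" Auth-Type := EAP, NAS-IP-Address == 10.1.3.5\n'
         '\tSession-Timeout = 300\n')
DEFAULT_REJECT = "DEFAULT Auth-Type := Reject\n"
USER = "Presario 2135AD"

if __name__ == "__main__":
    for label, text in (("no DEFAULT", ENTRY), ("with DEFAULT", ENTRY + DEFAULT_REJECT)):
        for nas in ("10.1.2.5", "10.1.3.5"):
            print(label, nas, decide(parse_users(text), USER, {"NAS-IP-Address": nas}))
```

In this model a `(decision, None)` result is the condition to look for in `radiusd -X` output: the request was accepted although no users entry matched it.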