how to reject users which try to login w/o client certificates

how to reject users which try to login w/o client certificates

uj2.hahn
Hi!
Question: What is an easy way to reject users who are going to connect
from a machine which does not have the appropriate client certificate?
Note: I'm talking about special users only.

Background: At school we have a bunch of electronic whiteboards with
WLAN. All of them have the same username/passwd with client certs
installed. Just to be on the safe side I'd like to make sure that nobody
else is abusing this username/passwd from another device. You never
know....

Thanks a lot

Uwe
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: how to reject users which try to login w/o client certificates

Alan DeKok-2
On Feb 7, 2020, at 7:37 AM, [hidden email] wrote:
> Question: What is an easy way to reject users who are going to connect from a machine which does not have the appropriate client certificate?
> Note: I'm talking about special users only.

  There's no clear definition of "special user".

> Background: At school we have a bunch of electronic whiteboards with WLAN. All of them have the same username/passwd with client certs installed.
> Just to be on the safe side I'd like to make sure that nobody else is abusing this username/passwd from another device. You never know....

  Check MAC addresses of end user devices.

  Or even better, give each device its own name / password / client cert.  That way if it shows up in two locations, you know one of them is fraudulent.

  You can also give each device a username and cert name based on the MAC address of the device.  Which means that you can cross-check the MAC in the certificate against the one in the RADIUS packet.

  Alan DeKok.
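
The cross-check described in the reply above, sketched as an added example (not code from the thread or from FreeRADIUS). It assumes the certificate Common Name and the User-Name both carry the device MAC; the function names and sample values are constructed for illustration. It also covers the "shows up in two locations" check.

```python
import re

# NAS vendors format Calling-Station-Id differently (00-11-22-AA-BB-CC,
# 00:11:22:aa:bb:cc, 0011.22aa.bbcc), so compare canonical forms only.
_SEPARATORS = re.compile(r"[-:.\s]")
_MAC = re.compile(r"[0-9a-f]{12}")


def normalize_mac(value):
    """Return 12 lowercase hex digits, or None if value is not a MAC."""
    if not value:
        return None
    candidate = _SEPARATORS.sub("", value).lower()
    return candidate if _MAC.fullmatch(candidate) else None


def check_request(user_name, cert_cn, calling_station_id):
    """Cross-check User-Name, certificate CN and packet MAC.

    Assumption: per-device credentials are named after the device MAC.
    Returns (accept, reason).
    """
    cert_mac = normalize_mac(cert_cn)
    packet_mac = normalize_mac(calling_station_id)
    if cert_mac is None:
        return False, "no client certificate, or CN is not a MAC"
    if packet_mac is None:
        return False, "Calling-Station-Id missing or malformed"
    if cert_mac != packet_mac:
        return False, "certificate MAC does not match packet MAC"
    if normalize_mac(user_name) != cert_mac:
        return False, "User-Name does not match certificate MAC"
    return True, "ok"


def duplicate_locations(active_sessions):
    """Given (user_name, nas_identifier) pairs for sessions that are
    active at the same time, return the user names seen on more than
    one NAS. With one credential per device, each hit needs a look."""
    seen = {}
    for user, nas in active_sessions:
        seen.setdefault(user, set()).add(nas)
    return sorted(user for user, nases in seen.items() if len(nases) > 1)


if __name__ == "__main__":
    # Constructed sample values, not taken from any real network.
    print(check_request("001122aabbcc", "00:11:22:aa:bb:cc", "00-11-22-AA-BB-CC"))
    print(check_request("001122aabbcc", "00:11:22:aa:bb:cc", "66-77-88-99-00-11"))
    print(duplicate_locations([("001122aabbcc", "ap-1"), ("001122aabbcc", "ap-7")]))
```

The Calling-Station-Id is whatever MAC the NAS reports for the client, so the certificate remains the credential and the MAC comparison is a consistency check on top of it.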

