PEAP/MSCHAPv2 - Host Account Authentication Only

Matthew Newton mcn4 at leicester.ac.uk
Thu Apr 26 00:47:48 CEST 2012


On Wed, Apr 25, 2012 at 11:52:15AM -0800, Kevin Elliott wrote:
> Currently FreeRadius will send back Access-Accepts for *both*
> user and machine/host accounts (in the Active Directory context
> of those terms). I would like to configure FreeRadius to ignore
> or reject authentication requests using the user credentials. I

How about, in authorize:

  if (User-Name !~ /^host\//) {
    reject
  }

as all computer auths have a User-Name that begins "host/".

Compare the incoming packets for a user auth and a machine auth.
They are different enough to determine which is which.

> My goal is to implement 802.1x authentication for devices that
> are joined to the domain. I don't want people to be able to use
> their domain credentials to authenticate non-domain devices to
> our wireless network.

You can use the domain to push certs/keys out to all the authorized
devices by policy, and add the devices into a group if you want a
limited selection of them to connect.

Then you use EAP-TLS, check the username for host/, check the cert
was signed by you, and check the host is in the group, then let
them in. One of the biggest benefits of a domain is it will manage
all the client keys for you.

> Debugging Output:

Not really useful - you showed radiusd -X, but stopped before any
packets hit. Good job we can occasionally mind-read[0] ;)

Cheers

Matthew


[0] Warning: mind reading is sub-optimal and often wrong.

-- 
Matthew Newton, Ph.D. <mcn4 at le.ac.uk>

Systems Architect (UNIX and Networks), Network Services,
I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom

For IT help contact helpdesk extn. 2253, <ithelp at le.ac.uk>

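The EAP-TLS policy sketched in the reply above, written out as FreeRADIUS 2.x unlang for raddb/sites-available/default. This is an added example, not configuration from the post or from the FreeRADIUS project. It assumes EAP-TLS is enabled in eap.conf with CA_file pointing at your own CA (that is what actually verifies the certificate signature; the Issuer comparison below is only a second check), that rlm_eap_tls populates the TLS-Client-Cert-* attributes (as it does in 2.x), that rlm_ldap is configured with a filter that resolves "host/..." identities to computer objects (for example by servicePrincipalName), and that rlm_expr is loaded for the tolower xlat. The issuer string and the group DN are placeholders for your own CA and directory.

```unlang
# Added example (not from the original post): "domain-joined machines
# only" over EAP-TLS, FreeRADIUS 2.x unlang syntax.

authorize {
    preprocess

    # Machine auth identity always begins with "host/"; drop anything
    # else before it reaches the eap module.  This is the same check
    # that handles the PEAP/MSCHAPv2 case in the reply above.
    if (User-Name !~ /^host\//) {
        reject
    }

    eap
}

authenticate {
    eap
}

post-auth {
    # post-auth runs only after the TLS handshake has completed, so the
    # TLS-Client-Cert-* attributes set by rlm_eap_tls are present here.

    # The outer identity is chosen by the supplicant and is not itself
    # authenticated.  Tie it to the certificate: host/<fqdn> must match
    # the certificate CN (case-insensitively, via the rlm_expr tolower xlat).
    if (User-Name =~ /^host\/(.+)$/) {
        if ("%{tolower:%{1}}" != "%{tolower:%{TLS-Client-Cert-Common-Name}}") {
            reject
        }
    }

    # CA_file already guarantees the chain; this additionally refuses
    # certificates from any other CA that happens to be in CA_file.
    # Placeholder issuer DN: replace with your own CA's subject.
    if (TLS-Client-Cert-Issuer != "/DC=com/DC=example/CN=Example Machine CA") {
        reject
    }

    # Only the computers you have placed in the group may connect.
    # Placeholder group DN (assumed rlm_ldap filter finds computer objects).
    if (Ldap-Group != "CN=WirelessHosts,OU=Groups,DC=example,DC=com") {
        reject
    }

    # A reject from post-auth turns the Access-Accept into an Access-Reject
    # and runs this sub-section.
    Post-Auth-Type REJECT {
        attr_filter.access_reject
    }
}
```

Test with radiusd -X and let a few EAP exchanges complete: a user certificate (no host/ identity), a machine whose identity does not match its certificate CN, and a domain member outside the group should each produce an Access-Reject, with the debug output showing which `if` fired. On 3.x the group check item is spelled LDAP-Group and the dynamic regex quoting rules differ, so adjust before copying.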
