PEAP/MSCHAPv2 - Host Account Authentication Only

alan buxey A.L.M.Buxey at
Thu Apr 26 00:53:11 CEST 2012


> Currently FreeRadius will send back Access-Accepts for *both* user and machine/host accounts (in the Active Directory context of those terms). I would like to configure FreeRadius to ignore or reject authentication requests using the user creditionals. I spent the better part of yesterday afternoon searching the mailing list but I couldn't seem to conjure up the correct search terms to find out which configuration files I need to delve into to make this setting.

I guess a simple way would be something like this in authorise {} section of the

if ("%{User-Name}" !~ /^host\/.*\.yourAD\.realm$/i){
           update reply {
                Reply-Message = "Not an host/machine login!"


More information about the Freeradius-Users mailing list