802.1x computer authentication config issue/question
spartan1833 at hushmail.com
Thu Dec 27 16:23:33 CET 2012
@Phil,
Thanks for the info - appreciate the professional response....I'll
do some additional research.
On Thu, 27 Dec 2012 10:13:43 -0500 "Phil Mayers"
<p.mayers at imperial.ac.uk> wrote:
>On 12/27/2012 02:32 PM, spartan1833 at hushmail.com wrote:
>
>> I played around with the users file in FreeRADIUS but it didn't
>> seem to have any effect unless I put a DEFAULT Auth-Type Reject in
>> the file which blocked everyone regardless of what else I had in
>> the users file. I've Googled around a bit but haven't found any
>> definitive guides on how I would do a FreeRADIUS analog to Windows
>> IAS/NPS policies other than having to include ldap servers and/or
>> other types of external authentication systems which I'm not really
>> interested (at this point) in doing.
>
>LDAP is not an authentication system (not really). It's a directory,
>which is a form of database.
>
>You are, obviously, going to need some form of "database" in which your
>policy "memberships" are stored; FreeRADIUS provides several built-in
>modules (LDAP, SQL, files, passwd-style) that can do this.
>
>However - you're going to run into the fact that EAP-TLS as implemented
>in the 2.x branch doesn't offer very much in the way of authorization -
>the only place you can run a database lookup and be sure you have the
>TLS cert details is post-auth (a virtual server step was added in
>master/3.x).
>
>Basically:
>
> 1. Define a local attribute in raddb/dictionary to hold your groups.
>Note carefully the stuff in the default dictionary file about local
>attribute numbers.
>
> 2. Configure one of the various data lookup modules (passwd and files
>are the simplest but least flexible) to look up the groups based on the
>TLS cert attributes (see below)
>
> 3. Run this module in the post-auth section, and act on the result.
>
>raddb/sites-available/default contains comments to this effect in
>post-auth - search for "TLS-Client" in that file, which also tells you
>the various TLS cert attributes you can use.
>
>About the only difficult bit is step 2; I thought I'd written something
>in the wiki about this, but I can't find it (and I can't log in
>anymore).
>
>If you've got a more specific question, I'll try to reply, but you'll
>need to do a bit of research into the various "database" modules and
>decide which one you want to use first.
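The three steps Phil outlines, worked into one concrete 2.x configuration as an added example; this is not code from the thread or from the FreeRADIUS distribution. The instance name tls_groups, the attribute name Local-Policy-Group, the tls_groups file name, the certificate CNs and the VLAN numbers are all assumed, and it relies on a second rlm_files instance configured with its key and postauth_usersfile options so that the lookup runs in post-auth, where the TLS-Client-Cert-* attributes are known to be present.

```unlang
# --- raddb/dictionary: step 1, a site-local attribute for the group.
#     The comments in that file reserve numbers 3000-4000 for local use.
ATTRIBUTE	Local-Policy-Group	3000	string

# --- raddb/modules/tls_groups: step 2, a second rlm_files instance that
#     matches entries on the client certificate CN instead of User-Name.
#     Assumed instance name and file name.
files tls_groups {
	key = "%{TLS-Client-Cert-Common-Name}"
	postauth_usersfile = ${confdir}/tls_groups
}

# --- raddb/tls_groups: users-file syntax, keyed on the CN. The CNs below
#     are constructed samples. A ":=" check item puts the value in the
#     control list, the same way "Auth-Type := Reject" does in "users".
"laptop-0001.corp.example"	Local-Policy-Group := "domain-computers"
"laptop-0002.corp.example"	Local-Policy-Group := "domain-computers"
"kiosk-lobby.corp.example"	Local-Policy-Group := "kiosks"

# --- raddb/sites-available/default: step 3, run the lookup in post-auth
#     and act on the result.
post-auth {
	# The certificate attributes only exist once EAP-TLS has completed,
	# so the policy is confined to those sessions.
	if (TLS-Client-Cert-Common-Name) {
		tls_groups
		if (!control:Local-Policy-Group) {
			# The CA accepted the certificate, but the machine is not on
			# the list: deny rather than fall through to Access-Accept.
			reject
		}
		if (control:Local-Policy-Group == "kiosks") {
			# Example of acting on the group: put kiosks on their own
			# VLAN (assumed VLAN id). Domain computers get the port default.
			update reply {
				Tunnel-Type := VLAN
				Tunnel-Medium-Type := IEEE-802
				Tunnel-Private-Group-Id := "20"
			}
		}
	}
	Post-Auth-Type REJECT {
		attr_filter.access_reject
	}
}
```

Run the server with `radiusd -X` and watch the post-auth section in the debug output to confirm tls_groups matched the CN and which branch was taken.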