RE: How to disable machine authentication

Daniel Guimaraes Pena daniel.pena at
Thu Jun 25 19:36:13 CEST 2020

Thanks for this solution =)
Just to report, I did your suggestion in filter policy, after "#  reject mixed case e.g. UseRNaMe" and it's working perfectly:
filter_username {
        if (&User-Name) {
                #  denying machine authentication
                if (&User-Name =~ /\// ) {
                        update request {
                                &Module-Failure-Message += 'Rejected: host authentication not allowed'
                        }
                        reject
                }
        }
}

>  The "Group" attribute checks Unix groups.  Which usually don't have spaces in their names.
About this.. I understood that. (maybe not, but let's try):
For user "monitoramento" command "id monitoramento" shows:
........... 16777729(domain users),..........,10001(BUILTIN\users) 

And this user hit this entry in users file:
DEFAULT         Group == "domain users", Simultaneous-Use := 2
                Idle-Timeout := 300

So, then I tried to do the same with computers...
root at vp2-seg-008:/var/log/freeradius# id M50880
id: ‘M50880’: no such user
root at vp2-seg-008:/var/log/freeradius#

But, when I put "$":
root at vp2-seg-008:/var/log/freeradius# id M50880$
uid=16884786(m50880$) gid=16777731(domain computers) groups=16777731(domain computers),16884786(m50880$)
root at vp2-seg-008:/var/log/freeradius#

And that's why the check for group domain computers does not work: lack of "$".

Thanks a lot for the help!

-----Original Message-----
From: Freeradius-Users < at> On Behalf Of Alan DeKok
Sent: Tuesday, June 23, 2020 20:57
To: FreeRadius users mailing list <freeradius-users at>
Subject: Re: How to disable machine authentication

On Jun 23, 2020, at 6:22 PM, Daniel Guimaraes Pena <daniel.pena at> wrote:
> Is it possible?


> I tried in users file:

  Don't "try" things.  Figure out what's going on, and write rules to match that.

> #
> # Deny access for a group of users.
> #
> # Note that there is NO 'Fall-Through' attribute, so the user will not 
> # be given any additional resources.
> #
> #DEFAULT        Group == "disabled", Auth-Type := Reject
> #               Reply-Message = "Your account has been disabled."
> #
> DEFAULT Group == "Domain Computers", Auth-Type := Reject

  The "Group" attribute checks Unix groups.  Which usually don't have spaces in their names.

>                Reply-Message = "Autenticacao de maquinas desabilitada."
> DEFAULT Group == "TodasContasEspeciais", Auth-Type := Reject
>                Reply-Message = "Autenticacao de contas de servico desabilitada."
> Domain Computers doesn't work. TodasContasEspeciais works fine.

  Maybe.  The debug output isn't clear.

> Logs, if needed. (Sorry for another post so soon... I solved a lot of 
> problems but some...)

  Logs are almost always needed.

> (83533) Received Access-Request Id 116 from to length 296
> (83533)   User-Name = "host/"

  Rejecting machine authentication is simple:

authorize {
	if (User-Name =~ /^host\//) {

  Alan DeKok.

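Added example, not part of the original messages and not FreeRADIUS code: a shell check of the finding above, that a machine arrives as "host/..." in User-Name while the Unix account that carries the "domain computers" group is the name with "$" appended. The function names are hypothetical, and the mapping (first label after "host/" plus "$") is an assumption about how the directory names machine accounts.

```shell
#!/bin/sh
# Added example: map a machine-style User-Name to the account name that
# `id` resolves, then test group membership from `id` output.

# Assumption: the machine account is the first DNS label after "host/" plus "$".
machine_account() {
    case "$1" in
        host/?*) ;;
        *) return 1 ;;               # not a machine-style User-Name
    esac
    ma_name=${1#host/}
    ma_name=${ma_name%%.*}           # drop any domain suffix
    [ -n "$ma_name" ] || return 1
    printf '%s$\n' "$ma_name"
}

# True if a line of `id` output lists group $2. Matching on "(name)," keeps
# group names that contain spaces intact, which `id -Gn` output would not.
id_has_group() {
    ig_list=${1##*groups=}
    ig_list=${ig_list%% context=*}   # ignore an SELinux context, if printed
    case ",$ig_list," in
        *"($2),"*) return 0 ;;
    esac
    return 1
}

# `id` output for M50880$ as quoted in the message above.
SAMPLE_ID='uid=16884786(m50880$) gid=16777731(domain computers) groups=16777731(domain computers),16884786(m50880$)'

# Usage: script 'host/NAME.domain' ['group name']; with no argument, use the sample.
if [ $# -gt 0 ]; then
    acct=$(machine_account "$1") || { echo "$1: not a host/ name"; exit 0; }
    out=$(id -- "$acct" 2>/dev/null) || { echo "$acct: no such account"; exit 0; }
else
    acct='M50880$'; out=$SAMPLE_ID
fi
if id_has_group "$out" "${2:-domain computers}"; then
    echo "$acct is in '${2:-domain computers}'"
else
    echo "$acct is not in '${2:-domain computers}'"
fi
```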