spartan1833@hushmail.com wrote:
802.1x appears to be working; any laptop with the certs/config is able to access the wired and/or wireless network and any laptop without is denied access. However, in my previous experience with RADIUS (IAS/NPS in the Windows world), I am able to control access at a policy level as well; any machine not part of a specific group is denied access, regardless of what certificate is installed and what configuration is present on the laptop.
You can do that in FreeRADIUS, too. You can do LDAP group comparisons: http://wiki.freeradius.org/modules/Rlm_ldap
I played around with the users file in FreeRADIUS but it didn't seem to have any effect unless I put a DEFAULT Auth-Type Reject in the file which blocked everyone regardless of what else I had in the users file.
Well... playing around isn't useful. You need to first define the problem, and then look for a solution. The problem here seems to be looking up groups in LDAP, right? So... configure the LDAP module. Read it's documentation.
I've Googled around a bit but haven't found any definitive guides on how I would do a FreeRADIUS analog to Windows IAS/NPS policies other than having to include ldap servers and/or other types of external authentication systems which I'm not really interested (at this point) in doing.
Are groups are stored in LDAP? If so, you need to configure FreeRADIUS to talk to the LDAP server.
Guessing that I'm missing something so hoping that someone elss has done this or can guide me in how to do local (to the RADIUS server) machine policies - I just want to be able to say "laptop1234...", etc are part of a local group and are authorized (provided that they are properly provisioned with certs, etc).
Where are those groups defined? Right now, your question is "I want to do stuff but I don't know how". You need to describe what you want to do, in detail. Alan DeKok.