On Wed, Apr 25, 2012 at 11:52:15AM -0800, Kevin Elliott wrote:
Currently FreeRadius will send back Access-Accepts for *both* user and machine/host accounts (in the Active Directory context of those terms). I would like to configure FreeRadius to ignore or reject authentication requests using the user creditionals. I
How about, in authorize: if (User-Name !~ /host\//) { reject } as all computer auths have a User-Name that begins "host/". Compare the incoming packets for a user auth and a machine auth. They are different enough to determine which is which.
My goal is to implement 802.1x authentication for devices that are joined to the domain. I don't want people to be able to use their domain creditionals to authenticate non-domain devices to our wireless network.
You can use the domain to push certs/keys out to all the authorized devices by policy, and add the devices into a group if you want a limited selection of them to connect. Then you use EAP-TLS, check the username for host/, check the cert was signed by you, and check the host is in the group, then let them in. One of the biggest benefits of a domain is it will manage all the client keys for you.
Debugging Output:
Not really useful - you showed radiusd -X, but stopped before any packets hit. Good job we can occasionally mind-read[0] ;) Cheers Matthew [0] Warning: mind reading is sub-optimal and often wrong. -- Matthew Newton, Ph.D. <mcn4@le.ac.uk> Systems Architect (UNIX and Networks), Network Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk>