Hi, Thanks you for the...quick reply - thought I had spelled out what I was trying to figure out in fairly clear terms:
or can guide me in how to do local (to the RADIUS server) machine policies - I just want to be able to say "laptop1234...",
etc are part of a local group and are authorized (provided that they are properly provisioned with certs, etc).
...but if not then ok I was simply trying to figure out if I was able to control machine-only 802.1x authentication against FreeRADIUS in a manner similar to how "simple" user authentication appears to be done (via the users file). From your response, it appears that the answer is "NO" and that an LDAP configuration / LDAP groups will be required. I'll look into that as time allows...and while I appreciate your quick response, I think that your comment below is a bit unwarranted - one of the points of user groups is to be able to ask the question "I don't know how...at least this has been the case for the last 15 years that I have been doing this stuff." Regards... On Thu, 27 Dec 2012 09:50:03 -0500 "Alan DeKok" <aland@deployingradius.com> wrote:
spartan1833@hushmail.com wrote:
802.1x appears to be working; any laptop with the certs/config is able to access the wired and/or wireless network and any laptop without is denied access. However, in my previous experience with RADIUS (IAS/NPS in the Windows world), I am able to control access at a policy level as well; any machine not part of a specific group is denied access, regardless of what certificate is installed and what configuration is present on the laptop.
You can do that in FreeRADIUS, too. You can do LDAP group comparisons:
http://wiki.freeradius.org/modules/Rlm_ldap
I played around with the users file in FreeRADIUS but it didn't seem to have any effect unless I put a DEFAULT Auth-Type Reject in the file which blocked everyone regardless of what else I had in
the users file.
Well... playing around isn't useful. You need to first define the problem, and then look for a solution. The problem here seems to be looking up groups in LDAP, right?
So... configure the LDAP module. Read it's documentation.
I've Googled around a bit but haven't found any definitive guides on how I would do a FreeRADIUS analog to Windows IAS/NPS policies other than having to include ldap servers and/or other types of external authentication systems which I'm not really interested (at this point) in doing.
Are groups are stored in LDAP? If so, you need to configure FreeRADIUS to talk to the LDAP server.
Guessing that I'm missing something so hoping that someone elss has done this or can guide me in how to do local (to the RADIUS server) machine policies - I just want to be able to say "laptop1234...", etc are part of a local group and are authorized (provided that they are properly provisioned with certs, etc).
Where are those groups defined?
Right now, your question is "I want to do stuff but I don't know
how". You need to describe what you want to do, in detail.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html