Re: 802.1x computer authentication config issue/question
Hi, Thanks you for the...quick reply - thought I had spelled out what I was trying to figure out in fairly clear terms:
or can guide me in how to do local (to the RADIUS server) machine policies - I just want to be able to say "laptop1234...",
etc are part of a local group and are authorized (provided that they are properly provisioned with certs, etc).
...but if not then ok I was simply trying to figure out if I was able to control machine-only 802.1x authentication against FreeRADIUS in a manner similar to how "simple" user authentication appears to be done (via the users file). From your response, it appears that the answer is "NO" and that an LDAP configuration / LDAP groups will be required. I'll look into that as time allows...and while I appreciate your quick response, I think that your comment below is a bit unwarranted - one of the points of user groups is to be able to ask the question "I don't know how...at least this has been the case for the last 15 years that I have been doing this stuff." Regards... On Thu, 27 Dec 2012 09:50:03 -0500 "Alan DeKok" <aland@deployingradius.com> wrote:
spartan1833@hushmail.com wrote:
802.1x appears to be working; any laptop with the certs/config is able to access the wired and/or wireless network and any laptop without is denied access. However, in my previous experience with RADIUS (IAS/NPS in the Windows world), I am able to control access at a policy level as well; any machine not part of a specific group is denied access, regardless of what certificate is installed and what configuration is present on the laptop.
You can do that in FreeRADIUS, too. You can do LDAP group comparisons:
http://wiki.freeradius.org/modules/Rlm_ldap
I played around with the users file in FreeRADIUS but it didn't seem to have any effect unless I put a DEFAULT Auth-Type Reject in the file which blocked everyone regardless of what else I had in
the users file.
Well... playing around isn't useful. You need to first define the problem, and then look for a solution. The problem here seems to be looking up groups in LDAP, right?
So... configure the LDAP module. Read it's documentation.
I've Googled around a bit but haven't found any definitive guides on how I would do a FreeRADIUS analog to Windows IAS/NPS policies other than having to include ldap servers and/or other types of external authentication systems which I'm not really interested (at this point) in doing.
Are groups are stored in LDAP? If so, you need to configure FreeRADIUS to talk to the LDAP server.
Guessing that I'm missing something so hoping that someone elss has done this or can guide me in how to do local (to the RADIUS server) machine policies - I just want to be able to say "laptop1234...", etc are part of a local group and are authorized (provided that they are properly provisioned with certs, etc).
Where are those groups defined?
Right now, your question is "I want to do stuff but I don't know
how". You need to describe what you want to do, in detail.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On 12/27/2012 03:19 PM, spartan1833@hushmail.com wrote:
...but if not then ok I was simply trying to figure out if I was able to control machine-only 802.1x authentication against FreeRADIUS in a manner similar to how "simple" user authentication appears to be done (via the users file). From your response, it appears that the answer is "NO" and that an LDAP configuration / LDAP groups will be required.
Not so - that's not what Alan said. You mentioned LDAP - he naturally assumed you were looking in that direction. You can use the "users" file; but you need to alter the config slightly, and due to the way EAP-TLS runs in 2.x, you need to use it in a particular way. Try this: /etc/raddb/modules/tls_clients: files tls_clients { key = "%{TLS-Client-Cert-Common-Name}" usersfile = "/etc/raddb/tls_clients" } /etc/raddb/sites-enabled/default post-auth { ... if (TLS-Client-Cert-Common-Name) { tls_clients.authorize if (notfound) { # reject unknown users reject } } ... } Modify as appropriate for your needs.
I'll look into that as time allows...and while I appreciate your quick response, I think that your comment below is a bit unwarranted - one of the points of user groups is to be able to ask the question "I don't know how...at least this has been the case for the last 15 years that I have been doing this stuff."
Unfortunately, the FreeRADIUS community does not have the depth and breadth to provide the level of support and documentation that something like Apache or Samba does. This means there is more onus on you to be specific. I have my theories about *why* this difference exists - specifically, that FR is a complex infrastructure daemon, which people set up and forget, as opposed to a framework that they constantly use. You see similar issues on other projects (ISC bind, for example) that have these attributes. But whatever the reason, most people post to this list a few times, then vanish - they don't answer questions to people who follow them, write docs or wiki articles, or contribute code. This leads to a relatively small pool of people who can answer, and to the expectation that you be specific so those people can use their time efficiently. Don't take it personally - it's just a function of the community size. Cheers, Phil
spartan1833@hushmail.com wrote:
Thanks you for the...quick reply - thought I had spelled out what I was trying to figure out in fairly clear terms:
Yes, but you didn't saw *how* you wanted this done. You needed to do user group checking. OK, FreeRADIUS isn't a database. I asked you a *specific* question about where the groups were stored. You failed to answer the question. Do you know why the question and answer were important? You have to get away from the Microsoft thinking of "the product has one UI to do everything". And get to the Unix thinking of "a RADIUS server does RADIUS. A database stores data".
...but if not then ok I was simply trying to figure out if I was able to control machine-only 802.1x authentication against FreeRADIUS in a manner similar to how "simple" user authentication appears to be done (via the users file). From your response, it appears that the answer is "NO" and that an LDAP configuration / LDAP groups will be required.
<sigh> No. You can store groups in LDAP, SQL, flat-text files, etc. The documentation contains examples for EACH of those. Just (a) read it, and (b) follow the instructions. It's not hard. And You CAN control EAP-TLS via the "users" file. Just look at the debug output. Take the fields from their (User-Name, etc.), and enter them into the "users" file, with whatever policy you want. Read the "users" file documentation for how to create policies with it. LDAP is *only* to make your life easier.
I'll look into that as time allows...and while I appreciate your quick response, I think that your comment below is a bit unwarranted - one of the points of user groups is to be able to ask the question "I don't know how...at least this has been the case for the last 15 years that I have been doing this stuff."
I asked you specific questions about what you wanted to do, and what you already had. You didn't answer them. So... I'm trying to engage you in a conversation, and you're stone-walling me. As a hint: I've been doing this for 15 years. If I ask a question, it's because the answer HELPS ME HELP YOU. Whining about my response is ridiculous, and just annoys the people who are trying to help you. If you're not going to follow instructions, you will be unsubscribed and banned. I've had 15 years of trying to convince people to REALLY READ THE DOCUMENTATION, and also to REALLY FOLLOW INSTRUCTIONS. I have no more patience for people who can't be bothered to help themselves. Make no mistake, we *are* here to help. But this is a free support list. We assume that you can (a) describe the problem you're having, (b) read the documentation, and (c) follow instructions to fix it. That's all we ask. Alan DeKok.
participants (3)
-
Alan DeKok -
Phil Mayers -
spartan1833ï¼ hushmail.com