PEAP/MSCHAPv2 - Host Account Authentication Only
Matthew Newton
mcn4 at leicester.ac.uk
Thu Apr 26 00:47:48 CEST 2012
On Wed, Apr 25, 2012 at 11:52:15AM -0800, Kevin Elliott wrote:
> Currently FreeRadius will send back Access-Accepts for *both*
> user and machine/host accounts (in the Active Directory context
> of those terms). I would like to configure FreeRadius to ignore
> or reject authentication requests using the user credentials. I
How about, in authorize:
if (User-Name !~ /host\//) {
    reject
}
as all computer auths have a User-Name that begins "host/".
Compare the incoming packets for a user auth and a machine auth.
They are different enough to determine which is which.
> My goal is to implement 802.1x authentication for devices that
> are joined to the domain. I don't want people to be able to use
> their domain credentials to authenticate non-domain devices to
> our wireless network.
You can use the domain to push certs/keys out to all the authorized
devices by policy, and add the devices into a group if you want a
limited selection of them to connect.
Then you use EAP-TLS, check the username for host/, check the cert
was signed by you, and check the host is in the group, then let
them in. One of the biggest benefits of a domain is it will manage
all the client keys for you.
> Debugging Output:
Not really useful - you showed radiusd -X, but stopped before any
packets hit. Good job we can occasionally mind-read[0] ;)
Cheers
Matthew
[0] Warning: mind reading is sub-optimal and often wrong.
--
Matthew Newton, Ph.D. <mcn4 at le.ac.uk>
Systems Architect (UNIX and Networks), Network Services,
I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom
For IT help contact helpdesk extn. 2253, <ithelp at le.ac.uk>
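The two policies in the reply above (reject anything whose User-Name is not a "host/" machine account, and the stricter EAP-TLS variant that also checks the certificate issuer and group membership) modelled as plain decision functions over constructed request records. This is an added example, not FreeRADIUS unlang or anything from the original thread; the issuer DN, the hostnames and the "authorized group" set are hypothetical, and the name match is anchored at the start of the string, which is tighter than the unanchored regex in the reply.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Matches the AD machine-account form "host/fqdn"; anchored so a user name
# merely containing "host/" somewhere later does not pass.
MACHINE_NAME_RE = re.compile(r"^host/")

# Hypothetical issuer DN of the domain's own CA (the "signed by you" check).
TRUSTED_ISSUER = "CN=Example Domain CA"

# Hypothetical stand-in for membership of the AD group of devices allowed on
# the wireless network.
AUTHORIZED_HOSTS = {
    "host/lab-pc01.example.com",
    "host/lab-pc02.example.com",
}


@dataclass
class Request:
    """The handful of request attributes the two policies look at (constructed)."""
    user_name: str                       # RADIUS User-Name
    eap_type: str = "PEAP"               # "PEAP" or "TLS"
    cert_issuer: Optional[str] = None    # client cert issuer DN, EAP-TLS only


def authorize_machine_only(req: Request) -> str:
    """Model of the 'authorize' snippet: reject unless User-Name starts with host/."""
    if not MACHINE_NAME_RE.match(req.user_name):
        return "reject"
    return "ok"


def authorize_eap_tls_domain_device(req: Request) -> str:
    """Model of the EAP-TLS policy: host/ name, cert from our CA, host in the group."""
    if authorize_machine_only(req) == "reject":
        return "reject"
    if req.eap_type != "TLS":
        return "reject"               # PEAP/MSCHAPv2 carries no client certificate
    if req.cert_issuer != TRUSTED_ISSUER:
        return "reject"               # certificate not issued by the domain CA
    if req.user_name not in AUTHORIZED_HOSTS:
        return "reject"               # joined to the domain but not in the allowed group
    return "ok"


if __name__ == "__main__":
    samples = [
        Request("host/lab-pc01.example.com", "TLS", TRUSTED_ISSUER),  # domain device, allowed
        Request("host/lab-pc03.example.com", "TLS", TRUSTED_ISSUER),  # domain device, not in group
        Request("host/lab-pc01.example.com", "PEAP"),                 # machine account over PEAP
        Request("EXAMPLE\\alice", "PEAP"),                            # user credentials on any device
        Request("alice@example.com", "TLS", "CN=Other CA"),           # user cert from a foreign CA
    ]
    for s in samples:
        print(f"{s.user_name:32} machine-only={authorize_machine_only(s):6} "
              f"eap-tls={authorize_eap_tls_domain_device(s)}")
```

The first function is the whole of the PEAP answer: it decides purely on the name, so it accepts a machine account whatever it was typed into. The second is what makes the "non-domain devices" goal actually hold, since the device must present a certificate the domain issued to it and be listed in the group.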