802.1x computer authentication config issue/question

spartan1833 at hushmail.com spartan1833 at hushmail.com
Thu Dec 27 15:32:46 CET 2012


First post and new to FreeRadius though have been using RADIUS in 
the Windows world for many years. I have a small network with a 
Linux server and a mix of Windows XP and Windows 7 laptops that I 
am trying to run 802.1x authentication on. I only want to use 
computer/machine auth (user auth handled elsewhere) so I have 
FreeRADIUS set up to use EAP-TLS. I have the CA cert and the 
appropriate client certs installed on the laptops and appropriate 
client configurations for the switch and AP. I've also config'd the 
laptops to use machine auth only.

802.1x appears to be working; any laptop with the certs/config is 
able to access the wired and/or wireless network and any laptop 
without is denied access. However, in my previous experience with 
RADIUS (IAS/NPS in the Windows world), I am able to control access 
at a policy level as well; any machine not part of a specific group 
is denied access, regardless of what certificate is installed and 
what configuration is present on the laptop.

I played around with the users file in FreeRADIUS but it didn't 
seem to have any effect unless I put a DEFAULT Auth-Type Reject in 
the file which blocked everyone regardless of what else I had in 
the users file. I've Googled around a bit but haven't found any 
definitive guides on how I would do a FreeRADIUS analog to Windows 
IAS/NPS policies other than having to include ldap servers and/or 
other types of external authentication systems which I'm not really 
interested (at this point) in doing.

Guessing that I'm missing something so hoping that someone else has 
done this or can guide me in how to do local (to the RADIUS server) 
machine policies - I just want to be able to say "laptop1234...", 
etc. are part of a local group and are authorized (provided that 
they are properly provisioned with certs, etc.).

Any thoughts - thanks in advance :) 
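One way to express that kind of local machine policy, given here as an added example and not part of the original post: in FreeRADIUS 2.x the eap module fills in TLS-Client-Cert-Common-Name (and the other TLS-Client-Cert-* attributes) only after it has verified the client certificate during the TLS handshake, so a users-file entry in authorize runs too early to see it; post-auth runs once EAP-TLS has completed and does see it. The host names, domain and the placement in raddb/sites-enabled/default are assumptions made for the example.

```unlang
# Added example for raddb/sites-enabled/default (FreeRADIUS 2.x unlang).
# Host names and domain are constructed placeholders, not from the post.
post-auth {
    # Reached only after the eap module accepted the client certificate,
    # so TLS-Client-Cert-Common-Name is populated at this point.
    # A valid cert from a machine outside the "group" is still rejected.
    if (!("%{TLS-Client-Cert-Common-Name}" =~ /^(laptop1234|laptop5678)\.example\.local$/)) {
        update reply {
            Reply-Message := "Certificate valid but machine is not in the authorized group"
        }
        reject
    }

    # ... existing post-auth contents stay below this check ...
}
```

Run radiusd -X while a provisioned laptop connects and confirm that TLS-Client-Cert-Common-Name shows up in the debug output with the value you expect before relying on the pattern; if the supplicant certificates use a different subject layout, key the check on whichever TLS-Client-Cert-* attribute carries the host name.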

