802.1x computer authentication config issue/question
Alan DeKok
aland at deployingradius.com
Thu Dec 27 15:49:24 CET 2012

spartan1833 at hushmail.com wrote:
> 802.1x appears to be working; any laptop with the certs/config is
> able to access the wired and/or wireless network and any laptop
> without is denied access. However, in my previous experience with
> RADIUS (IAS/NPS in the Windows world), I am able to control access
> at a policy level as well; any machine not part of a specific group
> is denied access, regardless of what certificate is installed and
> what configuration is present on the laptop.

You can do that in FreeRADIUS, too. You can do LDAP group comparisons:

http://wiki.freeradius.org/modules/Rlm_ldap

> I played around with the users file in FreeRADIUS but it didn't
> seem to have any effect unless I put a DEFAULT Auth-Type Reject in
> the file which blocked everyone regardless of what else I had in
> the users file.

Well... playing around isn't useful. You need to first define the
problem, and then look for a solution. The problem here seems to be
looking up groups in LDAP, right?

So... configure the LDAP module. Read its documentation.

> I've Googled around a bit but haven't found any
> definitive guides on how I would do a FreeRADIUS analog to Windows
> IAS/NPS policies other than having to include ldap servers and/or
> other types of external authentication systems which I'm not really
> interested (at this point) in doing.

Are groups stored in LDAP? If so, you need to configure
FreeRADIUS to talk to the LDAP server.

> Guessing that I'm missing something so hoping that someone else has
> done this or can guide me in how to do local (to the RADIUS server)
> machine policies - I just want to be able to say "laptop1234...",
> etc are part of a local group and are authorized (provided that
> they are properly provisioned with certs, etc).

Where are those groups defined?

Right now, your question is "I want to do stuff but I don't know how".
You need to describe what you want to do, in detail.

Alan DeKok.