802.1x computer authentication config issue/question
Phil Mayers
p.mayers at imperial.ac.uk
Thu Dec 27 16:12:24 CET 2012
On 12/27/2012 02:32 PM, spartan1833 at hushmail.com wrote:
> I played around with the users file in FreeRADIUS but it didn't
> seem to have any effect unless I put a DEFAULT Auth-Type Reject in
> the file which blocked everyone regardless of what else I had in
> the users file. I've Googled around a bit but haven't found any
> definitive guides on how I would do a FreeRADIUS analog to Windows
> IAS/NPS policies other than having to include ldap servers and/or
> other types of external authentication systems which I'm not really
> interested (at this point) in doing.
LDAP is not an authentication system (not really). It's a directory,
which is a form of database.
You are, obviously, going to need some form of "database" in which your
policy "memberships" are stored; FreeRADIUS provides several built-in
modules (LDAP, SQL, files, passwd-style) that can do this.
However - you're going to run into the fact that EAP-TLS as implemented
in the 2.x branch doesn't offer very much in the way of authorization -
the only place you can run a database lookup and be sure you have the
TLS cert details is post-auth (a virtual server step was added in
master/3.x).
Basically:
1. Define a local attribute in raddb/dictionary to hold your groups.
Note carefully the stuff in the default dictionary file about local
attribute numbers.
2. Configure one of the various data lookup modules (passwd and files
are the simplest but least flexible) to look up the groups based on the
TLS cert attributes (see below).
3. Run this module in the post-auth section, and act on the result.
raddb/sites-available/default contains comments to this effect in
post-auth - search for "TLS-Client" in that file, which also tells you
the various TLS cert attributes you can use.
About the only difficult bit is step 2; I thought I'd written something
in the wiki about this, but I can't find it (and I can't log in anymore).
If you've got a more specific question, I'll try to reply, but you'll
need to do a bit of research into the various "database" modules and
decide which one you want to use first.
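The three steps above, written out as an added example for a FreeRADIUS 2.x server doing EAP-TLS machine authentication. This is not configuration from the message or from the FreeRADIUS project; the attribute name My-Cert-Group and its number 3000, the module instance cert_groups, the lookup file raddb/cert_groups, the machine CNs and the VLAN ids are all assumptions, and the `postauth_usersfile` setting is assumed to be the files-module item its post-auth method reads in 2.x (check raddb/modules/files on your version).

```unlang
# Added example, not from the message above or the FreeRADIUS project.
# Names are assumptions: My-Cert-Group, cert_groups, raddb/cert_groups,
# the machine CNs and the VLAN ids are all made up for illustration.

# --- Step 1: raddb/dictionary -----------------------------------------
# Local attributes use the private number range the default dictionary
# file documents (its commented examples start at 3000).
ATTRIBUTE   My-Cert-Group   3000    string

# --- Step 2: raddb/modules/cert_groups --------------------------------
# A second instance of rlm_files whose "key" is the client certificate
# CN instead of User-Name. The CN only has a value once the TLS
# handshake has completed, which is why this instance runs in post-auth.
# (postauth_usersfile: assumed to be the file the post-auth method reads.)
files cert_groups {
    key = "%{TLS-Client-Cert-Common-Name}"
    postauth_usersfile = ${confdir}/cert_groups
}

# --- Step 2, data: raddb/cert_groups ----------------------------------
# users-file syntax: the first column is matched against "key", and a
# ":=" item on the first line is stored in the control list, where the
# post-auth policy can read it. Constructed sample entries:
lab-pc-01       My-Cert-Group := "lab-workstations"
lab-pc-02       My-Cert-Group := "lab-workstations"
fin-pc-07       My-Cert-Group := "finance"
DEFAULT         My-Cert-Group := "unknown"

# --- Step 3: raddb/sites-available/default, post-auth section ---------
post-auth {
    # Only act on sessions that actually presented a client certificate.
    if (TLS-Client-Cert-Common-Name) {
        cert_groups

        # A cert the CA issued but that is in no known group is rejected;
        # known groups are placed in their VLAN.
        if (control:My-Cert-Group == "unknown") {
            reject
        }
        if (control:My-Cert-Group == "lab-workstations") {
            update reply {
                Tunnel-Type := VLAN
                Tunnel-Medium-Type := IEEE-802
                Tunnel-Private-Group-Id := "20"
            }
        }
        elsif (control:My-Cert-Group == "finance") {
            update reply {
                Tunnel-Type := VLAN
                Tunnel-Medium-Type := IEEE-802
                Tunnel-Private-Group-Id := "30"
            }
        }
    }
}
```

Run `radiusd -X` and watch the post-auth output for the cert_groups lookup: a CN that falls through to DEFAULT shows up as a reject with the certificate's CN in the debug log, which is the check you want before trusting the policy with production machines.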