802.1x computer authentication config issue/question

Phil Mayers p.mayers at imperial.ac.uk
Thu Dec 27 16:12:24 CET 2012 

On 12/27/2012 02:32 PM, spartan1833 at hushmail.com wrote:

> I played around with the users file in FreeRADIUS but it didn't
> seem to have any effect unless I put a DEFAULT Auth-Type Reject in
> the file which blocked everyone regardless of what else I had in
> the users file. I've Googled around a bit but haven't found any
> definitive guides on how I would do a FreeRADIUS analog to Windows
> IAS/NPS policies other than having to include ldap servers and/or
> other types of external authentication systems which I'm not really
> interested (at this point) in doing.

LDAP is not an authentication system (not really). It's a directory, 
which is a form of database.

You are, obviously, going to need some form of "database" in which your 
policy "memberships" are stored; FreeRADIUS provides several built-in 
modules (LDAP, SQL, files, passwd-style) that can do this.

However - you're going to run into the fact that EAP-TLS as implemented 
in the 2.x branch doesn't offer very much in the way of authorization - 
the only place you can run a database lookup and be sure you have the 
TLS cert details is post-auth (a virtual server step was added in 
master/3.x).

Basically:

  1. Define a local attribute in raddb/dictionary to hold your groups. 
Note carefully the stuff in the default dictionary file about local 
attribute numbers.

  2. Configure one of the various data lookup modules (passwd and files 
are the simplest but least flexible) to lookup the groups based on the 
TLS cert attributes (see below)

  3. Run this module in the post-auth section, and act on the result.

raddb/sites-available/default contains comments to this effect in 
post-auth - search for "TLS-Client" in that file, which also tells you 
the various TLS cert attributes you can use.

About the only difficult bit is step 2; I thought I'd written something 
in the wiki about this, but I can't find it (and I can't log in anymore).

If you've got a more specific question, I'll try to reply, but you'll 
need to do a bit of research into the various "database" modules and 
decide which one you want to use first.

More information about the Freeradius-Users mailing list