802.1x computer authentication config issue/question

spartan1833 at hushmail.com spartan1833 at hushmail.com
Thu Dec 27 16:19:04 CET 2012


Hi,

Thank you for the...quick reply - thought I had spelled out what I 
was trying to figure out in fairly clear terms:

> or can guide me in how to do local (to the RADIUS server) 
> machine policies - I just want to be able to say "laptop1234...", 
> etc are part of a local group and are authorized (provided that 
> they are properly provisioned with certs, etc).

...but if not then ok I was simply trying to figure out if I was 
able to control machine-only 802.1x authentication against 
FreeRADIUS in a manner similar to how "simple" user authentication 
appears to be done (via the users file). From your response, it 
appears that the answer is "NO" and that an LDAP configuration / 
LDAP groups will be required.

I'll look into that as time allows...and while I appreciate your 
quick response, I think that your comment below is a bit 
unwarranted - one of the points of user groups is to be able to ask 
the question "I don't know how...at least this has been the case 
for the last 15 years that I have been doing this stuff."

Regards...

On Thu, 27 Dec 2012 09:50:03 -0500 "Alan DeKok" 
<aland at deployingradius.com> wrote:
>spartan1833 at hushmail.com wrote:
>> 802.1x appears to be working; any laptop with the certs/config is
>> able to access the wired and/or wireless network and any laptop
>> without is denied access. However, in my previous experience with
>> RADIUS (IAS/NPS in the Windows world), I am able to control access
>> at a policy level as well; any machine not part of a specific group
>> is denied access, regardless of what certificate is installed and
>> what configuration is present on the laptop.
>
>  You can do that in FreeRADIUS, too.  You can do LDAP group 
>comparisons:
>
>http://wiki.freeradius.org/modules/Rlm_ldap
>
>> I played around with the users file in FreeRADIUS but it didn't
>> seem to have any effect unless I put a DEFAULT Auth-Type Reject in
>> the file which blocked everyone regardless of what else I had in
>> the users file.
>
>  Well... playing around isn't useful.  You need to first define the
>problem, and then look for a solution.  The problem here seems to be
>looking up groups in LDAP, right?
>
>  So... configure the LDAP module.  Read its documentation.
>
>> I've Googled around a bit but haven't found any
>> definitive guides on how I would do a FreeRADIUS analog to Windows
>> IAS/NPS policies other than having to include ldap servers and/or
>> other types of external authentication systems which I'm not really
>> interested (at this point) in doing.
>
>  Are groups stored in LDAP?  If so, you need to configure
>FreeRADIUS to talk to the LDAP server.
>
>> Guessing that I'm missing something so hoping that someone else has
>> done this or can guide me in how to do local (to the RADIUS server)
>> machine policies - I just want to be able to say "laptop1234...",
>> etc are part of a local group and are authorized (provided that
>> they are properly provisioned with certs, etc).
>
>  Where are those groups defined?
>
>  Right now, your question is "I want to do stuff but I don't know how".
> You need to describe what you want to do, in detail.
>
>  Alan DeKok.
>-
>List info/subscribe/unsubscribe? See 
>http://www.freeradius.org/list/users.html
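For readers following this thread, here is the users-file behaviour behind the "DEFAULT Auth-Type Reject blocked everyone" observation, as an added example that is neither the poster's configuration nor something from Alan's reply: rlm_files tries entries top to bottom and the first match ends processing unless it sets Fall-Through, so a catch-all reject only works as the last entry and only if the machine entries above it match the exact User-Name the supplicant sends. The "host/<hostname>" identity format, the hostnames, the domain and the LDAP group name are assumptions for illustration; the LDAP variant additionally assumes rlm_ldap is configured as in the wiki page Alan linked.

```text
# FreeRADIUS "users" file fragment for machine-only EAP-TLS (added example,
# assumed names). Entries are matched top to bottom against User-Name; the
# first match wins unless it sets Fall-Through = Yes.
#
# Authorized machines, one entry each. The name on the left must equal the
# identity the supplicant actually sends (Windows machine authentication
# usually sends "host/<hostname>"); if it does not, nothing here matches and
# every request falls through to the DEFAULT reject at the bottom.
"host/laptop1234.example.local"
        Fall-Through = No

"host/laptop5678.example.local"
        Fall-Through = No

# Alternative to listing machines by hand, once rlm_ldap is configured:
# let the group membership decide and reject members of no group.
# (Ldap-Group is the check item rlm_ldap provided in the 2.x releases
# current at the time of this thread; the group name is assumed.)
#DEFAULT Ldap-Group == "authorized-machines"
#        Fall-Through = No

# Catch-all: reached only when no earlier entry matched. It must be the
# last entry; placed first, it would reject everyone.
DEFAULT Auth-Type := Reject
        Reply-Message := "machine not in the local authorized list"
```

Running the server in debug mode (radiusd -X) shows which users-file entry each request matched, which is the quickest way to see whether the machine names above line up with the User-Name the laptops present.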
