802.1x computer authentication config issue/question

spartan1833 at hushmail.com spartan1833 at hushmail.com
Thu Dec 27 16:23:33 CET 2012


Thanks for the info - appreciate the professional response....I'll 
do some additional research.

On Thu, 27 Dec 2012 10:13:43 -0500 "Phil Mayers" 
<p.mayers at imperial.ac.uk> wrote:
>On 12/27/2012 02:32 PM, spartan1833 at hushmail.com wrote:
>> I played around with the users file in FreeRADIUS but it didn't
>> seem to have any effect unless I put a DEFAULT Auth-Type Reject 
>> the file which blocked everyone regardless of what else I had in
>> the users file. I've Googled around a bit but haven't found any
>> definitive guides on how I would do a FreeRADIUS analog to 
>> IAS/NPS policies other than having to include ldap servers 
>> other types of external authentication systems which I'm not 
>> interested (at this point) in doing.
>LDAP is not an authentication system (not really). It's a 
>which is a form of database.
>You are, obviously, going to need some form of "database" in which 
>policy "memberships" are stored; FreeRADIUS provides several built-
>modules (LDAP, SQL, files, passwd-style) that can do this.
>However - you're going to run into the fact that EAP-TLS as 
>in the 2.x branch doesn't offer very much in the way of 
>authorization - 
>the only place you can run a database lookup and be sure you have 
>TLS cert details is post-auth (a virtual server step was added in 
>  1. Define a local attribute in raddb/dictionary to hold your 
>Note carefully the stuff in the default dictionary file about 
>attribute numbers.
>  2. Configure one of the various data lookup modules (passwd and 
>are the simplest but least flexible) to lookup the groups based on 
>TLS cert attributes (see below)
>  3. Run this module in the post-auth section, and act on the 
>raddb/sites-available/default contains comments to this effect in 
>post-auth - search for "TLS-Client" in that file, which also tells 
>the various TLS cert attributes you can use.
>About the only difficult bit is step 2; I thought I'd written 
>in the wiki about this, but I can't find it (and I can't log in 
>If you've got a more specific question, I'll try to reply, but 
>need to do a bit of research into the various "database" modules 
>decide which one you want to use first.
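The three steps Phil outlines (local dictionary attribute, a lookup module keyed on a TLS certificate attribute, a post-auth check) fit together roughly as follows. This is an added illustration for the FreeRADIUS 2.x layout discussed in the thread, not configuration from the thread or from the FreeRADIUS project; the attribute name My-Cert-Group, the module instance name cert_groups, the file name cert_groups.txt, the sample certificate CNs and the group value "wired-allowed" are all assumptions chosen for the example.

```text
# --- raddb/dictionary (added example) ---
# Local attribute to hold the policy group found for the client certificate.
# Number 3000 follows the note in the default raddb/dictionary that locally
# defined attributes which must never go on the wire use the 3000-4000 range.
ATTRIBUTE   My-Cert-Group   3000    string

# --- raddb/modules/cert_groups (assumed file name) ---
# passwd-style lookup. In the format string "*" marks the key field, which is
# matched against the attribute of that name in the request; a field with no
# prefix is added to the control list ("=" would put it in the reply list).
# The TLS-Client-Cert-* attributes are only present after EAP-TLS has verified
# the certificate, which is why this instance is listed in post-auth below.
passwd cert_groups {
    filename = ${confdir}/cert_groups.txt
    format = "*TLS-Client-Cert-Common-Name:My-Cert-Group"
    delimiter = ":"
    hash_size = 100
    ignore_nislike = no
    allow_multiple_keys = no
}

# --- raddb/cert_groups.txt (constructed sample data) ---
# <certificate common name>:<policy group>
#   laptop01.example.net:wired-allowed
#   printer07.example.net:wired-denied

# --- raddb/sites-available/default, post-auth section ---
post-auth {
    # Look the certificate CN up; a CN with no entry adds nothing and the
    # module returns noop, so an unknown machine falls through to reject.
    cert_groups

    if (control:My-Cert-Group == "wired-allowed") {
        ok
    }
    else {
        update reply {
            Reply-Message = "Certificate %{TLS-Client-Cert-Common-Name} is not authorised for this network"
        }
        reject
    }
}
```

Two practical notes. The check fails closed: only a CN that is present in the file with exactly the allowed group gets through, so a typo in the data file denies rather than admits. Keying on the common name means any certificate the CA has issued with that CN is accepted; if the CA can issue more than one certificate per name, keying on TLS-Client-Cert-Serial (or combining CN and issuer) is tighter, and revocation still has to be handled by the CRL/OCSP settings of the EAP-TLS module, not by this lookup.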