802.1x computer authentication config issue/question
Phil Mayers
p.mayers at imperial.ac.uk
Thu Dec 27 16:39:34 CET 2012
On 12/27/2012 03:19 PM, spartan1833 at hushmail.com wrote:
> ...but if not then ok I was simply trying to figure out if I was
> able to control machine-only 802.1x authentication against
> FreeRADIUS in a manner similar to how "simple" user authentication
> appears to be done (via the users file). From your response, it
> appears that the answer is "NO" and that an LDAP configuration /
> LDAP groups will be required.
Not so - that's not what Alan said. You mentioned LDAP - he naturally
assumed you were looking in that direction.
You can use the "users" file; but you need to alter the config slightly,
and due to the way EAP-TLS runs in 2.x, you need to use it in a
particular way.
Try this:
/etc/raddb/modules/tls_clients:

# A second instance of the "files" module, keyed on the client
# certificate CN instead of User-Name, with its own lookup file.
files tls_clients {
        key = "%{TLS-Client-Cert-Common-Name}"
        usersfile = "/etc/raddb/tls_clients"
}

/etc/raddb/sites-enabled/default

post-auth {
        ...
        # EAP-TLS fills in TLS-Client-Cert-Common-Name from the presented cert
        if (TLS-Client-Cert-Common-Name) {
                tls_clients.authorize
                # no entry for this CN in the lookup file
                if (notfound) {
                        # reject unknown users
                        reject
                }
        }
        ...
}
Modify as appropriate for your needs.
>
> I'll look into that as time allows...and while I appreciate your
> quick response, I think that your comment below is a bit
> unwarranted - one of the points of user groups is to be able to ask
> the question "I don't know how...at least this has been the case
> for the last 15 years that I have been doing this stuff."
Unfortunately, the FreeRADIUS community does not have the depth and
breadth to provide the level of support and documentation that something
like Apache or Samba does. This means there is more onus on you to be
specific.
I have my theories about *why* this difference exists - specifically,
that FR is a complex infrastructure daemon, which people set up and
forget, as opposed to a framework that they constantly use. You see
similar issues on other projects (ISC bind, for example) that have these
attributes. But whatever the reason, most people post to this list a few
times, then vanish - they don't answer questions to people who follow
them, write docs or wiki articles, or contribute code.
This leads to a relatively small pool of people who can answer, and to
the expectation that you be specific so those people can use their time
efficiently. Don't take it personally - it's just a function of the
community size.
Cheers,
Phil
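Worked example, added here and not part of Phil's message or of the FreeRADIUS distribution: the three pieces of the machine-only setup together, including the contents of the /etc/raddb/tls_clients lookup file that the message only names. The machine hostnames are constructed placeholders; the module name, paths and attribute names are the ones from the message.

```conf
# /etc/raddb/modules/tls_clients  (constructed example, not shipped config)
# A second rlm_files instance. The lookup key is the CN that EAP-TLS copies
# from the client certificate into TLS-Client-Cert-Common-Name, so the
# "username" column of the lookup file holds machine certificate CNs.
files tls_clients {
        key = "%{TLS-Client-Cert-Common-Name}"
        usersfile = "/etc/raddb/tls_clients"
}

# /etc/raddb/tls_clients  (constructed: the per-machine allow list)
# Same syntax as the standard "users" file: first field is the key, the
# rest of the line is optional check items, indented lines are reply items.
# One entry per permitted machine, using the exact CN of its certificate.
# Hostnames below are placeholders.
host-ws001.example.internal

host-ws002.example.internal

# Deliberately no DEFAULT entry. A certificate whose CN matches nothing
# makes the module return "notfound", which post-auth turns into a reject.

# /etc/raddb/sites-enabled/default  (post-auth section only)
post-auth {
        ...
        if (TLS-Client-Cert-Common-Name) {
                tls_clients.authorize
                if (notfound) {
                        # CN not in /etc/raddb/tls_clients
                        reject
                }
        }
        ...
}
```

The allow list only narrows which certificates are accepted; the certificate chain itself is still validated against the CA configured in the tls section of eap.conf, so an entry here never lets an untrusted certificate through, it only removes otherwise-valid ones from the permitted set. Running radiusd -X shows the tls_clients module's "notfound" return and the resulting reject for a CN that is missing from the file, which is the first thing to check when a known machine is unexpectedly refused.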