802.1x computer authentication config issue/question

Alan DeKok aland at deployingradius.com
Thu Dec 27 17:09:27 CET 2012

spartan1833 at hushmail.com wrote:
> Thank you for the...quick reply - thought I had spelled out what I 
> was trying to figure out in fairly clear terms:

  Yes, but you didn't say *how* you wanted this done.  You needed to do
user group checking.  OK, FreeRADIUS isn't a database.  I asked you a
*specific* question about where the groups were stored.

  You failed to answer the question.  Do you know why the question and
answer were important?

 You have to get away from the Microsoft thinking of "the product has
one UI to do everything".  And get to the Unix thinking of "a RADIUS
server does RADIUS.  A database stores data".

> ...but if not then ok I was simply trying to figure out if I was 
> able to control machine-only 802.1x authentication against 
> FreeRADIUS in a manner similar to how "simple" user authentication 
> appears to be done (via the users file). From your response, it 
> appears that the answer is "NO" and that an LDAP configuration / 
> LDAP groups will be required.

  <sigh>  No.  You can store groups in LDAP, SQL, flat-text files, etc.
 The documentation contains examples for EACH of those.  Just (a) read
it, and (b) follow the instructions.  It's not hard.

  And you CAN control EAP-TLS via the "users" file.  Just look at the
debug output.  Take the fields from there (User-Name, etc.), and enter
them into the "users" file, with whatever policy you want.  Read the
"users" file documentation for how to create policies with it.

  LDAP is *only* to make your life easier.

> I'll look into that as time allows...and while I appreciate your 
> quick response, I think that your comment below is a bit 
> unwarranted - one of the points of user groups is to be able to ask 
> the question "I don't know how...at least this has been the case 
> for the last 15 years that I have been doing this stuff."

  I asked you specific questions about what you wanted to do, and what
you already had.  You didn't answer them.  So... I'm trying to engage
you in a conversation, and you're stone-walling me.

  As a hint: I've been doing this for 15 years.  If I ask a question,
it's because the answer HELPS ME HELP YOU.  Whining about my response is
ridiculous, and just annoys the people who are trying to help you.

  If you're not going to follow instructions, you will be unsubscribed
and banned.  I've had 15 years of trying to convince people to REALLY
no more patience for people who can't be bothered to help themselves.

  Make no mistake, we *are* here to help.  But this is a free support
list.  We assume that you can (a) describe the problem you're having,
(b) read the documentation, and (c) follow instructions to fix it.

  That's all we ask.

  Alan DeKok.
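As an added illustration of the "users" file approach described in the reply above (this fragment is not from Alan's message or from the FreeRADIUS distribution), here is a rlm_files policy that handles 802.1X machine-only authentication using nothing but the User-Name seen in the debug output. Windows machine accounts present a User-Name of the form "host/<computername>.<domain>"; the domain example.com, the hostnames and the VLAN number are constructed placeholders.

```text
#
# Added example (not part of the original post): "users" file entries
# applying policy to machine authentication by matching User-Name.
# example.com, the VLAN id and the messages are constructed values.
#

# A machine account from a domain we do not own: reject it outright.
# Auth-Type is a check item, so it goes on the first line with the match.
DEFAULT User-Name =~ "^host/", User-Name !~ "[.]example[.]com$", Auth-Type := Reject
        Reply-Message = "Machine account outside example.com"

# A machine account in our domain: accept it and place it on the
# machine VLAN (RFC 2868 tunnel attributes). Processing of the file
# stops here because Fall-Through is not set.
DEFAULT User-Name =~ "^host/.+[.]example[.]com$"
        Tunnel-Type = VLAN,
        Tunnel-Medium-Type = IEEE-802,
        Tunnel-Private-Group-Id = "10",
        Reply-Message = "Machine authentication OK"

# Ordinary user names match neither entry and continue to the rest of
# the file, where the usual per-user entries live.
```

The User-Name value to match is exactly what `radiusd -X` prints for the Access-Request, so the pattern should be taken from that output rather than guessed. Because rlm_files stops at the first matching entry unless its reply items include `Fall-Through = Yes`, the reject entry must precede the accept entry, and both must precede any catch-all DEFAULT lower in the file.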

