802.1x computer authentication config issue/question
spartan1833 at hushmail.com
Thu Dec 27 18:40:51 CET 2012
@Phil,
Thank you very much for the code snippet - only had to make minor
mods for it to work perfectly ("noop" instead of "notfound" in the
reject code within the sites-enabled routine). Also I had to do an
$INCLUDE in the users file that points to the tls_clients file,
otherwise I get unpredictable behavior - other than that, working as
envisioned. Next phase, a remote database for clients (LDAP or
SQL... not sure which yet - that's for 2013).
Again, many, many thanks for the help - Happy Holidays...
On Thu, 27 Dec 2012 10:40:15 -0500 "Phil Mayers" <p.mayers at imperial.ac.uk> wrote:
>On 12/27/2012 03:19 PM, spartan1833 at hushmail.com wrote:
>
>> ...but if not then ok I was simply trying to figure out if I was
>> able to control machine-only 802.1x authentication against
>> FreeRADIUS in a manner similar to how "simple" user authentication
>> appears to be done (via the users file). From your response, it
>> appears that the answer is "NO" and that an LDAP configuration /
>> LDAP groups will be required.
>
>Not so - that's not what Alan said. You mentioned LDAP - he naturally
>assumed you were looking in that direction.
>
>You can use the "users" file; but you need to alter the config slightly,
>and due to the way EAP-TLS runs in 2.x, you need to use it in a
>particular way.
>
>Try this:
>
>/etc/raddb/modules/tls_clients:
>
>files tls_clients {
>        key = "%{TLS-Client-Cert-Common-Name}"
>        usersfile = "/etc/raddb/tls_clients"
>}
>
>/etc/raddb/sites-enabled/default
>
>post-auth {
>        ...
>        if (TLS-Client-Cert-Common-Name) {
>                tls_clients.authorize
>                if (notfound) {
>                        # reject unknown users
>                        reject
>                }
>        }
>        ...
>}
>
>Modify as appropriate for your needs.
>
>>
>> I'll look into that as time allows...and while I appreciate your
>> quick response, I think that your comment below is a bit
>> unwarranted - one of the points of user groups is to be able to ask
>> the question "I don't know how...at least this has been the case
>> for the last 15 years that I have been doing this stuff."
>
>Unfortunately, the FreeRADIUS community does not have the depth and
>breadth to provide the level of support and documentation that something
>like Apache or Samba does. This means there is more onus on you to be
>specific.
>
>I have my theories about *why* this difference exists - specifically,
>that FR is a complex infrastructure daemon, which people set up and
>forget, as opposed to a framework that they constantly use. You see
>similar issues on other projects (ISC bind, for example) that have these
>attributes. But whatever the reason, most people post to this list a few
>times, then vanish - they don't answer questions to people who follow
>them, write docs or wiki articles, or contribute code.
>
>This leads to a relatively small pool of people who can answer, and to
>the expectation that you be specific so those people can use their time
>efficiently. Don't take it personally - it's just a function of the
>community size.
>
>Cheers,
>Phil
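Putting the thread's pieces together, here is a complete machine-only EAP-TLS whitelist for FreeRADIUS 2.x as an added example (not Phil's snippet verbatim and not FreeRADIUS project code): the tls_clients module instance, a users-file-format tls_clients file keyed on the client certificate CN, the $INCLUDE the original poster reported needing, and the post-auth check. The hostnames are constructed; the check for "noop" as well as "notfound" follows the original poster's report that rlm_files returned noop on their build, so this example accepts either return code rather than assuming one.

```unlang
# --- /etc/raddb/modules/tls_clients ---
# A second rlm_files instance. Instead of matching on User-Name, it looks
# up entries by the CN of the client certificate that EAP-TLS verified.
files tls_clients {
        key = "%{TLS-Client-Cert-Common-Name}"
        usersfile = "/etc/raddb/tls_clients"
}

# --- /etc/raddb/tls_clients --- (users-file syntax; constructed entries)
# One entry per machine certificate CN that is allowed on the network.
# Do NOT put a DEFAULT entry in this file: rlm_files matches DEFAULT for
# every key, so the "unknown CN" branch below would never fire.
host-ws01.example.com
        Reply-Message := "machine certificate accepted"

host-ws02.example.com
        Reply-Message := "machine certificate accepted"

# --- /etc/raddb/users ---
# The original poster reported unpredictable behaviour until the main
# users file also included the whitelist; the thread does not say why.
$INCLUDE /etc/raddb/tls_clients

# --- /etc/raddb/sites-enabled/default ---
post-auth {
        ...
        # TLS-Client-Cert-Common-Name only exists after the EAP-TLS chain
        # has been validated against the CA configured in eap.conf, so a
        # CN is only as trustworthy as that CA. Nothing here checks CN
        # format; the file lookup is an exact match on the CN string.
        if (TLS-Client-Cert-Common-Name) {
                tls_clients.authorize
                # 2.x rlm_files may return noop (as reported in this
                # thread) or notfound when no entry matches; treat both
                # as "CN not on the whitelist".
                if (noop || notfound) {
                        reject
                }
        }
        ...
}
```

With this in place a host whose certificate validates but whose CN is absent from /etc/raddb/tls_clients gets an Access-Reject in post-auth; run radiusd -X and look for the tls_clients lookup and the return code to confirm which of noop/notfound your build actually produces.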