How to disable machine authentication

Alan DeKok aland at deployingradius.com
Wed Jun 24 01:56:48 CEST 2020


On Jun 23, 2020, at 6:22 PM, Daniel Guimaraes Pena <daniel.pena at mpdft.mp.br> wrote:
> 
> Is it possible?

  Yes.

> I tried in users file:

  Don't "try" things.  Figure out what's going on, and write rules to match that.

> #
> # Deny access for a group of users.
> #
> # Note that there is NO 'Fall-Through' attribute, so the user will not
> # be given any additional resources.
> #
> #DEFAULT        Group == "disabled", Auth-Type := Reject
> #               Reply-Message = "Your account has been disabled."
> #
> DEFAULT Group == "Domain Computers", Auth-Type := Reject

  The "Group" attribute checks Unix groups.  Which usually don't have spaces in their names.

>                Reply-Message = "Autenticacao de maquinas desabilitada."
> 
> DEFAULT Group == "TodasContasEspeciais", Auth-Type := Reject
>                Reply-Message = "Autenticacao de contas de servico desabilitada."
> 
> Domain Computers doesn't work. TodasContasEspeciais works fine.

  Maybe.  The debug output isn't clear.

> Logs, if needed. (Sorry for another post so soon... I solved a lot of problems but some...)

  Logs are almost always needed.

> (83533) Received Access-Request Id 116 from 10.34.177.220:37268 to 10.34.242.3:1812 length 296
> (83533)   User-Name = "host/n65144.mpdft.gov.br"

  Rejecting machine authentication is simple:

authorize {
	...
	# Machine accounts arrive with a User-Name of the form "host/<fqdn>"
	if (User-Name =~ /^host\//) {
		reject
	}
	...
}

  Alan DeKok.
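
An added example, not part of the message above and not FreeRADIUS project code: a Python script that reads debug output in the format quoted in the thread and reports which Access-Requests the `^host\/` rule would reject, so the rule can be checked against real traffic before it is deployed. Only the first two sample lines come from the thread; the rest are constructed, and the function names and the "review" category are assumptions of this example.

```python
import re

# Debug output in the format shown in the thread. Only the first two lines are
# from the thread; everything else is constructed for this example.
SAMPLE_DEBUG = """\
(83533) Received Access-Request Id 116 from 10.34.177.220:37268 to 10.34.242.3:1812 length 296
(83533)   User-Name = "host/n65144.mpdft.gov.br"
(83534) Received Access-Request Id 117 from 192.0.2.10:40000 to 192.0.2.1:1812 length 210
(83534)   User-Name = "alice"
(83535) Received Access-Request Id 118 from 192.0.2.10:40000 to 192.0.2.1:1812 length 230
(83535)   User-Name = "HOST/pc-0042.example.org"
(83536) Received Access-Request Id 119 from 192.0.2.10:40000 to 192.0.2.1:1812 length 90
"""

RECEIVED_RE = re.compile(r'^\((\d+)\) Received Access-Request Id \d+ from ([\d.]+):\d+')
USER_NAME_RE = re.compile(r'^\((\d+)\)\s+User-Name = "(.*)"\s*$')
RULE_RE = re.compile(r'^host/')                      # same pattern as the unlang rule
NEAR_MISS_RE = re.compile(r'^host/', re.IGNORECASE)  # hypothetical extra check


def classify(user_name):
    """Return the verdict the rule would give for one User-Name value."""
    if RULE_RE.search(user_name):
        return "reject"   # the rule fires
    if NEAR_MISS_RE.search(user_name):
        return "review"   # differs only by case; the rule as written is case-sensitive
    return "pass"


def audit(debug_text):
    """Map request number -> (client IP, User-Name, verdict) per Access-Request."""
    requests = {}
    for line in debug_text.splitlines():
        received = RECEIVED_RE.match(line)
        if received:
            requests[received.group(1)] = (received.group(2), None, None)
            continue
        attr = USER_NAME_RE.match(line)
        # Keep only the first User-Name logged for a request number.
        if attr and attr.group(1) in requests and requests[attr.group(1)][1] is None:
            client = requests[attr.group(1)][0]
            requests[attr.group(1)] = (client, attr.group(2), classify(attr.group(2)))
    return requests


if __name__ == "__main__":
    for number, (client, name, verdict) in audit(SAMPLE_DEBUG).items():
        print(number, client, name, verdict)
```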



