How to disable machine authentication
Alan DeKok
aland at deployingradius.com
Wed Jun 24 01:56:48 CEST 2020
On Jun 23, 2020, at 6:22 PM, Daniel Guimaraes Pena <daniel.pena at mpdft.mp.br> wrote:
>
> Is it possible?
Yes.
> I tried in users file:
Don't "try" things. Figure out what's going on, and write rules to match that.
> #
> # Deny access for a group of users.
> #
> # Note that there is NO 'Fall-Through' attribute, so the user will not
> # be given any additional resources.
> #
> #DEFAULT Group == "disabled", Auth-Type := Reject
> # Reply-Message = "Your account has been disabled."
> #
> DEFAULT Group == "Domain Computers", Auth-Type := Reject
The "Group" attribute checks Unix groups. Which usually don't have spaces in their names.
>         Reply-Message = "Autenticacao de maquinas desabilitada."
>
> DEFAULT Group == "TodasContasEspeciais", Auth-Type := Reject
>         Reply-Message = "Autenticacao de contas de servico desabilitada."
>
> Domain Computers doesn't work. TodasContasEspeciais works fine.
Maybe. The debug output isn't clear.
> Logs, if needed. (Sorry for another post so soon... I solved a lot of problems but some...)
Logs are almost always needed.
> (83533) Received Access-Request Id 116 from 10.34.177.220:37268 to 10.34.242.3:1812 length 296
> (83533) User-Name = "host/n65144.mpdft.gov.br"
Rejecting machine authentication is simple:

authorize {
	...
	# machine accounts log in with a User-Name of the form "host/<name>"
	if (User-Name =~ /^host\//) {
		reject
	}
	...
}

Alan DeKok.
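
An added example, not part of the original post: a small Python scanner that applies the same ^host/ test to saved debug output, so you can see which requests the rule above would reject before enabling it. The function name and every sample line after the first two (which are the lines quoted in the post) are constructed for illustration.

```python
import re

# Debug-output shapes as quoted in the post:
#   (83533) Received Access-Request Id 116 from 10.34.177.220:37268 to ...
#   (83533) User-Name = "host/n65144.mpdft.gov.br"
REQ_LINE = re.compile(r'^\((\d+)\)\s+(.*)$')
RECEIVED = re.compile(r'^Received (\S+) Id (\d+) from (\S+):(\d+)')
USER_NAME = re.compile(r'^User-Name = "(.*)"$')
MACHINE = re.compile(r'^host/')   # same test as the unlang condition

def machine_requests(lines):
    """Return {request_number: (client_ip, user_name)} for Access-Requests
    whose User-Name starts with "host/" (hypothetical helper)."""
    clients, seen, hits = {}, set(), {}
    for raw in lines:
        line = raw.lstrip('> ').rstrip()      # tolerate mail-quoted logs
        m = REQ_LINE.match(line)
        if not m:
            continue
        req, rest = int(m.group(1)), m.group(2)
        r = RECEIVED.match(rest)
        if r:
            if r.group(1) == 'Access-Request':
                clients[req] = r.group(3)
            continue
        u = USER_NAME.match(rest)
        # Only the first User-Name after "Received" is the request attribute;
        # later ones may belong to the reply.
        if u and req in clients and req not in seen:
            seen.add(req)
            if MACHINE.match(u.group(1)):
                hits[req] = (clients[req], u.group(1))
    return hits

# First two lines are from the post; the rest are constructed sample data.
SAMPLE = '''\
(83533) Received Access-Request Id 116 from 10.34.177.220:37268 to 10.34.242.3:1812 length 296
(83533)   User-Name = "host/n65144.mpdft.gov.br"
(83534) Received Access-Request Id 117 from 192.0.2.10:40000 to 10.34.242.3:1812 length 180
(83534)   User-Name = "hostmaster"
(83535) Received Access-Request Id 118 from 192.0.2.10:40001 to 10.34.242.3:1812 length 190
(83535)   User-Name = "host/pc01.example.org"
'''.splitlines()

if __name__ == '__main__':
    for req, (ip, name) in sorted(machine_requests(SAMPLE).items()):
        print(f'({req}) {ip} {name}')
```

Note that "hostmaster" is not flagged: the pattern requires the slash after "host", which is what separates machine accounts from ordinary user names.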