Re: How to disable machine authentication
Daniel Guimaraes Pena
daniel.pena at mpdft.mp.br
Thu Jun 25 19:36:13 CEST 2020
Thanks for this solution =)
Just to report: I applied your suggestion in the filter policy, after "# reject mixed case e.g. UseRNaMe", and it's working perfectly.
filter_username {
    if (&User-Name) {
        #
        # denying machine authentication
        #
        if (&User-Name =~ /\// ) {
            update request {
                &Module-Failure-Message += 'Rejected: host authentication not allowed'
            }
            reject
        }
        ...
    }
}
> The "Group" attribute checks Unix groups. Which usually don't have spaces in their names.
About this... I understood that (maybe not, but let's try):
For user "monitoramento" command "id monitoramento" shows:
........... 16777729(domain users),..........,10001(BUILTIN\users)
And this user hits this entry in the users file:
    DEFAULT Group == "domain users", Simultaneous-Use := 2
            Idle-Timeout := 300
So, then I tried to do the same with computers...
Look:
root at vp2-seg-008:/var/log/freeradius# id M50880
id: ‘M50880’: no such user
root at vp2-seg-008:/var/log/freeradius#
But, when I put "$":
root at vp2-seg-008:/var/log/freeradius# id M50880$
uid=16884786(m50880$) gid=16777731(domain computers) groups=16777731(domain computers),16884786(m50880$)
root at vp2-seg-008:/var/log/freeradius#
And that's why the check for group "domain computers" does not work: the "$" is missing.
Thanks a lot for the help!
-----Original Message-----
From: Freeradius-Users <freeradius-users-bounces+daniel.pena=mpdft.mp.br at lists.freeradius.org> On behalf of Alan DeKok
Sent: Tuesday, June 23, 2020 20:57
To: FreeRadius users mailing list <freeradius-users at lists.freeradius.org>
Subject: Re: How to disable machine authentication
On Jun 23, 2020, at 6:22 PM, Daniel Guimaraes Pena <daniel.pena at mpdft.mp.br> wrote:
>
> Is it possible?
Yes.
> I tried in users file:
Don't "try" things. Figure out what's going on, and write rules to match that.
> #
> # Deny access for a group of users.
> #
> # Note that there is NO 'Fall-Through' attribute, so the user will not
> # be given any additional resources.
> #
> #DEFAULT Group == "disabled", Auth-Type := Reject
> # Reply-Message = "Your account has been disabled."
> #
> DEFAULT Group == "Domain Computers", Auth-Type := Reject
The "Group" attribute checks Unix groups. Which usually don't have spaces in their names.
> Reply-Message = "Autenticacao de maquinas desabilitada."
>
> DEFAULT Group == "TodasContasEspeciais", Auth-Type := Reject
> Reply-Message = "Autenticacao de contas de servico desabilitada."
>
> Domain Computers doesnt work. TodasContasEspeciais Works fine.
Maybe. The debug output isn't clear.
> Logs, if needed. (Sorry for another post so soon... I solved a lot of
> problems but some...)
Logs are almost always needed.
> (83533) Received Access-Request Id 116 from 10.34.177.220:37268 to 10.34.242.3:1812 length 296
> (83533) User-Name = "host/n65144.mpdft.gov.br"
Rejecting machine authentication is simple:
authorize {
    ...
    if (User-Name =~ /^host\//) {
        reject
    }
    ...
}
Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
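The two checks discussed in this thread, as an added worked example that is not part of the original e-mails or of FreeRADIUS itself: it evaluates the two unlang User-Name patterns (the unanchored `/\//` used in filter_username and the anchored `/^host\//` suggested by Alan) against a set of sample User-Names, and it parses `id` output the way the users-file `Group` check needs it, to show that the machine account is only found when the trailing "$" is present. The sample names other than `host/n65144.mpdft.gov.br` and `monitoramento`, and the `id` output for `monitoramento`, are constructed; the `ID_OUTPUT` table stands in for running `id` on the RADIUS server.

```python
import re

# The two unlang regexes from the thread, written as Python patterns.
# In unlang the delimiter is "/", so "\/" there is a plain "/" here.
ANY_SLASH = re.compile(r"/")        # if (&User-Name =~ /\//)   -> reject
HOST_PREFIX = re.compile(r"^host/")  # if (User-Name =~ /^host\//) -> reject


def rejected_by(pattern, user_name):
    """True when the corresponding `if (... =~ /.../) { reject }` would fire."""
    return pattern.search(user_name) is not None


# Constructed sample User-Names; only the first two appear in the thread.
SAMPLE_USER_NAMES = [
    "host/n65144.mpdft.gov.br",    # machine (host/) authentication, from the thread
    "monitoramento",               # plain user, from the thread
    "MPDFT\\monitoramento",        # constructed: DOMAIN\user form (backslash, not slash)
    "monitoramento@mpdft.gov.br",  # constructed: user@realm form
    "some/thing",                  # constructed: a slash that is not a host/ prefix
]


def classify(user_names):
    """For each name, report which of the two patterns would reject it."""
    return {
        name: {
            "any_slash": rejected_by(ANY_SLASH, name),
            "host_prefix": rejected_by(HOST_PREFIX, name),
        }
        for name in user_names
    }


# Stand-in for `id <account>` on the winbind-joined server. Keyed by the
# lower-cased account name, mirroring the thread where `id M50880$` prints
# `m50880$`. The m50880$ line is copied from the thread; the monitoramento
# line is constructed (the thread only shows fragments of it).
ID_OUTPUT = {
    "m50880$": "uid=16884786(m50880$) gid=16777731(domain computers) "
               "groups=16777731(domain computers),16884786(m50880$)",
    "monitoramento": "uid=16777728(monitoramento) gid=16777729(domain users) "
                     "groups=16777729(domain users),10001(BUILTIN\\users)",
}

# One "<gid>(<name>)" entry; group names may contain spaces ("domain computers").
ID_ENTRY = re.compile(r"(\d+)\(([^)]*)\)")


def unix_id(account):
    """Emulate `id account`; raise like `id` does for an unknown account."""
    line = ID_OUTPUT.get(account.lower())
    if line is None:
        raise LookupError(f"id: '{account}': no such user")
    return line


def groups_from_id_output(line):
    """Return the group names from an `id` line.

    Split on "groups=" rather than matching \\S+ after it: a non-space
    match would truncate "domain computers" at the space.
    """
    if "groups=" not in line:
        return []
    return [name for _, name in ID_ENTRY.findall(line.split("groups=", 1)[1])]


def in_unix_group(account, group):
    """What `Group == "<group>"` in the users file asks: is the account in it?"""
    try:
        return group in groups_from_id_output(unix_id(account))
    except LookupError:
        return False


if __name__ == "__main__":
    for name, verdict in classify(SAMPLE_USER_NAMES).items():
        print(f"{name:30} any_slash={verdict['any_slash']!s:5} host_prefix={verdict['host_prefix']}")
    for account in ("M50880", "M50880$", "monitoramento"):
        print(f"{account:15} in 'domain computers': {in_unix_group(account, 'domain computers')}")
```

The `classify` output makes the difference between the two patterns visible: both reject `host/n65144.mpdft.gov.br`, but only the unanchored one also rejects a name like `some/thing`, while `DOMAIN\user` and `user@realm` forms pass both. The group half shows why the users-file `Group == "Domain Computers"` line never matched: `id M50880` fails outright, and only `M50880$` resolves to an account in `domain computers`.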