Stephen Bowman wrote:
> Ok, so I put a list of usernames in the users file with an Auth-Type :=
> EAP ?

No. Setting Auth-Type is almost always wrong. In this case, it will do nothing.

Instead, put the "good" users into a group (see "man rlm_passwd"). Then, reject everyone who isn't in that group.

> Right now, everyone with a valid client certificate is authenticated
> (nobody is listed in the users file). Once I start enumerating them in
> the users file, will it have an implicit deny all of everyone who isn't
> in the users file?

No.

> Also - is there a way to define a different users file per NAS?

It's a bit of work, but sure. See "Autz-Type".

Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog