On 12/27/2012 03:19 PM, spartan1...@hushmail.com wrote:

...but if not then ok I was simply trying to figure out if I was
able to control machine-only 802.1x authentication against
FreeRADIUS in a manner similar to how "simple" user authentication
appears to be done (via the users file). From your response, it
appears that the answer is "NO" and that an LDAP configuration /
LDAP groups will be required.

Not so - that's not what Alan said. You mentioned LDAP - he naturally assumed you were looking in that direction.

You can use the "users" file; but you need to alter the config slightly, and due to the way EAP-TLS runs in 2.x, you need to use it in a particular way.

Try this:

/etc/raddb/modules/tls_clients:

files tls_clients {
  key = "%{TLS-Client-Cert-Common-Name}"
  usersfile = "/etc/raddb/tls_clients"
}

/etc/raddb/sites-enabled/default:

post-auth {
  ...
  if (TLS-Client-Cert-Common-Name) {
    tls_clients.authorize
    if (notfound) {
      # reject unknown users
      reject
    }
  }
  ...
}

Modify as appropriate for your needs.


I'll look into that as time allows...and while I appreciate your
quick response, I think that your comment below is a bit
unwarranted - one of the points of user groups is to be able to ask
the question "I don't know how...at least this has been the case
for the last 15 years that I have been doing this stuff."

Unfortunately, the FreeRADIUS community does not have the depth and breadth to provide the level of support and documentation that something like Apache or Samba does. This means there is more onus on you to be specific.

I have my theories about *why* this difference exists - specifically, that FR is a complex infrastructure daemon, which people set up and forget, as opposed to a framework that they constantly use. You see similar issues on other projects (ISC bind, for example) that have these attributes. But whatever the reason, most people post to this list a few times, then vanish - they don't answer questions to people who follow them, write docs or wiki articles, or contribute code.

This leads to a relatively small pool of people who can answer, and to the expectation that you be specific so those people can use their time efficiently. Don't take it personally - it's just a function of the community size.

Cheers,
Phil
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
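An added example, not from this thread or from the FreeRADIUS project: a small Python model of the lookup the post-auth snippet above relies on, so the decision it makes for a given client-certificate CN can be checked offline. It reproduces only the files-module behaviour the snippet depends on (first token of an entry is the key, a DEFAULT entry matches any key, no match yields notfound); the tls_clients contents, hostnames and attribute values are constructed, and the exact, case-sensitive key compare is an assumption.

```python
from typing import List, Optional, Tuple

# Constructed contents of /etc/raddb/tls_clients in users-file syntax:
# key (here the certificate CN), optional comma-separated check items on the
# same line, then indented reply-item lines. Not a real site's file.
TLS_CLIENTS = """\
# machine certificates allowed on the wired network
ws-0042.corp.example
ws-0043.corp.example    Auth-Type := EAP
\tTunnel-Type = VLAN,
\tTunnel-Private-Group-Id = "20"
"""

def parse_users_file(text: str) -> List[Tuple[str, str]]:
    """Return (key, check_items) for each entry; indented reply-item lines,
    blank lines and comments are skipped."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0] in " \t":          # continuation: reply items of the previous entry
            continue
        parts = line.split(None, 1)
        entries.append((parts[0], parts[1].strip() if len(parts) > 1 else ""))
    return entries

def files_authorize(key: str, entries: List[Tuple[str, str]]) -> str:
    """Model of the files module's return code for one key: 'ok' when an entry
    (or a DEFAULT entry) matches, otherwise 'notfound'. Key compare is modelled
    as an exact, case-sensitive string match (assumption)."""
    for entry_key, _ in entries:
        if entry_key == key or entry_key == "DEFAULT":
            return "ok"
    return "notfound"

def post_auth(cert_cn: Optional[str], entries: List[Tuple[str, str]]) -> str:
    """Mirror the post-auth unlang: only requests that carry a client-cert CN
    are looked up; an unknown CN is rejected, everything else falls through."""
    if cert_cn:
        if files_authorize(cert_cn, entries) == "notfound":
            return "reject"
    return "accept"
```

Note that a DEFAULT entry in tls_clients would match every CN, so the notfound branch could never fire; keep that file to explicit machine names.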