On Wed, Apr 25, 2012 at 11:52:15AM -0800, Kevin Elliott wrote:
> Currently FreeRadius will send back Access-Accepts for *both*
> user and machine/host accounts (in the Active Directory context
> of those terms). I would like to configure FreeRadius to ignore
> or reject authentication requests using the user credentials. I

How about, in authorize:

  if (User-Name !~ /host\//) {
    reject
  }

as all computer auths have a User-Name that begins "host/".

Compare the incoming packets for a user auth and a machine auth. They are
different enough to determine which is which.

> My goal is to implement 802.1x authentication for devices that
> are joined to the domain. I don't want people to be able to use
> their domain credentials to authenticate non-domain devices to
> our wireless network.

You can use the domain to push certs/keys out to all the authorized devices
by policy, and add the devices into a group if you want a limited selection
of them to connect. Then you use EAP-TLS, check the username for host/,
check the cert was signed by you, and check the host is in the group, then
let them in.

One of the biggest benefits of a domain is it will manage all the client
keys for you.

> Debugging Output:

Not really useful - you showed radiusd -X, but stopped before any packets
hit. Good job we can occasionally mind-read[0] ;)

Cheers

Matthew

[0] Warning: mind reading is sub-optimal and often wrong.

-- 
Matthew Newton, Ph.D. <m...@le.ac.uk>

Systems Architect (UNIX and Networks), Network Services, I.T. Services,
University of Leicester, Leicester LE1 7RH, United Kingdom

For IT help contact helpdesk extn. 2253, <ith...@le.ac.uk>

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
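The following is an added example, not part of Matthew's message or of the FreeRADIUS project's own configuration, showing how the checks he lists (User-Name begins with host/, certificate issued by the domain CA, machine is in a permitted group) could be written as unlang policy. It assumes a FreeRADIUS 2.x or 3.x server whose eap module is configured for EAP-TLS with ca_file pointing at the domain CA (that setting, not the issuer comparison below, is what actually enforces "signed by you": a certificate from any other CA never completes the handshake), and an rlm_ldap instance against Active Directory so the Ldap-Group comparison works. The attribute names EAP-Type, TLS-Client-Cert-Issuer and TLS-Client-Cert-Common-Name are standard FreeRADIUS attributes; the group DN, the issuer CN and the hostname convention are placeholders. The User-Name regex is anchored with ^, which is stricter than the unanchored pattern in the message.

```unlang
# Added example (not from the original message or the FreeRADIUS project):
# unlang policy implementing the machine-only 802.1X checks described above.
#
# Assumptions: eap module configured for EAP-TLS with ca_file = the domain CA;
# rlm_ldap configured against AD so Ldap-Group works.
# Placeholders: group DN, issuer CN, hostname format in the certificate.

authorize {
    preprocess

    # Machine accounts present User-Name as host/<fqdn>. Anything else is a
    # user account: reject it before EAP even starts.
    if (User-Name !~ /^host\//) {
        update reply {
            Reply-Message := "Only domain-joined machines may connect"
        }
        reject
    }

    ldap
    eap
}

post-auth {
    # Client-certificate attributes only exist after the TLS handshake, so the
    # remaining checks belong here rather than in authorize.

    # Refuse password-based methods (PEAP/TTLS): a user's own credentials must
    # not authenticate a device that has no machine certificate.
    if (EAP-Type != TLS) {
        reject
    }

    # Belt and braces: the issuer must be the domain CA (placeholder CN).
    # ca_file in the eap module already rejects other issuers at handshake.
    if (TLS-Client-Cert-Issuer !~ /CN=EXAMPLE-DOMAIN-CA/) {
        reject
    }

    # The machine named in the certificate must be the one that logged in.
    # Assumes the AD machine certificate CN is the host FQDN (placeholder).
    if (User-Name != "host/%{TLS-Client-Cert-Common-Name}") {
        reject
    }

    # Limit access to members of a specific AD group (placeholder DN).
    if (Ldap-Group != "CN=Wireless-Machines,OU=Groups,DC=example,DC=com") {
        reject
    }

    Post-Auth-Type REJECT {
        attr_filter.access_reject
    }
}
```

Run the server with radiusd -X and send one user authentication and one machine authentication: the user request should be rejected in authorize with the Reply-Message above, while the machine request should pass authorize, complete EAP-TLS, and only then be accepted or rejected by the post-auth checks, which is where a wrong group or mismatched certificate CN shows up in the debug output.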