[email protected] wrote:
> 802.1x appears to be working; any laptop with the certs/config is
> able to access the wired and/or wireless network and any laptop
> without is denied access. However, in my previous experience with
> RADIUS (IAS/NPS in the Windows world), I am able to control access
> at a policy level as well; any machine not part of a specific group
> is denied access, regardless of what certificate is installed and
> what configuration is present on the laptop.

You can do that in FreeRADIUS, too. You can do LDAP group comparisons:

http://wiki.freeradius.org/modules/Rlm_ldap

> I played around with the users file in FreeRADIUS but it didn't
> seem to have any effect unless I put a DEFAULT Auth-Type Reject in
> the file which blocked everyone regardless of what else I had in
> the users file.

Well... playing around isn't useful. You need to first define the problem, and then look for a solution.

The problem here seems to be looking up groups in LDAP, right? So... configure the LDAP module. Read its documentation.

> I've Googled around a bit but haven't found any
> definitive guides on how I would do a FreeRADIUS analog to Windows
> IAS/NPS policies other than having to include ldap servers and/or
> other types of external authentication systems which I'm not really
> interested (at this point) in doing.

Are groups stored in LDAP? If so, you need to configure FreeRADIUS to talk to the LDAP server.

> Guessing that I'm missing something so hoping that someone else has
> done this or can guide me in how to do local (to the RADIUS server)
> machine policies - I just want to be able to say "laptop1234...",
> etc are part of a local group and are authorized (provided that
> they are properly provisioned with certs, etc).

Where are those groups defined?

Right now, your question is "I want to do stuff but I don't know how". You need to describe what you want to do, in detail.

Alan DeKok.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
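The users file the original poster was experimenting with can express the "local group of authorized laptops" policy without LDAP. The fragment below is an added example, not configuration from the thread or from the FreeRADIUS project. It assumes FreeRADIUS 2.x users-file syntax, that the Windows supplicant sends the machine identity as "host/<fqdn>" in User-Name, and constructed hostnames, domain and LDAP group name; the commented-out Ldap-Group line shows the LDAP-backed variant the reply points to, which additionally needs the ldap module configured and listed in the authorize section.

```text
#
# /etc/raddb/users  (FreeRADIUS 2.x syntax; added example, not from the thread)
#
# Local list of authorized machines. Entries are matched against the
# User-Name the supplicant sends in its EAP identity. Anything that does
# not match an entry falls through to the DEFAULT at the bottom and is
# rejected, even if it presents a valid certificate.
#
# Assumption: Windows machine authentication sends "host/<fqdn>".
# Hostnames and domain below are constructed; confirm the real string
# with "radiusd -X" (look at User-Name in the first Access-Request)
# before adding entries.
#

"host/laptop1234.example.com"   Auth-Type := EAP
"host/laptop5678.example.com"   Auth-Type := EAP

# LDAP-backed variant (group name assumed): replaces the per-host lines
# above once the ldap module is configured for group membership.
#DEFAULT   Ldap-Group == "authorized-laptops", Auth-Type := EAP

# Everything else: reject before the EAP-TLS handshake even starts.
DEFAULT   Auth-Type := Reject
          Reply-Message = "Machine not in the authorized laptop list"
```

Two things worth checking against this. First, the "blocked everyone" symptom in the thread is what you get when none of the named entries ever match, most likely because the User-Name on the wire (for example "host/laptop1234.example.com") is not the bare "laptop1234" written in the file; `radiusd -X` shows the exact string. Second, User-Name is supplied by the client and is not itself authenticated, so a whitelist keyed on it should be tied to the certificate: in FreeRADIUS 2.x the `tls` section of eap.conf has `check_cert_cn = %{User-Name}`, which makes the handshake fail unless the client certificate's CN equals the identity that matched the list.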

