@Phil, thanks for the info - appreciate the professional response... I'll do some additional research.
On Thu, 27 Dec 2012 10:13:43 -0500 "Phil Mayers" <[email protected]> wrote:

> On 12/27/2012 02:32 PM, [email protected] wrote:
>
>> I played around with the users file in FreeRADIUS but it didn't
>> seem to have any effect unless I put a DEFAULT Auth-Type Reject in
>> the file which blocked everyone regardless of what else I had in
>> the users file. I've Googled around a bit but haven't found any
>> definitive guides on how I would do a FreeRADIUS analog to Windows
>> IAS/NPS policies other than having to include ldap servers and/or
>> other types of external authentication systems which I'm not really
>> interested (at this point) in doing.
>
> LDAP is not an authentication system (not really). It's a directory,
> which is a form of database.
>
> You are, obviously, going to need some form of "database" in which your
> policy "memberships" are stored; FreeRADIUS provides several built-in
> modules (LDAP, SQL, files, passwd-style) that can do this.
>
> However - you're going to run into the fact that EAP-TLS as implemented
> in the 2.x branch doesn't offer very much in the way of authorization -
> the only place you can run a database lookup and be sure you have the
> TLS cert details is post-auth (a virtual server step was added in
> master/3.x).
>
> Basically:
>
>  1. Define a local attribute in raddb/dictionary to hold your groups.
> Note carefully the stuff in the default dictionary file about local
> attribute numbers.
>
>  2. Configure one of the various data lookup modules (passwd and files
> are the simplest but least flexible) to look up the groups based on the
> TLS cert attributes (see below).
>
>  3. Run this module in the post-auth section, and act on the result.
>
> raddb/sites-available/default contains comments to this effect in
> post-auth - search for "TLS-Client" in that file, which also tells you
> the various TLS cert attributes you can use.
>
> About the only difficult bit is step 2; I thought I'd written something
> in the wiki about this, but I can't find it (and I can't log in
> anymore).
>
> If you've got a more specific question, I'll try to reply, but you'll
> need to do a bit of research into the various "database" modules and
> decide which one you want to use first.
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
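The three steps Phil describes, written out as one added configuration sketch for a 2.x server (this is not from the thread or from the FreeRADIUS distribution): the attribute name My-Cert-Group and number 3000, the module instance and file name cert_groups, the group names and the certificate CNs are all assumed sample values; TLS-Client-Cert-Common-Name is one of the "TLS-Client" attributes the default virtual server's post-auth comments refer to.

```text
# --- raddb/dictionary (step 1): a local attribute, numbered in the range
#     the default dictionary reserves for local use (3000 and the name
#     are assumptions; check the comments in your own dictionary file).
ATTRIBUTE   My-Cert-Group   3000    string

# --- raddb/modules/cert_groups (step 2): a second rlm_files instance
#     keyed on the client certificate CN instead of User-Name.
files cert_groups {
    key       = "%{TLS-Client-Cert-Common-Name}"
    usersfile = ${confdir}/cert_groups
}

# --- raddb/cert_groups: users-file syntax. The first token is matched
#     against the key above; a ":=" check item is placed in the control
#     list. The CNs are made-up sample values.
"laptop-0042.corp.example"   My-Cert-Group := "wifi-staff"
"laptop-0043.corp.example"   My-Cert-Group := "wifi-contractors"
# No DEFAULT entry on purpose: an unknown CN leaves My-Cert-Group unset,
# so a missing group is treated as "no membership", not as a match.

# --- raddb/sites-available/default, post-auth (step 3). In 2.x the cert
#     attributes are only reliably present here, so the lookup and the
#     decision both live in post-auth. The rest of the existing post-auth
#     section stays as it is.
post-auth {
    # Only act on EAP-TLS sessions; other auth types carry no cert attrs.
    if (TLS-Client-Cert-Common-Name) {
        cert_groups
        # Unset or any value other than the allowed group: refuse access.
        if (!(control:My-Cert-Group == "wifi-staff")) {
            reject
        }
    }
}
```

Run the server with `radiusd -X` and watch for the cert_groups lookup in the post-auth debug output to confirm the CN key is being filled in from the certificate before relying on the reject branch.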

