@Phil, Thanks for the example - I'll do some work with it. Appreciate the additional information too...I imagine that there is a huge amount of variation within FR configurations so I get it that requests for assistance need to be as concise as possible....don't always know "exactly" what to ask sometimes though :)
Thanks again....

On Thu, 27 Dec 2012 10:40:15 -0500 "Phil Mayers" <[email protected]> wrote:

>On 12/27/2012 03:19 PM, [email protected] wrote:
>
>> ...but if not then ok I was simply trying to figure out if I was
>> able to control machine-only 802.1x authentication against
>> FreeRADIUS in a manner similar to how "simple" user authentication
>> appears to be done (via the users file). From your response, it
>> appears that the answer is "NO" and that an LDAP configuration /
>> LDAP groups will be required.
>
>Not so - that's not what Alan said. You mentioned LDAP - he naturally
>assumed you were looking in that direction.
>
>You can use the "users" file; but you need to alter the config slightly,
>and due to the way EAP-TLS runs in 2.x, you need to use it in a
>particular way.
>
>Try this:
>
>/etc/raddb/modules/tls_clients:
>
>files tls_clients {
>	key = "%{TLS-Client-Cert-Common-Name}"
>	usersfile = "/etc/raddb/tls_clients"
>}
>
>/etc/raddb/sites-enabled/default
>
>post-auth {
>	...
>	if (TLS-Client-Cert-Common-Name) {
>		tls_clients.authorize
>		if (notfound) {
>			# reject unknown users
>			reject
>		}
>	}
>	...
>}
>
>Modify as appropriate for your needs.
>
>>
>> I'll look into that as time allows...and while I appreciate your
>> quick response, I think that your comment below is a bit
>> unwarranted - one of the points of user groups is to be able to ask
>> the question "I don't know how...at least this has been the case
>> for the last 15 years that I have been doing this stuff."
>
>Unfortunately, the FreeRADIUS community does not have the depth and
>breadth to provide the level of support and documentation that something
>like Apache or Samba does. This means there is more onus on you to be
>specific.
>
>I have my theories about *why* this difference exists - specifically,
>that FR is a complex infrastructure daemon, which people set up and
>forget, as opposed to a framework that they constantly use. You see
>similar issues on other projects (ISC bind, for example) that have these
>attributes. But whatever the reason, most people post to this list a few
>times, then vanish - they don't answer questions to people who follow
>them, write docs or wiki articles, or contribute code.
>
>This leads to a relatively small pool of people who can answer, and to
>the expectation that you be specific so those people can use their time
>efficiently. Don't take it personally - it's just a function of the
>community size.
>
>Cheers,
>Phil
>-
>List info/subscribe/unsubscribe? See
>http://www.freeradius.org/list/users.html
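A constructed example of what the `/etc/raddb/tls_clients` users file referenced in Phil's config could look like (added here; it is not from the thread or the FreeRADIUS distribution, and the hostnames are made up):

```text
# /etc/raddb/tls_clients  (constructed example, not from the thread)
#
# Entries are keyed on the client certificate CN, because the module is
# configured with key = "%{TLS-Client-Cert-Common-Name}".  A matching
# entry makes tls_clients.authorize return "ok"; no match returns
# "notfound", which is what the reject branch in post-auth relies on.
#
# Caveats:
#  - Do NOT add a DEFAULT entry.  DEFAULT matches every key, so every
#    certificate would be "found" and unknown machines would be accepted.
#  - The check is only as strong as CN uniqueness within the issuing CA:
#    any valid certificate from a trusted CA with a listed CN matches.
#  - Keep this file readable only by the radiusd user; it is the
#    machine allow-list.

ws01.corp.example
	Reply-Message = "known machine"

ws02.corp.example
	Reply-Message = "known machine"
```

Removing a line from this file is enough to stop accepting that machine even while its certificate remains valid, which is the practical advantage over relying on certificate expiry alone.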

