Mac based auth

Collen Blijenberg collen at hermanjordan.nl
Wed Nov 29 11:29:27 CET 2006


Looks good, I was also wondering
if this could be done with MySQL as a backend?!

Cheers, Collen

Phil Mayers wrote:
> jonr at destar.net wrote:
>>>> Could I also do:
>>>>
>>>> bob    password = "neil", Calling-Station-Id != "0001....", Auth-Type := Reject
>>>>
>>>> So that both pieces of information have to be present to be authenticated?
>>> No, that would always reject the user. You could do this:
>>>
>>> bob    Calling-Station-Id != "0001....", Auth-Type := Reject
>>>
>>> bob    User-Password := "neil"
>>
>> Well that's too easy. :)
>>
>>
>>> Can you instead use rlm_checkval like this:
>>>
>>> modules {
>>>    passwd user2allowedmacs {
>>>      filename = /etc/raddb/user2allowedmacs
>>>      format = "*User-Name:Calling-Station-Id"
>>>      hashsize = 100
>>>      allowmultiplekeys = yes
>>>    }
>>>    checkval usermacs {
>>>      item-name = Calling-Station-Id
>>>      check-name = Calling-Station-Id
>>>      data-type = string
>>>      notfound-reject = yes
>>>    }
>>> }
>>
>> Which file would the above be placed in and does it need to be placed in a
>> certain area of the file or can it just be added to the bottom of the file? And
>
> It's a partial fragment of radiusd.conf - you would need to inspect 
> how the radiusd.conf hierarchical config works, and put the two module 
> definitions in along with anything else you need
>
>> when I see 'rlm_' I think realm which makes me think ldap or kerberos, neither
>> of which I am using, will this be a problem?
>
> rlm == radius loadable module, nothing to do with realms (although 
> there is an rlm_realm for dealing with realms!)
>
>>
>>
>>> authorize {
>>>    preprocess
>>>    user2allowedmacs
>>>    usermacs
>>>    # other stuff
>>> }
>>
>> So whatever I name my module I will have to add to the authorize stanza in the
>> radius.conf file, correct?
>
> Yep
>
>>
>>> /etc/raddb/user2allowedmacs:
>>>
>>> user1:001122334455
>>> user1:aabbccddeeff
>>> user2:0123456789ab
>>>
>>> ...I think that ought to work?
>>
>> Thanks for the info, this is gold!
>>
>> Jon
>> - List info/subscribe/unsubscribe? See 
>> http://www.freeradius.org/list/users.html




More information about the Freeradius-Users mailing list
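
An added example, not from the thread or from the FreeRADIUS project: a small Python model of the per-user MAC allow-list quoted above, for checking a user2allowedmacs file before it is deployed. It assumes the checkval comparison with data-type = string is an exact string match, so a NAS that sends Calling-Station-Id with separators or in uppercase would not match bare lowercase entries; all function names and the user3 sample line are hypothetical.

```python
import re

# Constructed sample in the thread's layout (User-Name:Calling-Station-Id);
# the user3 line is deliberately stored with separators.
SAMPLE = """\
user1:001122334455
user1:aabbccddeeff
user2:0123456789ab
user3:00-11-22-33-44-56
"""

def load_allowed(text):
    """Map each User-Name to the set of MAC strings listed for it."""
    allowed = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line:
            continue
        user, sep, mac = line.partition(":")
        if not (sep and user and mac):
            raise ValueError(f"line {lineno}: expected User-Name:Calling-Station-Id")
        allowed.setdefault(user, set()).add(mac)
    return allowed

def normalize(mac):
    """Drop separators and lowercase; None unless 12 hex digits remain."""
    digits = re.sub(r"[-:.\s]", "", mac).lower()
    return digits if re.fullmatch(r"[0-9a-f]{12}", digits) else None

def mac_allowed(allowed, user, calling_station_id, exact=True):
    """True if the station id is listed for the user.
    exact=True models a plain string compare (assumption about checkval);
    exact=False normalizes both sides first."""
    macs = allowed.get(user)
    if not macs:
        return False  # user has no entry: treated like notfound-reject = yes
    if exact:
        return calling_station_id in macs
    want = normalize(calling_station_id)
    return want is not None and want in {normalize(m) for m in macs}

def lint(allowed):
    """Entries not stored as 12 lowercase hex digits."""
    return sorted((u, m) for u, macs in allowed.items()
                  for m in macs if normalize(m) != m)

if __name__ == "__main__":
    table = load_allowed(SAMPLE)
    print(mac_allowed(table, "user1", "00-11-22-33-44-55"))
    print(mac_allowed(table, "user1", "00-11-22-33-44-55", exact=False))
    print(lint(table))
```

Comparing the exact and normalized results for the same request shows whether the file's MAC format matches what the NAS actually sends.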