MAC authorisation (but not authentication) via LDAP

Phil Mayers p.mayers at imperial.ac.uk
Sun Feb 25 01:20:25 CET 2007


Markus Krause wrote:

> don't know if it is a good solution, but I just do this by setting the
> following in radiusd.conf:
> 
> authenticate {
>      ...
>      Auth-Type LdapMAC {
>         ok
>      }
>      ...
> }
> 
> the Auth-Type is set in users file depending on huntgroups:
> 
> DEFAULT  Huntgroup-Name == switch, Autz-Type := LdapMAC, Auth-Type := LdapMAC
> 
> I assume there are better/smarter solutions, as one can read "don't
> set Auth-Type" in many places, but it works here ;-)

Sorry, but it's an awful suggestion. Don't do it, and certainly don't 
recommend others do it. There's no need to go setting Auth-Type to 
random values.

The correct way to do this is to reject unknown, not blindly accept known.

Example - you could modify the ldap group membership query to find 
groups based on both the username and callingstationid:

groupmembership_filter = "(|
   (&(objectClass=GroupOfMacaddrs)(member=%{Calling-Station-Id}))
   (&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))
  )"

Then in "ldap":

dn: cn=GoodMacs,dc=example,dc=com
objectClass: top
objectClass: GroupOfMacaddrs
member: 00:11:22:33:44:55
member: 66:77:88:99:aa:bb

Then in the "users" file:

DEFAULT	Ldap-Group == "GoodMacs"
	Fall-Through = No

DEFAULT	Auth-Type := Reject
	Reply-Message = "your mac is unknown"

There are lots of variations of this scheme.
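To make the "reject unknown, don't blindly accept known" policy concrete, here is a small Python simulation of the scheme above. It is an added example, not code from the post or from FreeRADIUS: the in-memory directory is constructed sample data standing in for the LDAP server, ldap_groups() applies the semantics of the OR-of-two-ANDs groupmembership_filter, and authorize() walks the two DEFAULT entries of the "users" file in order. One addition beyond the post is normalise_mac(): different NAS vendors send Calling-Station-Id as 00-11-22-33-44-55, 0011.2233.4455 or 00:11:22:33:44:55, and since the LDAP comparison is a plain string match, a real deployment has to canonicalise the attribute on the RADIUS side before the query or every format variant will be rejected as unknown (the canonicalisation step here is an assumption about how one would do that, not something the post describes).

```python
"""Simulate the 'reject unknown MAC' policy from the post against a small
in-memory directory (constructed sample data, not a real LDAP server)."""
import re

# Constructed sample directory: one MAC group (as in the post) and one user group.
DIRECTORY = [
    {"dn": "cn=GoodMacs,dc=example,dc=com",
     "objectClass": ["top", "GroupOfMacaddrs"],
     "member": ["00:11:22:33:44:55", "66:77:88:99:aa:bb"]},
    {"dn": "cn=Staff,dc=example,dc=com",
     "objectClass": ["top", "GroupOfNames"],
     "member": ["uid=alice,ou=people,dc=example,dc=com"]},
]

_HEX12 = re.compile(r"^[0-9a-f]{12}$")


def normalise_mac(value):
    """Canonicalise a MAC to lower-case colon form, or None if it is not a MAC.

    Assumption added for this example: NASes send several styles
    (00-11-22-33-44-55, 0011.2233.4455, 00:11:22:33:44:55), and the LDAP
    member comparison is a plain string match, so canonicalise first.
    """
    digits = re.sub(r"[^0-9a-fA-F]", "", value).lower()
    if not _HEX12.match(digits):
        return None
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def cn_of(dn):
    """Return the cn value of a DN such as 'cn=GoodMacs,dc=example,dc=com'."""
    return dn.split(",", 1)[0].split("=", 1)[1]


def ldap_groups(calling_station_id, user_dn):
    """Evaluate the post's groupmembership_filter semantics against DIRECTORY:
    (|(&(objectClass=GroupOfMacaddrs)(member=%{Calling-Station-Id}))
      (&(objectClass=GroupOfNames)(member=%{Ldap-UserDn})))
    Returns the cn of every group the request is a member of."""
    mac = normalise_mac(calling_station_id)
    matched = []
    for entry in DIRECTORY:
        classes, members = entry["objectClass"], entry["member"]
        if ("GroupOfMacaddrs" in classes and mac is not None
                and any(normalise_mac(m) == mac for m in members)):
            matched.append(cn_of(entry["dn"]))
        elif "GroupOfNames" in classes and user_dn in members:
            matched.append(cn_of(entry["dn"]))
    return matched


def authorize(calling_station_id, user_dn):
    """Apply the two DEFAULT entries of the post's 'users' file in order.

    DEFAULT Ldap-Group == "GoodMacs", Fall-Through = No  -> stop here and let
    normal authentication proceed (returned as ("continue", None)).
    DEFAULT Auth-Type := Reject, Reply-Message = ...    -> reached only when
    the first entry did not match (returned as ("reject", message)).
    """
    groups = ldap_groups(calling_station_id, user_dn)
    if "GoodMacs" in groups:
        return ("continue", None)
    return ("reject", "your mac is unknown")


if __name__ == "__main__":
    alice = "uid=alice,ou=people,dc=example,dc=com"
    for csid in ("00-11-22-33-44-55", "0011.2233.4455", "de:ad:be:ef:00:01"):
        print(csid, "->", authorize(csid, alice))
```

Note that a known MAC is never "accepted" here: it only falls through to the normal authentication the NAS requested, which is exactly the distinction the post draws against setting Auth-Type to an always-ok value.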
