MAC authorisation (but not authentication) via LDAP

Martin Whinnery martin.whinnery at sbc.ac.uk
Sun Feb 25 01:25:48 CET 2007


Markus Krause wrote:
> Zitat von Martin Whinnery <martin.whinnery at sbc.ac.uk>:
>
>   
>> Hi.
>>
>> Probably just me not understanding...
>>
>> What I want is for our switches to only allow access to MAC addresses in
>> our LDAP database.
>>
>> I don't want to store passwords on our LDAP host entries.
>>
>> I'm set up to check LDAP during authorisation, and it correctly returns
>> authorised / not authorised depending on whether the appropriate
>> attribute contains the right value.
>>
>> The trouble comes with authentication - either I set Auth-Type :=
>> Accept, in which case any failed authorisation is overridden, or I allow
>> authentication to carry on against LDAP ( or System, or whatever ), in
>> which case it always fails and access is denied, even for authorised MACs.
>>
>> Is there a way to make the Authorisation part final and authoritative?
>>
>>
>> As I say, probably just being stupid.
>>
>>
>> Mart
>>
>>
>>     
> don't know if it is a good solution, but I just do this by setting the  
> following in radiusd.conf:
>
> authenticate {
>      ...
>      Auth-Type LdapMAC {
>         ok
>      }
>      ...
> }
>
> the Auth-Type is set in users file depending on huntgroups:
>
> DEFAULT  Huntgroup-Name == switch, Autz-Type := LdapMAC, Auth-Type := LdapMAC
>
> I assume there are better/smarter solutions, as one can read "don't  
> set Auth-Type" in many places, but it works here ;-)
>
> regards
>    markus
>
>   
Thanks Markus,

the problem seems to be that the authorisation pass returns "notfound", 
whereas I want it to "reject", as if it found an entry in LDAP without 
the appropriate attribute.

Mart





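Added example, not code from the thread or from the FreeRADIUS project: one way to make the LDAP lookup authoritative for MAC-based switch access, so that "notfound" becomes a reject and Accept is only set once the entry has passed the check. It assumes a FreeRADIUS release with unlang (2.x or later, which is newer than the version discussed above), a huntgroup named "switch" in the huntgroups file, an ldap module instance that looks entries up by User-Name (the switch sending the client MAC as User-Name), and an LDAP group "mac-allowed"; all of those names are assumptions.

```text
# Added example, not from the thread or the FreeRADIUS project.
# Assumed names: huntgroup "switch", ldap instance "ldap", group "mac-allowed".
# Assumes FreeRADIUS 2.x or later (unlang) and host entries without passwords.

authorize {
    preprocess                 # fills Huntgroup-Name from the huntgroups file

    if (Huntgroup-Name == "switch") {
        # rlm_ldap returns "notfound" when no entry matches the MAC. The
        # section does not fail on notfound by itself, so turn it into a
        # reject here; this is the point the thread is stuck on.
        ldap
        if (notfound) {
            reject
        }

        # Entry exists: authorise on group membership rather than a password.
        # Ldap-Group is a check attribute supplied by rlm_ldap.
        if (!(Ldap-Group == "mac-allowed")) {
            reject
        }

        # Entry found and in the group: there is nothing to authenticate,
        # since the host entries hold no password. Setting Accept only on
        # this path, not unconditionally at the top of authorize, is what
        # keeps the two rejects above authoritative.
        update control {
            Auth-Type := Accept
        }
    }
}
```

Because Auth-Type := Accept skips the authenticate section entirely, the switch-supplied User-Password is never examined; that is intended for MAC bypass, but it also means the check is identification, not authentication: any device that clones a permitted MAC address is admitted. Treat it as a weak gate for printers and similar devices that cannot do 802.1X, not as a substitute for it.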
More information about the Freeradius-Users mailing list