(Solved) Re: MAC authorisation (but not authentication) via LDAP

Martin Whinnery martin.whinnery at sbc.ac.uk
Sun Feb 25 21:05:09 CET 2007


Martin Whinnery wrote:
> Markus Krause wrote:
>   
>> Zitat von Martin Whinnery <martin.whinnery at sbc.ac.uk>:
>>
>>> Hi.
>>>
>>> Probably just me not understanding...
>>>
>>> What I want is for our switches to only allow access to MAC addresses in
>>> our LDAP database.
>>>
>>> I don't want to store passwords on our LDAP host entries.
>>>
>>> I'm set up to check LDAP during authorisation, and it correctly returns
>>> authorised / not authorised depending on whether the appropriate
>>> attribute contains the right value.
>>>
>>> The trouble comes with authentication - either I set Auth-Type :=
>>> Accept, in which case any failed authorisation is overridden, or I allow
>>> authentication to carry on against LDAP ( or System, or whatever ), in
>>> which case it fails always and access is denied, even for authorised MACs.
>>>
>>> Is there a way to make the Authorisation part final and authoritative?
>>>
>>>
>>> As I say, probably just being stupid.
>>>
>>>
>>> Mart
>>>
>>>
>> Don't know if it is a good solution, but I just do this by setting the
>> following in radiusd.conf:
>>
>> authenticate {
>>      ...
>>      Auth-Type LdapMAC {
>>         ok
>>      }
>>      ...
>> }
>>
>> the Auth-Type is set in users file depending on huntgroups:
>>
>> DEFAULT  Huntgroup-Name == switch, Autz-Type := LdapMAC, Auth-Type := LdapMAC
>>
>> I assume there are better/smarter solutions, as one can read "don't
>> set Auth-Type" in many places, but it works here ;-)
>>
>> regards
>>    markus
>>
> Thanks Markus,
>
> the problem seems to be that the authorisation pass returns "notfound", 
> whereas I want it to "reject", as if it found an entry in LDAP without 
> the appropriate attribute.
>
> Mart
>
>   
This was exactly the problem. What I've done is create an exec module,
which checks for 'not found' in MODULE_FAILURE_MESSAGE, returning
non-zero if there's a match. So authorization *fails* rather than
succeeds with 'not found'.

I think.

Anyway, it works.

Thanks for all your help.

Mart
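One way to write the exec-module script Mart describes above, as an added example that is not part of the thread (Mart did not post his script). The script path, the module name ldapmac_check and the radiusd.conf fragment in the comments are assumptions; what the page supports is that rlm_exec hands the script MODULE_FAILURE_MESSAGE and that a non-zero exit stops the authorize pass.

```shell
#!/bin/sh
# Added example, not the script from the thread. rlm_exec exports request
# attributes to the child as environment variables with the attribute name
# upper-cased and '-' replaced by '_', so Module-Failure-Message arrives as
# MODULE_FAILURE_MESSAGE. The module must be configured with wait = yes for
# the exit status to be examined at all; a non-zero exit makes rlm_exec
# return a non-ok code (reject or fail, depending on server version), and
# either one stops the authorize section before Auth-Type is applied.
#
# Assumed radiusd.conf fragment (FreeRADIUS 1.x layout, names are made up):
#
#   modules {
#       exec ldapmac_check {
#           wait = yes
#           program = "/usr/local/sbin/ldapmac-check"
#           input_pairs = request
#       }
#   }
#   authorize {
#       ...
#       ldap
#       ldapmac_check
#   }

# mac_autz_check MESSAGE
# Returns 1 (reject the MAC) when MESSAGE shows the LDAP lookup found no
# entry at all, 0 (carry on) otherwise. Only "not found" is matched, case-
# insensitively; any other failure text is left to rlm_ldap's own return
# code, which already stops authorize on a real LDAP error.
mac_autz_check() {
    msg=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    case "$msg" in
        *"not found"*) return 1 ;;
    esac
    return 0
}

# Entry point: read the exported attribute and exit with the verdict.
# Diagnostics go to stderr, because with wait = yes rlm_exec treats the
# child's stdout as attribute pairs to add to the packet.
main() {
    if mac_autz_check "${MODULE_FAILURE_MESSAGE:-}"; then
        return 0
    fi
    printf 'ldapmac-check: rejecting, ldap said: %s\n' \
        "${MODULE_FAILURE_MESSAGE:-}" >&2
    return 1
}

main "$@"
```

Two caveats a practitioner should keep in mind. First, the check only works if the ldap module actually runs before ldapmac_check in authorize {}, and only if Module-Failure-Message is among the request pairs passed to the script (input_pairs = request); otherwise the variable is empty and every MAC passes. Second, matching on a human-readable failure string is fragile: the wording belongs to rlm_ldap and can change between releases, so the match should be re-tested after any server upgrade. Later FreeRADIUS versions let the authorize section remap a module's "notfound" return code directly, which removes the need to parse messages at all.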
