Re: simple mac-auth

[Phil Mayers <p.mayers@imperial.ac.uk>]

Mikko Husari wrote:
> Mikko Husari wrote:
> > Hi!
> >
> > im currently running eap-tls with username and password (from ldap), but 
> > now we're having a bunch of "stupid" wlan-client machines, and we need 
> > an simple mac-auth (from ldap?) to the network. basic idea: (example 
> > from outside world) "so, no certificate and login credentials, cant let 
> > you in. but im on an vip-list!. Oh, i see, come on in, sorry for 
> > inconvenience", for now we are happy to get just that to work, next 
> > level would be something concerning vlans... i think (in the long run) 
> > we don't want to have too much accessibility in those stupid machines. 
> > poorly explained, not enough coffee in veins yet...
> >
> > thanks in advance
> > - 
> > List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
> >   
> Wouldn't i just be able to create  hints rule that says "if 
> calling-station-id ==  xx-xx-xx-xx-xx permit access" , or something similar?

Yes. Like I said, it's easy.

My advice would be to use an rlm_passwd with a key of calling-station-id 
and use the authtype value on the module instance to set to Accept.

As I said, your AP still needs to support sending the MAC to Radius on 
association. I suggest you consult your AP docs.