must i use rlm_ldap to use groups/ou via winbind/Active Directory?

Ivan Kalik tnt at
Sat May 23 12:54:16 CEST 2009

> Hmm. I don't think I like this approach for a couple of reasons,
> perhaps you can let me know if I am
> thinking about this incorrectly.
> We already use mac address as an auth scheme and I want to move away
> from this because of the ease of mac spoofing in a wireless
> environment. That's why I hoped to move to username/password
> authentication with WPA2 that was centrally managed via freeradius <=>
> Active Directory.

Fine. But what about authenticating machines? They do get to the NAS first.

> I currently have a fairly central way to manage access by mac, but I
> would have to give that up if I had to maintain a mac address table on
> each NAS. I guess I could add a list of allowed mac addresses in the
> freeradius/users file and maintain it from there?

Yes. It's of no particular relevance for mac authentication if addresses
are stored locally or with radius server.

> Just so I understand you clearly, we can't have 1 class of users who
> must use host certs via NAS A and another class of users who never have
> to use certs via NAS B on the same freeradius server?

Radius server is irrelevant. Authentication protocol is negotiated
*solely* by NAS and supplicant. For dot1x equipment you usually have three

- EAP: everybody has to do EAP - machines usually do certificates and
people certs or user/pass

- EAP + mac auth bypass: PAP is allowed for known mac addresses; everybody
else has to do EAP

- so called "open" authentication: free for all - port authentication is
switched off; you would normally tie this to a captive portal and have
portal do authentication

On the other hand, NAS doesn't care what EAP type the supplicant is using
(certificates or user/pass). In short, you can't do EAP, not require
machine certificates *and* not do mac authentication. One of these will
have to give.

What you don't seem to comprehend is that machines and people are two
completely separate things for NAS. It doesn't know who is using which
machine and it doesn't care. Neither does radius. If you do care, you will
have to create the link (by checking Calling-Station-Id).

You could probably get away with not performing mac auth (i.e. not storing
any mac addresses). But considering that you need them for
Calling-Station-Id checks ... why? Do you really want unauthenticated
machines bombarding your radius server with pointless requests once a
second (there is a 1 second delay on Access-Rejects in freeradius)?

>  If that is the case I think I might want to set up a second instance
> of Freeradius and point the NAS that don't require host certs at that
> one. I could simply mint another virtual freeradius instance in
> freeradius/sites-enabled couldn't I?

No, all these policies can be implemented on the same server. With right
huntgroup/Ldap-Group combinations.

Ivan Kalik
Kalik Informatika ISP
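As an added illustration of the "same server, right huntgroup/Ldap-Group combination" point in the reply above (not from the original post or from the FreeRADIUS project), the fragments below show one way to express the two NAS policies in the `huntgroups` and `users` files. The NAS addresses, MAC, huntgroup names and LDAP group names are assumed placeholders, and the `Ldap-Group` check presupposes that `ldap` runs before `files` in the `authorize` section.

```text
# raddb/huntgroups -- name the two NAS (assumed addresses)
nas_a_eap_only   NAS-IP-Address == 192.0.2.10
nas_b_mab        NAS-IP-Address == 192.0.2.20

# raddb/users -- entries are tried in order; check items on one line are ANDed

# NAS B, MAC auth bypass: the switch sends the MAC as User-Name and
# User-Password (PAP). A matching entry means "known machine".
# MAC formatting (hyphens, colons, case) depends on the NAS; match what it sends.
00-11-22-33-44-55   Huntgroup-Name == "nas_b_mab", Cleartext-Password := "00-11-22-33-44-55"
        Reply-Message = "known machine"

# NAS B, unknown MAC trying PAP (no EAP-Message present): reject here so the
# request does not go any further. EAP requests fall through to the next entries.
DEFAULT Huntgroup-Name == "nas_b_mab", EAP-Message !* ANY, Auth-Type := Reject
        Reply-Message = "unknown machine, MAC auth bypass denied"

# NAS A, EAP only: machines must be in the computers group and people in the
# wireless users group (assumed group names); anyone else is rejected.
DEFAULT Huntgroup-Name == "nas_a_eap_only", Ldap-Group != "WirelessUsers", Ldap-Group != "DomainComputers", Auth-Type := Reject
        Reply-Message = "not authorized for wireless on this NAS"

# Tying a person to a machine, as the reply suggests, via Calling-Station-Id
# (assumed user and MAC). Works on the inner tunnel identity with PEAP/TTLS.
alice   Calling-Station-Id != "00-11-22-33-44-55", Auth-Type := Reject
        Reply-Message = "user may only connect from the registered machine"
```

Run `radiusd -X` and watch which `users` entry matches for a MAB request versus an EAP request from each NAS before relying on the policy.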