Verify certificate <-> mac mapping in openldap..
Christ Schlacta
lists at aarcane.org
Tue Dec 21 00:39:01 CET 2010
So I've done some research, looking at how FreeRADIUS works now: it
manages to identify hostnames from certificates which are issued to a
given host, blah blah blah. Suffice it to say, when "lain"
authenticates, it knows it's lain. I want to make sure that lain's MAC
address matches what I know lain's MAC address to be. More importantly,
if lain's MAC address isn't known, I'd like it to log the MAC address
(which it does now already) and NOT give an error. Also, I'd like to be
able to shove hosts into groups, such as "disabled".

I need advice on just what information needs to be stored in OpenLDAP,
and just which changes need to be made to FreeRADIUS.

I've done a little independent research, and I think I can use a
definition for a host as a "device" with a cn, and an "ieee802Device"
with a MAC address. I can create a group of unique names, or is there
some other mechanism I have to use for groups to work with FreeRADIUS?
Will this scheme work with FreeRADIUS? Is there some better, more
established standard to store this mapping of hostname from certificate
to MAC address?

And last, but not least, what do I have to do to make sure that an
absence of MAC address doesn't trigger a failure, but the presence of a
wrong MAC address does?
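
The policy asked about above (unknown MAC: log and accept; wrong MAC: reject; group "disabled": reject), sketched as an added example that is not part of the original post and is not FreeRADIUS code. The names `DIRECTORY`, `normalize_mac` and `authorize` are hypothetical, the entries are constructed sample data standing in for LDAP results, and two things are assumptions: the MAC arrives in the RADIUS Calling-Station-Id attribute, and a host missing from the directory is treated like a host with no MAC on record.

```python
import re

# Constructed sample data standing in for LDAP entries (device + ieee802Device
# with a macAddress attribute) and their group membership.
DIRECTORY = {
    "lain":  {"macAddress": ["00:16:3e:aa:bb:cc"], "groups": set()},
    "alice": {"macAddress": [], "groups": set()},  # MAC not recorded yet
    "bob":   {"macAddress": ["00:16:3e:11:22:33"], "groups": {"disabled"}},
}

def normalize_mac(value):
    """Return 12 lowercase hex digits, or None if value is not a MAC address."""
    digits = re.sub(r"[-:.\s]", "", value or "").lower()
    return digits if re.fullmatch(r"[0-9a-f]{12}", digits) else None

def authorize(cert_cn, calling_station_id, directory=DIRECTORY):
    """Return (accept, reason) for a host already authenticated by certificate."""
    # Assumption: a host absent from the directory has no MAC on record.
    entry = directory.get(cert_cn, {"macAddress": [], "groups": set()})
    if "disabled" in entry["groups"]:
        return False, "host is in group 'disabled'"
    known = {normalize_mac(m) for m in entry["macAddress"]} - {None}
    seen = normalize_mac(calling_station_id)
    shown = seen or calling_station_id
    if not known:
        # No MAC on record: report what was seen for logging, do not fail.
        return True, f"no MAC on record for {cert_cn}; saw {shown!r}"
    if seen in known:
        return True, "MAC matches directory"
    # A MAC is on record and the presented one differs or is unparseable.
    return False, f"MAC mismatch for {cert_cn}: saw {shown!r}"

if __name__ == "__main__":
    # Constructed requests: (certificate CN, Calling-Station-Id value).
    for cn, mac in [("lain", "00-16-3E-AA-BB-CC"), ("lain", "0016.3edd.eeff"),
                    ("alice", "00:16:3e:01:02:03"), ("bob", "00:16:3e:11:22:33")]:
        print(cn, mac, authorize(cn, mac))
```

Normalizing before comparing matters because the directory and the NAS rarely agree on separators or case for the same address.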
More information about the Freeradius-Users mailing list