User + Password + MAC address group authentication

John McDonnell mcdonnjd at pcam.org
Fri Jul 9 14:27:41 CEST 2010


> -----Original Message-----
> From: Alan DeKok
> Sent: Thursday, July 08, 2010 10:26 AM
> Aaron Jansen wrote:
> > For a user FreeRADIUS should check the user name, password, and the
> > MAC address. The MAC address can be one of many in a list stored in
> > a database. So, this is not about a single user logging in on only
> > one device.

This is something that I want to do here as well. I've seen the examples
for using a flat file to do this, but wanted to put it into a SQL database
for easier management, but also was not sure how to go about it and have
limited time right now for figuring it out.

>   The existing tables are for specific purposes.  If you need
> something else, don't use them.
> 
>   Create a table just for MAC addresses.  Then, do:
> 
> authorize {
> 	...
> 
> 
> 	if ("%{sql:SELECT mac FROM mac_table WHERE...}") {
> 		# mac is known
> 	}
> 	else {
> 		# mac is unknown
> 	}
> 	...
> }
> 
>   Run the SQL select by hand until you get it working, and then add
> it to the configuration file.

Having even a bit of an example like that really helps sometimes.
Especially since I only have a minor understanding (Just Enough to Be
Dangerous *TM) of SQL and FreeRADIUS. (The latter is getting better quite
regularly.) Though right now, we're quite busy and I'm not sure when I'll
get the chance to set this up, I'll be sure to share my findings when I
get the chance.

Just a quick question, I'm planning on adding a machine_name field to the
MAC address table in addition to the MAC addresses to make maintaining the
list (adding and removing MAC addresses with new machines coming in and
old ones going out) easier. Is there anything else that would be useful to
add to the table? Should I create an arbitrary key_id field or use the
mac_address field as the index or perhaps the machine name since laptops
and some other machines have multiple NICs? I might add an asset_id field
as well since that would be easier for our users to read back to us
(sticker on the outside of the equipment) for troubleshooting when
checking to make sure their machine is entered properly in the database.

Example table layout:

mac_table
##################################################
# key_id # mac_address # machine_name # asset_id #
##################################################

(Sorry for the layout, I couldn't remember exactly how SQL diagrams are
usually done and couldn't find a quick example.)

Does this seem to make the most sense or would there be a better table
design that would be more efficient? Granted, the only thing in the table
that will be regularly accessed will be the MAC address, the rest is just
for making maintaining the addresses easier and will only be accessed when
adding/removing/making sure MAC was entered correctly.

Thanks for your patience and help.

Sincerely,

-- 
John McDonnell
Penn Cambria School District
mcdonnjd at pcam.org
O< ASCII Ribbon Campaign - www.asciiribbon.org
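
The table layout asked about above, as an added example that is not part of the original post or of FreeRADIUS: it keeps an arbitrary key_id as the primary key and puts a unique index on mac_address, so one machine_name or asset_id can own several NICs while the lookup stays a single indexed match. It assumes Python's built-in sqlite3 as a stand-in for the real database, stores MACs as 12 lowercase hex digits (an assumed convention, since clients and switches report them in different notations), and the function names and sample rows are constructed.

```python
import re
import sqlite3

# Assumed schema: surrogate key_id, UNIQUE mac_address (the only column the
# RADIUS-side lookup reads), plus the two bookkeeping columns from the post.
SCHEMA = """
CREATE TABLE mac_table (
    key_id       INTEGER PRIMARY KEY,
    mac_address  CHAR(12) NOT NULL UNIQUE,
    machine_name TEXT NOT NULL,
    asset_id     TEXT
);
"""

def normalize_mac(raw):
    """Reduce common MAC notations to 12 lowercase hex digits, else None."""
    digits = re.sub(r"[-:.\s]", "", raw).lower()
    return digits if re.fullmatch(r"[0-9a-f]{12}", digits) else None

def add_machine(db, mac, machine_name, asset_id=None):
    norm = normalize_mac(mac)
    if norm is None:
        raise ValueError("not a MAC address: %r" % mac)
    db.execute(
        "INSERT INTO mac_table (mac_address, machine_name, asset_id) VALUES (?, ?, ?)",
        (norm, machine_name, asset_id))

def mac_is_known(db, calling_station_id):
    # Malformed input is rejected before it reaches SQL; the query itself
    # is parameterized, so the value is never spliced into the statement.
    norm = normalize_mac(calling_station_id)
    if norm is None:
        return False
    row = db.execute(
        "SELECT 1 FROM mac_table WHERE mac_address = ?", (norm,)).fetchone()
    return row is not None

def build_demo_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    # Constructed sample rows: one laptop with two NICs, one desktop.
    add_machine(db, "00:1A:2B:3C:4D:5E", "lab-laptop-01", "A-1001")
    add_machine(db, "00-1a-2b-3c-4d-5f", "lab-laptop-01", "A-1001")
    add_machine(db, "0011.2233.4455", "office-pc-07", "A-1002")
    return db
```

Whatever notation is chosen for storage, the value used in the SELECT has to be brought to the same notation, otherwise a known MAC sent with different separators or case is treated as unknown.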