Combining ntlm_auth and mac address verification in freeradius

Phil Mayers p.mayers at imperial.ac.uk
Fri Oct 15 10:09:43 CEST 2010


On 10/15/2010 08:06 AM, Langen Mike wrote:
> Hi there.
>
> I’ve got the problem that I want to combine active directory
> authentication with mac address verification, so that only users whose
> hardware is listed in a text file or similar can log in.
>
> Across the whole world wide web I didn’t find a hint on how to combine
> multiple authentication methods in serial.

Really?

MAC "authentication" is really just a key/value lookup. You don't need 
to "combine two types of authentication" - just do a lookup of user->mac 
before doing mschap.

You haven't said, but I'm going to assume you're using 802.1x, with 
PEAP/MS-CHAP via ntlm_auth.

In which case, you want something like this:

in eap.conf:

eap {
   ...
   peap {
     ...
     copy_request_to_tunnel = yes
   }
}

in sites-enabled/inner-tunnel:

authorize {
   ...
   # now lookup user/mac
   # do e.g. an SQL lookup
   update request {
     Tmp-Integer-0 := "%{sql:select 1 from allowed where username='%{SQL-User-Name}' and mac='%{Calling-Station-Id}'}"
   }
   if (Tmp-Integer-0 == 1) {
      # this combination is allowed
   }
   else {
      # this one is not
      reject
   }
}


Obviously you'll need to have configured SQL and created the lookup 
table for the above example to work. You could also do this with 
"rlm_passwd", LDAP or even a "users" file. You'll need to be a bit more 
specific about your requirements if you want advice on that.

>
> One possibility, but there I didn’t find anything at all, seems to be
> using the perl module. Is it possible to run a perl script before
> ntlm_auth takes place?
>
> Thanks for your answer.
>
> Greetings from Switzerland.
>
> Mike
>
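The user/MAC lookup the reply describes, as an added Python example that is not from the thread or from FreeRADIUS itself: it normalizes the Calling-Station-Id forms different NAS devices send, keys on the bare account name the way the reply's %{SQL-User-Name} lookup does, and runs the same "allowed" table query with bound parameters against an in-memory SQLite stand-in. The table rows and the domain/realm-stripping rule are assumptions made for this example.

```python
import re
import sqlite3

# Constructed sample rows for an "allowed" table shaped like the one the
# reply's query assumes (username, mac); the values are invented.
ALLOWED_ROWS = [
    ("mike", "00-11-22-33-44-55"),
    ("alice", "AA-BB-CC-DD-EE-01"),
]

def normalize_mac(raw):
    """Reduce the forms NAS devices put in Calling-Station-Id
    (00:11:22:33:44:55, 0011.2233.4455, 001122334455, ...) to the
    dashed upper-case form stored in the table. Returns None when the
    value is not a 48-bit MAC, so junk can never match a row."""
    hexdigits = re.sub(r"[^0-9A-Fa-f]", "", raw or "")
    if len(hexdigits) != 12:
        return None
    return "-".join(hexdigits[i:i + 2] for i in range(0, 12, 2)).upper()

def sql_user_name(user_name):
    """Approximation of the %{SQL-User-Name} key the reply relies on:
    drop a 'DOMAIN\\' prefix or '@realm' suffix so the table only needs
    the bare account name (an assumption made for this example)."""
    name = user_name.split("\\", 1)[-1]
    return name.split("@", 1)[0].lower()

def build_db():
    """In-memory SQLite stand-in for the SQL backend the reply expects."""
    db = sqlite3.connect(":memory:")
    db.execute("create table allowed (username text, mac text)")
    db.executemany("insert into allowed values (?, ?)", ALLOWED_ROWS)
    return db

def pair_allowed(db, user_name, calling_station_id):
    """Same decision as the reply's authorize block: 1 when the user/MAC
    pair is in the table, 0 otherwise (the else -> reject branch).
    Bound parameters replace the string-expanded query text."""
    mac = normalize_mac(calling_station_id)
    if mac is None:
        return 0
    row = db.execute(
        "select 1 from allowed where username=? and mac=?",
        (sql_user_name(user_name), mac),
    ).fetchone()
    return 1 if row else 0
```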