Re: Combining ntlm_auth and mac address verification in freeradius

Langen Mike mike.langen at ofwi.ch
Fri Oct 15 11:13:13 CEST 2010


Hi Phil.

Thank you for your quick answer. That's exactly what I need.
Where do you get this information?
It's really hard to retrieve usable information from wiki.freeradius.org...

Is there a good resource for this kind of information? I have difficulty understanding how freeradius processes a request and where I can hook my own logic into it.

Cheers Mike


-----Original Message-----
From: freeradius-users-bounces+mike.langen=ofwi.ch at lists.freeradius.org [mailto:freeradius-users-bounces+mike.langen=ofwi.ch at lists.freeradius.org] On Behalf Of Phil Mayers
Sent: Friday, 15 October 2010 10:10
To: freeradius-users at lists.freeradius.org
Subject: Re: Combining ntlm_auth and mac address verification in freeradius

On 10/15/2010 08:06 AM, Langen Mike wrote:
> Hi there.
>
> I've got the problem that I want to combine active directory
> authentication with mac address verification, so that only users whose
> hardware is listed in a text file or similar can log in.
>
> In the whole world wide web I didn't find a hint how to combine multiple
> authentication methods in serial.

Really?

MAC "authentication" is really just a key/value lookup. You don't need 
to "combine two types of authentication" - just do a lookup of user->mac 
before doing mschap.

You haven't said, but I'm going to assume you're using 802.1x, with 
PEAP/MS-CHAP via ntlm_auth.

In which case, you want something like this:

in eap.conf:

eap {
   ...
   peap {
     ...
     copy_request_to_tunnel = yes
   }
}

in sites-enabled/inner-tunnel:

authorize {
   ...
   # do e.g. an SQL lookup
   update request {
     # note the closing "}" of the %{sql:...} expansion; an empty result (no row) leaves the attribute unset
     Tmp-Integer-0 := "%{sql:select 1 from allowed where username='%{SQL-User-Name}' and mac='%{Calling-Station-Id}'}"
   }
   if (Tmp-Integer-0 == 1) {
      # this combination is allowed
   }
   else {
      # this one is not
      reject
   }
}


Obviously you'll need to have configured SQL and created the lookup 
table for the above example to work. You could also do this with 
"rlm_passwd", LDAP or even a "users" file. You'll need to be a bit more 
specific about your requirements if you want advice on that.

>
> One possibility, but there I didn't find anything at all, seems to be
> using the perl module. Is it possible to run a perl script before
> ntlm_auth takes place?
>
> Thanks for your answer.
>
> Greetings from Switzerland.
>
> Mike
>
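
The lookup Phil describes, worked through as an added example that is not from the thread or from the FreeRADIUS project: a small Python model of the "allowed" table and the username/Calling-Station-Id check. It goes one step beyond the thread by normalising the MAC, because different NAS vendors send Calling-Station-Id as 00-11-22-33-44-55, 00:11:22:33:44:55 or 0011.2233.4455 (and in mixed case), so a raw string comparison like the SQL above would silently reject valid users whose switch uses a different format. The table rows and the function names (normalize_mac, build_db, user_mac_allowed) are constructed for this example; the assumption is that the inner-tunnel User-Name matches the username column exactly.

```python
import re
import sqlite3

# Constructed allow-list (user -> MAC) standing in for the thread's "allowed" table.
# Rows are deliberately stored in mixed vendor formats to show that normalisation
# happens on insert as well as on lookup.
ALLOWED_ROWS = [
    ("alice", "00:11:22:33:44:55"),
    ("bob", "AA-BB-CC-DD-EE-FF"),
]

# The three Calling-Station-Id layouts commonly seen from 802.1X switches/APs.
_MAC_FORMATS = [
    re.compile(r"^([0-9a-f]{2})[:-]([0-9a-f]{2})[:-]([0-9a-f]{2})[:-]"
               r"([0-9a-f]{2})[:-]([0-9a-f]{2})[:-]([0-9a-f]{2})$"),   # 00:11:22:33:44:55 / 00-11-...
    re.compile(r"^([0-9a-f]{4})\.([0-9a-f]{4})\.([0-9a-f]{4})$"),        # 0011.2233.4455 (Cisco style)
    re.compile(r"^([0-9a-f]{12})$"),                                     # 001122334455
]


def normalize_mac(raw):
    """Return the MAC as 12 lowercase hex digits, or raise ValueError if it is not a MAC."""
    candidate = raw.strip().lower()
    for pattern in _MAC_FORMATS:
        match = pattern.match(candidate)
        if match:
            return "".join(match.groups())
    raise ValueError(f"not a MAC address: {raw!r}")


def build_db(rows):
    """Create the in-memory equivalent of the 'allowed' table, storing normalised MACs."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE allowed ("
        "  username TEXT NOT NULL,"
        "  mac      TEXT NOT NULL,"
        "  PRIMARY KEY (username, mac))"
    )
    conn.executemany(
        "INSERT INTO allowed (username, mac) VALUES (?, ?)",
        [(user, normalize_mac(mac)) for user, mac in rows],
    )
    conn.commit()
    return conn


def user_mac_allowed(conn, username, calling_station_id):
    """The check behind 'Tmp-Integer-0 == 1' in the inner-tunnel authorize section.

    Returns False (reject) when the user/MAC pair is absent or when the NAS sent no
    usable Calling-Station-Id at all, which mirrors the SQL expansion returning no row.
    """
    try:
        mac = normalize_mac(calling_station_id)
    except ValueError:
        return False
    # Parameterised query: the FreeRADIUS version relies on SQL-User-Name being the
    # escaped form of User-Name for the same reason.
    row = conn.execute(
        "SELECT 1 FROM allowed WHERE username = ? AND mac = ?", (username, mac)
    ).fetchone()
    return row is not None


if __name__ == "__main__":
    db = build_db(ALLOWED_ROWS)
    for user, csid in [("alice", "00-11-22-33-44-55"), ("bob", "aabb.ccdd.eeff"),
                       ("alice", "AA-BB-CC-DD-EE-FF"), ("alice", "")]:
        verdict = "accept" if user_mac_allowed(db, user, csid) else "reject"
        print(f"{user:6} {csid!r:22} -> {verdict}")
```

If you keep the SQL version from the thread, the same normalisation belongs either in the table contents and a matching rewrite of Calling-Station-Id in the outer authorize section before the lookup, or the lookup will depend on which vendor's switch the user happens to be plugged into.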
