Mac Auth against LDAP
Arran Cudbard-Bell
a.cudbardb at freeradius.org
Fri Aug 23 18:25:27 CEST 2013
>
> 1. Can we somehow limit a host to connect to only a particular port/NAS
> device based on data stored in LDAP attributes (or, respectively, in
> flat files) and reject it otherwise?
Yes. See ldap_xlat http://wiki.freeradius.org/modules/Rlm_ldap
Use a query that searches for the value of NAS-IP-Address in the user object in a custom attribute.
If the query expands to something other than a zero length string, the attribute exists.
authorize {
    # Expands to the attribute value when the user object carries the
    # requesting NAS-IP-Address; a zero length string means no match.
    if ("%{ldap:<query>}" == '') {
        reject
    }
}
> 2. Can we assign the client to a particular VLAN based on data stored
> in LDAP attributes (or, respectively, in flat files)?
Yes, using ldap.attrmap map an LDAP attribute to Tunnel-Private-Group-ID. You also need to return Tunnel-Type and Tunnel-Medium-Type, but they can be static once you know you're assigning a VLAN.
http://wiki.freeradius.org/vendor/HP#RFC-3580-(single-untagged-VLAN)-Assignment
> 3. Can we configure in FreeRadius an auto email to an administrator
> when there is a MAC-auth failure with the associated info (time, MAC
> Address, NAS device, port)?
Yes, use rlm_exec in async mode and call sendmail or something similar.
Arran Cudbard-Bell <a.cudbardb at freeradius.org>
FreeRADIUS Development Team
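The three answers above combined into one FreeRADIUS 2.x configuration, as an added example that is not part of the original post or the FreeRADIUS project's own files. It assumes a MAC-auth setup where User-Name carries the MAC, a user object in ou=macs,dc=example,dc=com with one radiusNASIpAddress value per permitted NAS, an ldap.attrmap entry mapping Tunnel-Private-Group-Id to radiusTunnelPrivateGroupId, and an alert script at /usr/local/sbin/macauth-alert.sh (all assumed names).

```unlang
# mods-available/exec (or modules/ in 2.x): asynchronous notifier.
# wait = no means the request is not held while the script runs and
# its exit code is ignored. Script path is an assumption; the script
# itself adds the timestamp and mails the administrator.
exec notify_macauth_failure {
    wait = no
    program = "/usr/local/sbin/macauth-alert.sh %{Calling-Station-Id} %{NAS-IP-Address} %{NAS-Port} %{User-Name}"
    shell_escape = yes
}

# sites-enabled/default
authorize {
    preprocess
    ldap

    # 1. Port/NAS restriction. The LDAP URL xlat returns the matched
    #    radiusNASIpAddress value, or a zero length string when the
    #    MAC's object does not list this NAS (assumed attribute/base DN).
    if ("%{ldap:ldap:///ou=macs,dc=example,dc=com?radiusNASIpAddress?sub?(&(uid=%{User-Name})(radiusNASIpAddress=%{NAS-IP-Address}))}" == '') {
        reject
    }

    # 2. VLAN assignment. Tunnel-Private-Group-Id comes from LDAP via
    #    ldap.attrmap; the other two tunnel attributes are static.
    update reply {
        Tunnel-Type := VLAN
        Tunnel-Medium-Type := IEEE-802
    }
}

post-auth {
    # 3. Runs only when the request ends in Access-Reject, so every
    #    MAC-auth failure (unknown MAC or wrong NAS) triggers the alert.
    Post-Auth-Type REJECT {
        notify_macauth_failure
    }
}
```

Run `radiusd -X` and trigger a reject from a test NAS to confirm the xlat expands as expected and the exec module fires before relying on it.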