Authorise based on Calling Station ID ?

Darren Ward (darrward) darrward at cisco.com
Wed Mar 12 21:28:58 CET 2014


Maybe the question I need to ask first is how can we have two usernames for the same user?

i.e. 'jonathan' and 'a463.0dfe.ab36' as usernames for the same account credentials?

Darren

-----Original Message-----
From: freeradius-users-bounces+darrward=cisco.com at lists.freeradius.org [mailto:freeradius-users-bounces+darrward=cisco.com at lists.freeradius.org] On Behalf Of Darren Ward (darrward)
Sent: Tuesday, 11 March 2014 10:21 AM
To: FreeRadius users mailing list
Subject: RE: Authorise based on Calling Station ID ?

Apologies again!

The Wireless Controller (WLC) will send an Accounting Start to FreeRADIUS with the username and calling-station-id after it successfully authenticates the user.

Then traffic for that MAC address will be seen by the Policy Manager, and it will then go and request an authorize for that MAC address from FreeRADIUS.

So the authorise will be after the accounting start, because they are separate NAS/Client as far as FreeRADIUS is concerned.

The WLC access-request username is the username, and the ISG username is seen as the MAC address.

I'm wondering if there's any way to access the cache or accounting records to try and do the match up?

Darren

-----Original Message-----
From: freeradius-users-bounces+darrward=cisco.com at lists.freeradius.org [mailto:freeradius-users-bounces+darrward=cisco.com at lists.freeradius.org] On Behalf Of Alan DeKok
Sent: Tuesday, 11 March 2014 8:49 AM
To: FreeRadius users mailing list
Subject: Re: Authorise based on Calling Station ID ?

Darren Ward (darrward) wrote:
> I guess the question is: because the accounting files are the only place that contains both the calling-station-id and username, how can I write unlang in the authorise that would be able to look up the active session to match the MAC address?

  If the Calling-Station-ID and User-Name only appear in accounting messages, then you can't check for them in the authorize section.

> i.e. I would need to parse the accounting files for the mac address 
> and find the matching username then look up the username in the 
> 'users' file to authorise with the appropriate attributes

  That won't work.  Accounting happens AFTER authorization.  You'll need to find another solution.

  Run the server in debugging mode.  Odds are you'll see something useful in the Access-Request.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
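
The match-up Darren describes, as an added Python example that is not from the thread and is not FreeRADIUS configuration: a session table filled from the WLC's accounting packets and queried with the MAC the ISG sends as User-Name. The packet dictionaries, the hyphenated WLC MAC format, the session id and the class and function names are assumptions; only 'jonathan' and 'a463.0dfe.ab36' come from the thread.

```python
import re
from typing import Optional

# Constructed sample packets (assumed shapes, not captured traffic).
WLC_START = {"Acct-Status-Type": "Start", "User-Name": "jonathan",
             "Calling-Station-Id": "A4-63-0D-FE-AB-36", "Acct-Session-Id": "s1"}
ISG_REQUEST = {"User-Name": "a463.0dfe.ab36"}


def normalize_mac(value: str) -> Optional[str]:
    """Reduce dotted, colon or hyphen MAC notation to 12 lowercase hex digits."""
    digits = re.sub(r"[.:\-\s]", "", value).lower()
    return digits if re.fullmatch(r"[0-9a-f]{12}", digits) else None


class SessionTable:
    """Maps an active client MAC to the user name seen in accounting."""

    def __init__(self) -> None:
        self._by_mac = {}  # normalized MAC -> (User-Name, Acct-Session-Id)

    def on_accounting(self, pkt: dict) -> None:
        mac = normalize_mac(pkt.get("Calling-Station-Id", ""))
        if mac is None:
            return  # no usable MAC, nothing to correlate
        status = pkt.get("Acct-Status-Type")
        if status in ("Start", "Interim-Update"):
            self._by_mac[mac] = (pkt["User-Name"], pkt["Acct-Session-Id"])
        elif status == "Stop":
            # Evict only if the Stop belongs to the stored session, so a late
            # Stop for an older session does not remove a newer mapping.
            current = self._by_mac.get(mac)
            if current and current[1] == pkt["Acct-Session-Id"]:
                del self._by_mac[mac]

    def resolve(self, access_request: dict) -> Optional[str]:
        """Return the real user for a request whose User-Name is a MAC.

        Returns None (fail closed) when the MAC has no active session.
        """
        mac = normalize_mac(access_request.get("User-Name", ""))
        if mac is None:
            return None
        entry = self._by_mac.get(mac)
        return entry[0] if entry else None
```

The lookup is only as trustworthy as the MAC itself, so removing the entry on the matching Stop keeps a stale mapping from authorizing a later device that presents the same address.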

