how to setup MAC based authentication with LDAP

Stefan Paetow Stefan.Paetow at
Wed Apr 22 11:58:30 CEST 2015

>radiusservicetype: Framed-User
>radiustunnelmediumtype: IEEE-802
>radiustunnelprivategroupid: 1
>radiustunneltype: VLAN

For these, you probably should use a proper LDAP module mapping so that it
pulls things in in one go. In FR 3.0.3, you can do this in the ldap module
in mods-available.

Around line 72 (assuming you've not stripped all the comments), you will
find the update section, which returns attributes from LDAP. By default,
you find the line "control:Password-With-Header" which maps the
userPassword LDAP attribute to an attribute in the control list (which
persists). So you need to map your other LDAP attributes in a similar
fashion accordingly in the update section:

reply:Service-Type := 'radiusservicetype'
reply:Tunnel-Medium-Type := 'radiustunnelmediumtype'

This assumes that you take the LDAP xlat (the "%{ldap:...}" 'thing') and
use it in the proper LDAP module, otherwise you may need to make several
ldap xlat calls to set the attributes.

>second, when the virtual server is enabled, the authentication that i do
>to log into a switch does not work.  if i disable the virtual server the
>auth works again.  how do i setup things so that both user auth and mac
>auth bypass work at the same time?

Considering that the MAC address provided will be in a specific format,
you can possibly look at the format of the username to discover whether it
is a user or not, and set the authentication accordingly. You can do this
in the authorize section with unlang. I'd suggest that you also make sure
that your users use a proper NAI format username in their authentication,
i.e. "username at realm", which you can again use to distinguish between
users and devices. 

I'm sure Alan Buxey and others will have similar/better suggestions
because they do this kind of stuff every day :-)

Stefan Paetow
Moonshot Industry & Research Liaison Coordinator

t: +44 (0)1235 822 125
gpg: 0x3FCE5142
xmpp: stefanp at
skype: stefan.paetow.janet

Jisc is a registered charity (number 1149740) and a company limited by
guarantee which is registered in England under Company No. 5747339, VAT
No. GB 197 0632 86. JiscĀ¹s registered office is: One Castlepark, Tower
Hill, Bristol, BS2 0JA. T 0203 697 5800.

Jisc Collections and Janet Ltd. is a wholly owned Jisc subsidiary and a
company limited by guarantee which is registered in England under Company
No. number 2881024, VAT No. GB 197 0632 86. The registered office is:
Lumen House, Library Avenue, Harwell, Didcot, Oxfordshire, OX11 0SG. T
01235 822200.


More information about the Freeradius-Users mailing list