how to setup MAC based authentication with LDAP

Ben Humpert ben at an3k.de
Tue May 12 15:18:51 CEST 2015


2015-05-12 11:51 GMT+02:00 Thomas Stather
<Thomas.Stather at mpimf-heidelberg.mpg.de>:
> Hello again
>
> I have this (LDAP string has been modified because of security considerations)
>
> server macauth {
>
>     authorize {
>         preprocess
>
>         # clean the Calling-Station-ID
>         rewrite_calling_station_id
>
>         # now authenticate against LDAP
>         if (!"%{ldap:ldaps:///ou=hosts,dc=.....?cn?sub?(&(objectClass=ieee802Device)(macAddress=%{Calling-Station-Id}))}") {
>             reject
>         }
>         else {
>             # accept
>             update control {
>                 Auth-Type := Accept
>             }
>         }
>     }

As Matthew wrote you're sending an Access-Accept as soon as the
Calling-Station-Id is found in LDAP and that doesn't work. The easiest
fix would be to send "noop" instead so that FR can continue doing its
stuff (which is required for a complete 802.1X session) and only send
a reject when the Calling-Station-Id is not found in LDAP. So the
above code would look like

if (!"%{ldap:ldaps:///ou=hosts,dc=.....?cn?sub?(&(objectClass=ieee802Device)(macAddress=%{Calling-Station-Id}))}") {
    reject
}
else {
    # found in LDAP: noop, so the rest of authorize keeps running
    noop
}
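The two steps the thread relies on, cleaning the Calling-Station-Id before it is interpolated into the LDAP filter and mapping "found" to noop rather than Accept, as an added Python illustration that is not part of this thread or of FreeRADIUS itself. normalize_mac stands in for what the rewrite_calling_station_id policy is meant to do (it does not reproduce that policy's exact rules), ldap_filter_escape applies the RFC 4515 filter escaping that the %{ldap:...} xlat would otherwise have to provide, and SAMPLE_HOSTS is a constructed stand-in for the ou=hosts subtree so the code runs offline. All function and variable names are assumptions for this example.

```python
import re

# Constructed stand-in for the ieee802Device entries under ou=hosts:
# canonical macAddress -> cn. Assumption for this example only.
SAMPLE_HOSTS = {
    "00:11:22:33:44:55": "printer-01",
    "aa:bb:cc:dd:ee:ff": "badge-reader",
}

_HEX12 = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(calling_station_id):
    """Return the MAC as lower-case, colon-separated hex, or None if it is not a MAC.

    NAS vendors send 00-11-22-33-44-55, 0011.2233.4455, 001122334455 or
    00:11:22:33:44:55; the directory stores one canonical form, so anything
    that does not reduce to exactly 12 hex digits is rejected up front and
    never reaches the LDAP filter.
    """
    hexdigits = re.sub(r"[-:.]", "", calling_station_id.strip().lower())
    if not _HEX12.match(hexdigits):
        return None
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def ldap_filter_escape(value):
    """RFC 4515 escaping for a value placed inside an LDAP search filter."""
    out = []
    for ch in value:
        if ch in "*()\\\x00":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def build_filter(mac):
    """The filter the thread's %{ldap:...} xlat searches ou=hosts with."""
    return "(&(objectClass=ieee802Device)(macAddress=%s))" % ldap_filter_escape(mac)


def macauth_decision(calling_station_id, hosts=SAMPLE_HOSTS):
    """Outcome of the corrected authorize block for one Calling-Station-Id.

    'reject' when the MAC is malformed or unknown; 'noop' when it is known,
    meaning the request falls through to the remaining authorize modules
    instead of being short-circuited with Auth-Type := Accept.
    """
    mac = normalize_mac(calling_station_id)
    if mac is None:
        return {"decision": "reject", "filter": None}
    filt = build_filter(mac)
    # In the real server the xlat runs `filt` against LDAP; here the
    # constructed dictionary plays the directory.
    found = mac in hosts
    return {"decision": "noop" if found else "reject", "filter": filt}


if __name__ == "__main__":
    for csid in ("00-11-22-33-44-55", "0011.2233.4455", "DE:AD:BE:EF:00:01", "*"):
        print(csid, "->", macauth_decision(csid))
```

The malformed-input branch is the part worth keeping in mind: because Calling-Station-Id is supplied by the client side of the NAS, it should be validated to a strict MAC shape before it is used in any lookup, and the known-MAC result is noop, not Accept, exactly as the reply above says.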


More information about the Freeradius-Users mailing list