Active Directory and Calling-Station-Id

Ethariel ethariel at gmail.com
Tue Feb 28 10:23:26 CET 2017


Hello,

So I could test it this morning, and your solution is working like a charm.

customer2  Calling-Station-Id == "BB-BB-BB-BB-BB-BB"

customer2  Calling-Station-Id == "CC-CC-CC-CC-CC-CC"

customer2  Auth-Type := Reject
           Reply-Message := "Wrong MAC Address"


Thanks a lot for your help.
Now I'll search the doc so the server can check users in different
groups for two SSIDs.
Have a good day



2017-02-22 12:37 GMT+01:00 Brian Candler <b.candler at pobox.com>:
> On 22/02/2017 08:18, Ethariel wrote:
>>
>> I've tried to insert in the users file :
>>
>> customer2 Calling-Station-Id := "BB-BB-BB-BB-BB-BB"
>>
>> but with the correct password customer2 is always authenticated, whether
>> using the BB-....-BB MAC address or not.
>
>
> The users file has some magic you need to know about.  The structure of each
> entry is like this:
>
> <key>  <first line>
>        <subsequent lines>
>
> Any comparison operators (like ==) in the first line cause an attribute to
> be *checked* on the *request* list. If any of the checks fail, this entire
> entry in the users file is skipped.  If there are more entries with the same
> key, it will try those.
>
> However, if all the checks on the first line succeed, then:
>
> * Any assignment operators (like :=) in the first line cause attributes to
> be *set* on the *control* list
> * The subsequent lines cause attributes to be *set* on the *reply* list.
>
> So you could do this:
>
> customer2  Auth-Type := Reject, Calling-Station-Id != "BB-BB-BB-BB-BB-BB"
>
> This means: "if the user name is customer2, AND the (request) calling
> station id is not the given value, THEN set control:Auth-Type to Reject". It
> will then reject them without even checking the supplied password.
>
> You could also add reply attributes if you wish:
>
> customer2  Auth-Type := Reject, Calling-Station-Id != "BB-BB-BB-BB-BB-BB"
>            Reply-Message := "Wrong MAC Address"
>
> If the condition is not true, this entire entry is skipped, so neither
> Auth-Type nor Reply-Message is set.
>
> If you want to allow multiple MAC addresses then you could either do a regex
> match, or you could split the logic like this:
>
> customer2  Calling-Station-Id == "BB-BB-BB-BB-BB-BB"
>
> customer2  Calling-Station-Id == "CC-CC-CC-CC-CC-CC"
>
> customer2  Auth-Type := Reject
>            Reply-Message := "Wrong MAC Address"
>
> The first two entries make no updates to either control or reply lists.
> However since they don't have "Fall-Through := 1" then all subsequent
> entries for the same username are skipped.
>
> All examples above untested by me, but should be close to what you need.
>
> Regards,
>
> Brian.
>
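The matching rules Brian describes (first-line ==/!= are checks against the request, first-line := sets control, later lines set reply, and the first matching entry ends processing unless it sets Fall-Through) can be seen in action with the small model below. It is an added illustration written for this thread, not FreeRADIUS code, and it handles only the operators discussed here; the users-file snippets in it are constructed from the ones in the thread.

```python
import re

# Constructed users-file snippets: the entry that did not work (":=" is an
# assignment, not a check) and the three-entry version suggested in the thread.
BROKEN = 'customer2 Calling-Station-Id := "BB-BB-BB-BB-BB-BB"\n'
WORKING = '''
customer2  Calling-Station-Id == "BB-BB-BB-BB-BB-BB"

customer2  Calling-Station-Id == "CC-CC-CC-CC-CC-CC"

customer2  Auth-Type := Reject
           Reply-Message := "Wrong MAC Address"
'''
ITEM = re.compile(r'([\w-]+)\s*(==|!=|:=|=)\s*(?:"([^"]*)"|([^,\s]+))')

def items(text):
    """Extract (attribute, operator, value) triples; value may be quoted or bare."""
    return [(a, op, q or u) for a, op, q, u in ITEM.findall(text)]

def parse_users(text):
    """Split users-file text into (key, first_line_items, reply_items) entries."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.splitlines()
        key, _, first = lines[0].strip().partition(" ")
        entries.append((key, items(first), items(" ".join(lines[1:]))))
    return entries

def evaluate(entries, username, request):
    """Walk the entries for username and return the (control, reply) dicts.
    Simplification: '=' on the first line is treated like ':=' here."""
    control, reply = {}, {}
    for key, first, rest in entries:
        if key != username:
            continue
        # every == must match the request and every != must not
        ok = all((request.get(a) == v) == (op == "==")
                 for a, op, v in first if op in ("==", "!="))
        if not ok:
            continue  # a check failed: skip this entry, try the next one
        control.update({a: v for a, op, v in first if op in (":=", "=")})
        reply.update({a: v for a, op, v in rest})
        if reply.get("Fall-Through", "no").lower() not in ("1", "yes"):
            break  # no Fall-Through: later entries for this user are skipped
    return control, reply

def decision(users_text, mac):
    """'reject' plus the Reply-Message if the file sets Auth-Type := Reject,
    otherwise 'check password' (the normal password check would follow)."""
    request = {"User-Name": "customer2", "Calling-Station-Id": mac}
    control, reply = evaluate(parse_users(users_text), "customer2", request)
    if control.get("Auth-Type") == "Reject":
        return "reject", reply.get("Reply-Message")
    return "check password", None
```

Running decision(BROKEN, ...) with any MAC never rejects, which is the behaviour Ethariel first observed, while decision(WORKING, ...) rejects every MAC other than the two listed.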

