Dynamic VLAN with 802.1x and MAC address

Brian Julin BJulin at clarku.edu
Tue Mar 20 18:44:28 CET 2018


Yaël Rozanes <irozanes387 at hotmail.fr>:

> I think I understand what you recommend; for now I authenticate my supplicant with an id/password pair (that I get from an LDAP server) in EAP-TTLS, but I would have liked to do the same with only the MAC address, using for example a MySQL database

Ah, this is different than what I understood.  If you are using EAP-TTLS to do this your supplicant will still have to do some sort of inner authentication.  For example, you could use a hard-coded Clear-Text-Password on the FreeRADIUS side for all hosts and set your supplicants all to use that password, and then use the Calling-Station-Id for authentication and authorization decisions.  This is fairly weak from a security standpoint, but doable.  Normal practice is to use a real password and use the Calling-Station-Id only for authorization purposes.

> If I understand correctly, you advise me to use another field of my LDAP which would contain my MAC address and to link it to the attribute "Calling-Station-Id"?

Should work, but you may have to write unlang statements to do what you want with the attribute.  You would not necessarily want to map the LDAP attribute to Calling-Station-Id... that attribute should already be there in the request, provided by the NAS.  Just grab the MAC from LDAP into any old attribute and compare them in unlang.
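A concrete version of the comparison described in the reply above, added here as an illustration and not taken from the thread or from the FreeRADIUS project: the ldap module copies the directory's MAC attribute into a scratch attribute, and unlang in the inner tunnel compares it with the NAS-supplied Calling-Station-Id before handing out the VLAN. The LDAP attribute names `macAddress` and `radiusVlanId` are assumptions; substitute whatever your schema uses.

```unlang
# mods-available/ldap (excerpt): the module's "update" section maps directory
# attributes onto RADIUS attributes. 'macAddress' and 'radiusVlanId' are assumed
# attribute names, not from the thread.
update {
    request:Tmp-String-0 := 'macAddress'      # MAC the directory says this user owns
    control:Tmp-String-1 := 'radiusVlanId'    # VLAN the directory assigns to this user
}

# sites-available/inner-tunnel, authorize section, placed after the "ldap" call.
# Calling-Station-Id comes from the NAS; the stock rewrite_calling_station_id
# policy normalises it to AA-BB-CC-DD-EE-FF so the two strings are comparable.
rewrite_calling_station_id

if (!&Calling-Station-Id) {
    update reply { Reply-Message := "NAS did not report a client MAC" }
    reject
}
if (!&Tmp-String-0) {
    update reply { Reply-Message := "No MAC registered for this user" }
    reject
}
# Normalise the LDAP value the same way (upper-case, hyphen-separated) before comparing.
if (&Tmp-String-0 =~ /^([0-9a-f]{2})[:-]?([0-9a-f]{2})[:-]?([0-9a-f]{2})[:-]?([0-9a-f]{2})[:-]?([0-9a-f]{2})[:-]?([0-9a-f]{2})$/i) {
    update request {
        &Tmp-String-0 := "%{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}"
    }
}
# Password authentication still happens in the inner EAP method; the MAC is used
# here purely as an authorization check, as the reply recommends.
if (&Calling-Station-Id != &Tmp-String-0) {
    update reply { Reply-Message := "Client MAC does not match the registered device" }
    reject
}
# MAC matches: return the directory's VLAN using the RFC 3580 tunnel attributes.
if (&control:Tmp-String-1) {
    update reply {
        Tunnel-Type := VLAN
        Tunnel-Medium-Type := IEEE-802
        Tunnel-Private-Group-Id := "%{control:Tmp-String-1}"
    }
}
```

Reply attributes set inside the tunnel only reach the NAS if the ttls section of mods-available/eap has use_tunneled_reply enabled (or the inner-tunnel post-auth copies them to the outer reply), so check that before testing VLAN assignment.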
