Being able to verify the MAC against the LDAP database is the best scenario; we are using the MySQL database for accounting only. I added:<br>
<br>
DEFAULT User-Name =~ "([0-9a-fA-F]{2}:){5}[0-9a-fA-F]"<br>
 Auth-Type := Accept<br>
<br>
to the users file, but I am still seeing it set the Auth-Type to LDAP after authorization:<br>
<br>
Thu Apr 16 13:59:32 2009 : Debug: rlm_ldap: waiting for bind result ...<br>
Thu Apr 16 13:59:32 2009 : Debug: rlm_ldap: Bind was successful<br>
Thu Apr 16 13:59:32 2009 : Debug: rlm_ldap: performing search in dc=gwis, with filter (&(macaddress=00:1f:3a:21:62:f8)(aaaenable=1))<br>
Thu Apr 16 13:59:32 2009 : Info: [ldap] looking for check items in directory...<br>
Thu Apr 16 13:59:32 2009 : Debug: rlm_ldap: aaasimultaneoususe -> Simultaneous-Use == 1<br>
Thu Apr 16 13:59:32 2009 : Info: [ldap] looking for reply items in directory...<br>
Thu Apr 16 13:59:32 2009 : Debug: WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly?<br>
Thu Apr 16 13:59:32 2009 : Info: [ldap] Setting Auth-Type = LDAP<br>
<br>
<br>
<div class="gmail_quote">On Wed, Apr 15, 2009 at 5:06 PM, Kenneth Grady <span dir="ltr"><<a href="mailto:klg@lanl.gov" target="_blank">klg@lanl.gov</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">If you don't want LDAP to authenticate your mac addresses you need to<br>
set the Auth-Type before it gets set to ldap.<br>
You can do that a number of ways (I use #3)<br>
<br>
1) try macs in the users file<br>
00:1f:3a:21:62:f8 ClearText-Password := "00:1f:3a:21:62:f8"<br>
or<br>
DEFAULT User-Name =~<br>
"^00:1f:3a:[a-fA-F0-9][a-fA-F0-9]:[a-fA-F0-9][a-fA-F0-9]:[a-fA-F0-9][a-fA-F0-9]$",<br>
Auth-Type := Accept<br>
<br>
2) or add mac addresses in your mysql database<br>
INSERT INTO radcheck VALUES<br>
(null,"${MAC-Address}","ClearText-Password",":=","${MAC-Address}");<br>
or<br>
INSERT INTO radcheck VALUES<br>
(null,"${MAC-Address}","Auth-Type",":=","Accept");<br>
<br>
3) a combination: put the DEFAULT and all MAC addresses in the mysql<br>
database and don't have ldap set the Auth-Type<br>
INSERT INTO radgroupcheck values (null,"DEFAULT","Auth-Type",":=","LDAP");<br>
INSERT INTO radusergroup VALUES ("DEFAULT","DEFAULT",1);<br>
INSERT INTO radgroupcheck values (null,"MAC","Auth-Type",":=","Accept");<br>
#for each MAC you want to accept replace the 00: with your mac addresses<br>
INSERT INTO radusergroup VALUES ("00:00:00:00:00:00","MAC",1);<br>
DELETE FROM radusergroup where username ="00:00:00:00:00:00";<br>
and in modules/ldap<br>
ldap {<br>
...<br>
set_auth_type = no<br>
}<br>
</blockquote></div><br>
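Added example, not code from either message in this thread: a small Python model of the users-file `User-Name =~ "regex"` check item, run over constructed User-Name values, showing which of them the two patterns quoted above would match (and so be given Auth-Type := Accept before ldap runs). The third, anchored full-MAC pattern is an assumption of mine, not something from the thread.

```python
import re

# Pattern from the reply's users-file entry: unanchored, and the last octet is
# only one hex digit, so it matches any string that merely contains a MAC prefix.
REPLY_PATTERN = r"([0-9a-fA-F]{2}:){5}[0-9a-fA-F]"
# Pattern from the quoted message: anchored, restricted to the 00:1f:3a OUI,
# and the OUI literal is lower-case only.
QUOTED_PATTERN = (r"^00:1f:3a:[a-fA-F0-9][a-fA-F0-9]:[a-fA-F0-9][a-fA-F0-9]"
                  r":[a-fA-F0-9][a-fA-F0-9]$")
# Assumed hardened variant (not from the thread): anchored, full six octets,
# any OUI, either case.
STRICT_PATTERN = r"^([0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}$"


def matches(user_name, pattern):
    """Model the users-file `=~` operator: a case-sensitive, unanchored search,
    so anchoring has to come from the pattern itself."""
    return re.search(pattern, user_name) is not None


def auth_type_for(user_name, pattern):
    """Auth-Type a matching DEFAULT entry would set, or None when the entry does
    not match (leaving Auth-Type unset for a later module such as ldap)."""
    return "Accept" if matches(user_name, pattern) else None


def evaluate(user_names, pattern):
    """Map each User-Name to the Auth-Type the DEFAULT entry would give it."""
    return {name: auth_type_for(name, pattern) for name in user_names}


# Constructed sample User-Names as a NAS might send them.
SAMPLE_USER_NAMES = [
    "00:1f:3a:21:62:f8",               # the MAC from the thread's log
    "00:1F:3A:21:62:F8",               # same MAC, upper case
    "00:50:56:ab:cd:ef",               # a different OUI
    "00:1f:3a:21:62:f8@example.org",   # realm-suffixed, not a bare MAC
    "alice",                           # ordinary user name
]

if __name__ == "__main__":
    for label, pattern in (("reply", REPLY_PATTERN), ("quoted", QUOTED_PATTERN),
                           ("strict", STRICT_PATTERN)):
        print(label, evaluate(SAMPLE_USER_NAMES, pattern))
```

The unanchored reply pattern accepts the realm-suffixed name as well as every bare MAC, while the quoted pattern rejects the upper-case and foreign-OUI forms; only the anchored full-MAC pattern accepts exactly the bare MACs.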