Phil Mayers wrote:
Mikko Husari wrote:
Mikko Husari wrote:
Hi!
im currently running eap-tls with username and password (from ldap), but now we're having a bunch of "stupid" wlan-client machines, and we need an simple mac-auth (from ldap?) to the network. basic idea: (example from outside world) "so, no certificate and login credentials, cant let you in. but im on an vip-list!. Oh, i see, come on in, sorry for inconvenience", for now we are happy to get just that to work, next level would be something concerning vlans... i think (in the long run) we don't want to have too much accessibility in those stupid machines. poorly explained, not enough coffee in veins yet...
thanks in advance - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Wouldn't i just be able to create hints rule that says "if calling-station-id == xx-xx-xx-xx-xx permit access" , or something similar?
Yes. Like I said, it's easy.
My advice would be to use an rlm_passwd with a key of calling-station-id and use the authtype value on the module instance to set to Accept.
As I said, your AP still needs to support sending the MAC to Radius on association. I suggest you consult your AP docs. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
well, i managed to do a "module" that it checks the file and returns ok/not found/noop, but now my problem is that how to do so that it authorizes me according to the maclist... at the moment it checks the eap-tls module... well, theres two section on that radiusd.conf, authenticate and authorize, i tried listing that maclist module in the last and it complained that passwd modules are not allowed in there...