Christ Schlacta wrote:
so I've done some research, looking at how freeradius works now, it manages to identify hostnames from certificates which are issued to a given host, blah blah blah. suffice it to say when "lain" authenticates, it knows it's lain. I want to make sure that lain's MAC address matches what I know lain's mac address to be. more importantly, if lain's mac address isn't known, I'd like it to log the mac address (which it does now already) and NOT give an error. Also, I'd like to be able to shove hosts into groups, such as "disabled".
That can be done.
I need advice on just what information needs to be stored in openldap,
MAC addresses?
and just which changes need to be made to freeradius.
You need to write down the exact set of steps required to implement the above policy. What is in a packet? How is that information used? Where are the known MAC addresses? Where are the groups stored? What information is used to look up the groups? The overwhelming majority of issues people see when creating policies are due to poor specifications. The more detailed the specification, the more successful you will be.
I've done a little independent research, and I think I can use a definition for a host as a "device" with a cn, and an "ieee802Device" with a mac address. I can create a group of unique names, or is there some other mechanism I have to use for groups to work with freeradius?
See the rlm_ldap documentation for how it handles groups. They're usually based on User-Names. If you want a *different* kind of grouping, you'll have to create it yourself.
will this scheme work with freeradius? is there some better, more established standard to store this mapping of hostname from certificate to mac address?
Databases. SQL, LDAP, whatever. This isn't a RADIUS issue: Q: given X, how do I look up Y? A: put X and Y into a DB, and write a DB query to use X to look up Y.
and last, but not least, what do I have to do to make sure that an absence of mac address doesn't trigger a failure, but the presence of a wrong mac address does?
Write the policy for that. The MAC address is stored in the Calling-Station-Id attribute. So... "if the Calling-Station-Id exists, do MAC lookups. Otherwise, don't" Alan DeKok.