On Wed, 2019-10-23 at 23:44 +0000, Mike DiBella wrote:
The access request authorization policy should allow access if the device object is found in the directory by MAC address, and deviceCompliance is 0.
I've looked over the documentation for LDAP backend configuration, but it is heavy biased towards the authorize-by-user-identity use case.
The defaults check for the username, because that's what most people do.
Are there any configuration examples for mapping identity using MAC address? Any examples for adding custom LDAP attributes for access- adjudication?
It's all in mods-available/ldap. Update the user filter to match on something other than uid and %{Stripped-User-Name}, e.g. "(&(wiFiMAC=%{Calling-Station- Id})(deviceCompliance=0))" You can change the update{} section to copy any LDAP attributes into RADIUS attributes if you need them. -- Matthew