Hello, I'm trying to set up MAC and 802.1x authentication and have a couple of questions. For right now I'm just working on the MAC authentication. Here's some info on my system: CentOS 5.2 [root@radius01 freeradius-1.1.3]# radiusd -v radiusd: FreeRADIUS Version 1.1.3, for host x86_64-redhat-linux-gnu, built on May 10 2007 at 12:24:01 Connecting on backend to OpenLDAP 2.3.39. Although in the production environment I will be running a replica on the radius server for testing I'm using a test LDAP server that I can modify at will. MAC addresses live in: ou=Devices,ou=Network,dc=mbl,dc=edu typical entry: dn: cn=00-0C-F1-94-2A-9D,ou=Devices,ou=Network,dc=mbl,dc=edu cn: 00-0C-F1-94-2A-9D userPassword:: c25rUnN3bQ== radiusCheckItem: 35452 radiusExpiration: 2030123100:00:00 description: SSH gateway objectClass: device objectClass: ieee802Device objectClass: radiusprofile objectClass: simpleSecurityObject objectClass: top macAddress: 00:0C:F1:94:2A:9D radiusFilterId: Enterasys:version=1:policy=F-Servers What I want to do is if a lookup in LDAP fails return ACCEPT and the string "radiusFilterId: Enterasys:version=1:policy=D-Unregistered" where a policy will be applied on the port that is associated wit "D-Unregistered". ############################ radiusd.conf ####################### ... modules { ldap devices { server = "x.x.x.x" identity = "cn=radiusd,ou=users,dc=mbl,dc=edu" password = supersecretpassword basedn = "ou=devices,ou=network,dc=mbl,dc=edu" filter = "(cn=%{User-Name})" start_tls = no tls_mode = no dictionary_mapping = ${raddbdir}/ldap.attrmap ldap_cache_timeout = 120 ldap_cache_size = 0 ldap_connections_number = 10 #password_header = "{clear}" password_attribute = userPassword timeout = 3 timelimit = 5 net_timeout = 1 compare_check_items = no access_attr = "radiusFilterId" } ldap 802_1x { server = "x.x.x.x" identity = "cn=radiusd,ou=users,dc=mbl,dc=edu" password = supersecretpassword basedn = "ou=users,dc=mbl,dc=edu" filter = "(cn=%{User-Name})" start_tls = no tls_mode = no dictionary_mapping = ${raddbdir}/ldap.attrmap ldap_cache_timeout = 120 ldap_cache_size = 0 ldap_connections_number = 10 #password_header = "{clear}" password_attribute = userPassword timeout = 3 timelimit = 5 net_timeout = 1 compare_check_items = no access_attr = "networkProfile" } $INCLUDE ${confdir}/eap.conf mschap { authtype = MS-CHAP use_mppe = yes require_encryption = yes require_strong = yes } pap { encryption_scheme = md5 auto_header = no } chap { authtype = CHAP } preprocess { huntgroups = ${confdir}/huntgroups #hints = ${confdir}/hints with_ascend_hack = no ascend_channels_per_line = 23 with_ntdomain_hack = no with_specialix_jetstream_hack = no with_cisco_vsa_hack = no } files { usersfile = ${confdir}/users #acctusersfile = ${confdir}/acct_users compat = no #use old style users } # regular detail files detail detail1 { detailfile = ${radacctdir}/%{Client-IP-Address}/detail-%Y%m%d detailperm = 0600 dirperm = 0755 } # temp detail file to replicate to accountrad detail detail2 { detailfile= ${radacctdir}/detail-combined detailperm = 0600 dirperm = 0755 locking = yes } acct_unique { key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port-Id" } always fail { rcode = fail } always reject { rcode = reject } always ok { rcode = ok simulcount = 0 mpp = no } # # The 'expression' module current has no configuration. expr { } } instantiate { expr } authorize { preprocess Autz-Type LDAP1 { devices } Autz-Type LDAP2 { 802_1x chap mschap eap } files } authenticate { authtype PAP { pap } authtype CHAP { chap } authtype MS-CHAP { mschap } authtype LDAP1 { devices } authtype LDAP2 { 802_1x } eap } preacct { preprocess files } accounting { acct_unique detail1 detail2 #radutmp #sradutmp } ############################ users ####################### DEFAULT Client-IP-Address == "172.x.x.1", Auth-Type := LDAP1, Autz-Type:= LDAP1, Auth-Type := ACCEPT, Filter-Id := "Enterasys:version=1:policy=D-Unregistered" DEFAULT Client-IP-Address == "172.x.x.2", Auth-Type := LDAP2, Autz-Type:= LDAP2 DEFAULT Autz-Type = LDAP1, Auth-Type := ACCEPT ############################ clients.conf ####################### client 127.0.0.1 { secret = testing123 shortname = localhost nastype = other # localhost isn't usually a NAS... } client 172.x.x.3 { secret = yetanotherpassword shortname = NagiosMonitoring } client 172.x.x.1 { secret = anotherpassword shortname = DFE-CORE } client 172.x.x.2 { secret = anotherpassword shortname = ROAMABOUT8400 } I'm testing from the 172.x.x.3, client. Currently I can get a MAC address to authenticate and reply with the the correct "radiusFilterID" in LDAP. I can also get an unknown MAC address to return an ACCEPT but I can't get it to return a default "Filter-ID". Putting the return string "Filter-Id := "Enterasys:version=1:policy=D-Unregistered" in the users file doesn't seem to work. I'll work on the 802.1x when I get the above working, but I want to use the sambaLMpassword or sambaNTpassword hashes that are already in the LDAP directory versus clear text userPassword for 802.1x. Thanks for your help. Kent L. Nasveschuk Systems Administrator Office 508 289-7263 Cell 508 524-7263 ---------------------------- Marine Biological Laboratory 7 MBL St. Woods Hole, MA 02543