I read most of what you said, and spend a few hours with the wifi "down for maintenance" while noone was on, and got it working. it now authenticates macAddress == Calling-Station-ID when the mac is available, and doesn't fail when it's not available, and works when it is available. There's only one thing I didn't think of that needs changing: I want to be able to also say "If there's no rdn for this hostname (IE: user isn't found at all in the directory) then the auth should fail. there's no one entry that's guaranteed to exist though. host, description, macAddress, and owner are all common, but every device is missing one or more of them :( I can't think of any other way to ensure that a user is found On 12/21/2010 01:37, Alan DeKok wrote:
Christ Schlacta wrote:
so I've done some research, looking at how freeradius works now, it manages to identify hostnames from certificates which are issued to a given host, blah blah blah. suffice it to say when "lain" authenticates, it knows it's lain. I want to make sure that lain's MAC address matches what I know lain's mac address to be. more importantly, if lain's mac address isn't known, I'd like it to log the mac address (which it does now already) and NOT give an error. Also, I'd like to be able to shove hosts into groups, such as "disabled". That can be done.
I need advice on just what information needs to be stored in openldap, MAC addresses?
and just which changes need to be made to freeradius. You need to write down the exact set of steps required to implement the above policy. What is in a packet? How is that information used? Where are the known MAC addresses? Where are the groups stored? What information is used to look up the groups?
The overwhelming majority of issues people see when creating policies are due to poor specifications. The more detailed the specification, the more successful you will be.
I've done a little independent research, and I think I can use a definition for a host as a "device" with a cn, and an "ieee802Device" with a mac address. I can create a group of unique names, or is there some other mechanism I have to use for groups to work with freeradius? See the rlm_ldap documentation for how it handles groups. They're usually based on User-Names.
If you want a *different* kind of grouping, you'll have to create it yourself.
will this scheme work with freeradius? is there some better, more established standard to store this mapping of hostname from certificate to mac address? Databases. SQL, LDAP, whatever. This isn't a RADIUS issue:
Q: given X, how do I look up Y? A: put X and Y into a DB, and write a DB query to use X to look up Y.
and last, but not least, what do I have to do to make sure that an absence of mac address doesn't trigger a failure, but the presence of a wrong mac address does? Write the policy for that. The MAC address is stored in the Calling-Station-Id attribute. So... "if the Calling-Station-Id exists, do MAC lookups. Otherwise, don't"
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html