On 10/15/2010 08:06 AM, Langen Mike wrote:
Hi there.
I’ve got the problem that I want to combine active directory authentication with mac address verification. So only user can log in which hardware is listed in a text file or similar.
In the whole world wide web I didn’t find a hint how to combine multiple authentication methods in serial.
Really? MAC "authentication" is really just a key/value lookup. You don't need to "combine two types of authentication" - just do a lookup of user->mac before doing mschap. You haven't said, but I'm going to assume you're using 802.1x, with PEAP/MS-CHAP via ntlm_auth. In which case, you want something like this: in eap.conf: eap { ... peap { ... copy_request_to_tunnel = yes } } in sites-enabled/inner-tunnel: authorize { ... # do e.g. an SQL lookup update request { Tmp-Integer-0 := "%{sql:select 1 from allowed where username='%{SQL-User-Name}' and mac='%{Calling-Station-Id}'" } if (Tmp-Integer-0 == 1) { # this combination is allowed } else { # this one is not reject } } Obviously you'll need to have configured SQL and created the lookup table for the above example to work. You could also do this with "rlm_passwd", LDAP or even a "users" file. You'll need to be a bit more specific about your requirements if you want advice on that. # now lookup user/mac
One possibility, but there I didn’t find anything at all, seems to be using the perl module. Is it possible to run a perl script before ntlm_auth will take place ?
Thanks for your answer.
Greetings from Switzerland.
Mike