Hello I tried to set it up but i failed the virtual server now looks like: listen { ipaddr = * port = 0 type = auth } listen { ipaddr = * port = 0 type = acct } authorize { preprocess # clean the Calling-Station-ID rewrite_calling_station_id if (!"%{ldap:(&(objectClass=ieee802Device)(macAddress=%{Calling-Station-Id}))}") { reject } else { # accept update control { Auth-Type := Accept } } } authenticate { Auth-Type ldap { ldap } } I tested with: radtest f0-1f-af-35-c8-10 f0-1f-af-35-c8-10 127.0.0.1 10 test123 (the mac address exists in LDAP as f0:1f:af:35:c8:10) the output on the server looks like this: Listening on auth address * port 1812 as server macauth Listening on acct address * port 1813 as server macauth Opening new proxy socket 'proxy address * port 0' Listening on proxy address * port 49440 Ready to process requests (0) Received Access-Request Id 126 from 127.0.0.1:36895 to 127.0.0.1:1812 length 103 (0) User-Name = 'f0-1f-af-35-c8-10' (0) User-Password = 'f0-1f-af-35-c8-10' (0) NAS-IP-Address = 192.168.1.1 (0) NAS-Port = 10 (0) Message-Authenticator = 0x2e1129946169764255df311101b1f418 (0) # Executing section authorize from file /etc/raddb/sites-enabled/mpimf-macauth (0) authorize { (0) [preprocess] = ok (0) policy rewrite_calling_station_id { (0) if (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i) { ERROR: (0) Failed retrieving values required to evaluate condition (0) else { (0) [noop] = noop (0) } # else = noop (0) } # policy rewrite_calling_station_id = noop (0) if (!"%{ldap:(&(objectClass=ieee802Device)(macAddress=%(ldap:%28&%28objectClass=ieee802Device%29%28macAddress=%){Calling-Station-Id}))}") { ERROR: (0) String passed does not look like an LDAP URL (0) EXPAND%{ldap:(&(objectClass=ieee802Device)(macAddress=%(ldap:%28&%28objectClass=ieee802Device%29%28macAddress=%){Calling-Station-Id}))} (0) --> (0) if (!"%{ldap:(&(objectClass=ieee802Device)(macAddress=%(ldap:%28&%28objectClass=ieee802Device%29%28macAddress=%){Calling-Station-Id}))}") -> TRUE (0) if (!"%{ldap:(&(objectClass=ieee802Device)(macAddress=%(ldap:%28&%28objectClass=ieee802Device%29%28macAddress=%){Calling-Station-Id}))}") { (0) [reject] = reject (0) } # if (!"%{ldap:(&(objectClass=ieee802Device)(macAddress=%(ldap:%28&%28objectClass=ieee802Device%29%28macAddress=%){Calling-Station-Id}))}") = reject (0) } # authorize = reject (0) Using Post-Auth-Type Reject (0) Delaying response for 1.000000 seconds Waking up in 0.3 seconds. Waking up in 0.6 seconds. (0) Sending delayed response (0) Sent Access-Reject Id 126 from 127.0.0.1:1812 to 127.0.0.1:36895 length 20 Waking up in 3.9 seconds. (0) Cleaning up request packet ID 126 with timestamp +10 Ready to process requests What have i done wrong? And additionally, how can i define that the LDAP query should only look in the "ou=hosts" on the LDAP server? Best, Thomas Am 15.04.15 04:03 nachm. schrieb Alan DeKok <aland@deployingradius.com>:
On Apr 15, 2015, at 8:12 AM, Thomas Stather <Thomas.Stather@mpimf-heidelberg.mpg.de> wrote:
I am new to RADIUS and i'd like to know how to setup a mac-based authentication for my clients.
There's a guide on the Wiki, but your setup is a bit different.
Here is what i have so far:
-freeradius 3.0.3 -/etc/raddb/clients.conf (setupped with the IPs of the NAS devices)
Now i'm unsure how to configure the mods-enabled/ldap configuration.
All the hosts are located in an OU named "hosts", the mac-address of each host has the attribute name "macAddress" within the host object (i.e cn=testdevice).
Figure out which LDAP query will return that macAddress. Try it with ldapsearch and sample MAC address. e.g. 00:01:02:03:04:05.
My virtual server in sites-enabled/macauth looks like this: ... # now authenticate against LDAP ldap
You don't want to do that. The normal LDAP processing is for *users* in LDAP. I don't think each host has a password and other user attributes in it. So don't use "ldap".
Instead, do:
if (!"%{ldap:QUERY}") { reject } update control { Auth-Type := Accept }
where QUERY is the LDAP query used to find the mac address. Use %{Calling-Station-Id} instead of the MAC address from the "ldapsearch" above.
The only issue here is that this configuration will do ONLY mac auth. All other authentication methods will fail. If that's what you want, fine.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html