Markus Krause wrote:
don't no if it is a good solution, but i just do this by setting the following in radiusd.conf:
authenticate { ... Auth-Type LdapMAC { ok } ... }
the Auth-Type is set in users file depending on huntgroups:
DEFAULT Huntgroup-Name == switch, Autz-Type := LdapMAC, Auth-Type := LdapMAC
i assume there are better/smarter sollutions as one can read "don't set Auth-Type" on many places but it works here ;-)
Sorry, but it's an awful suggestion. Don't do it, and certainly don't recommend others do it. There's no need to go setting Auth-Type to random values. The correct way to do this is to reject unknown, not blindly accept known. Example - you could modify the ldap group membership query to find groups based on both the username and callingstationid: groupmembership_filter = "(| (&(objectClass=GroupOfMacaddrs)(member=%{Calling-Station-Id})) (&(objectClass=GroupOfNames)(member=%{Ldap-UserDn})) )" Then in "ldap": dn: cn=GoodMacs,dc=example,dc=com objectClass: top objectClass: GroupOfMacadds member: 00:11:22:33:44:55 member: 66:77:88:99:aa:bb Then in the "users" file: DEFAULT Ldap-Group == "GoodMacs" Fall-Through = No DEFAULT Auth-Type := Reject Reply-Message = "your mac is unknown" There are lots of variations of this scheme.