On 14/8/2013 2:39 μμ, Arran Cudbard-Bell wrote:
and in sites-enabled/default:
authorize { preprocess chap mschap digest suffix Do you need all these? Are you ever going to be doing chap/mschap/digest in the outer server?
First, thanks for the reply. Second, sorry for the late answer but I only now managed to fully test the setup. As for the above methods, they were remnants from the default config, so I just let them there (I am a newbie with FreeRadius). The config now is: server macauth { authorize { preprocess rewrite_calling_station_id ldap_macauth if (!ok) { reject } else { # accept update control { Auth-Type := Accept } } } authenticate { Auth-Type LDAP_MACAUTH { ldap_macauth } } preacct { preprocess acct_unique } accounting { detail exec attr_filter.accounting_response } session { } post-auth { } pre-proxy { } post-proxy { } } Tests went fine and I am able to run MAC-Auth successfully on a Cisco 2960 over FreeRadius with LDAP backend! Thanks FreeRadius people! I have 3 main virtual servers now: Default, eduroam (with an eduroam-inner-tunnel) and macauth, working fine in parallel. I would like to ask some customization-oriented questions (for MAC-Auth): 1. Can we somehow limit a host to connect to only a particular port/NAS device based on data stored in LDAP attributes (or, respectively, in flat files) and reject it otherwise? 2. Can we assign the client to a particular VLAN based on data stored in LDAP attributes (or, respectively, in flat files)? 3. Can we configure in FreeRadius an auto email to an administrator when there is a MAC-auth failure with the associated info (time, MAC Address, NAS device, port)? If the answer to any of the above is yes, any pointers to related docs showing how to configure things (FreeRadius, Cisco Switches) would be appreciated. Please advise. Thanks, Nick