Combining ntlm_auth and mac address verification in freeradius
Hi there. I've got the problem that I want to combine active directory authentication with mac address verification. So only user can log in which hardware is listed in a text file or similar. In the whole world wide web I didn't find a hint how to combine multiple authentication methods in serial. One possibility, but there I didn't find anything at all, seems to be using the perl module. Is it possible to run a perl script before ntlm_auth will take place ? Thanks for your answer. Greetings from Switzerland. Mike
On 10/15/2010 08:06 AM, Langen Mike wrote:
Hi there.
I’ve got the problem that I want to combine active directory authentication with mac address verification. So only user can log in which hardware is listed in a text file or similar.
In the whole world wide web I didn’t find a hint how to combine multiple authentication methods in serial.
Really? MAC "authentication" is really just a key/value lookup. You don't need to "combine two types of authentication" - just do a lookup of user->mac before doing mschap. You haven't said, but I'm going to assume you're using 802.1x, with PEAP/MS-CHAP via ntlm_auth. In which case, you want something like this: in eap.conf: eap { ... peap { ... copy_request_to_tunnel = yes } } in sites-enabled/inner-tunnel: authorize { ... # do e.g. an SQL lookup update request { Tmp-Integer-0 := "%{sql:select 1 from allowed where username='%{SQL-User-Name}' and mac='%{Calling-Station-Id}'" } if (Tmp-Integer-0 == 1) { # this combination is allowed } else { # this one is not reject } } Obviously you'll need to have configured SQL and created the lookup table for the above example to work. You could also do this with "rlm_passwd", LDAP or even a "users" file. You'll need to be a bit more specific about your requirements if you want advice on that. # now lookup user/mac
One possibility, but there I didn’t find anything at all, seems to be using the perl module. Is it possible to run a perl script before ntlm_auth will take place ?
Thanks for your answer.
Greetings from Switzerland.
Mike
Hi Phil. Thank you for your quick answer. That's exactly, what I need. Where do you get this information? It's really hard to retrieve usable information from wiki.freeradius.org... Is there a good resource for this kind of information? I do have difficulties to understand, how freeradius is processing a request and where I can hook my own logic into it. Cheers Mike -----Ursprüngliche Nachricht----- Von: freeradius-users-bounces+mike.langen=ofwi.ch@lists.freeradius.org [mailto:freeradius-users-bounces+mike.langen=ofwi.ch@lists.freeradius.org] Im Auftrag von Phil Mayers Gesendet: Freitag, 15. Oktober 2010 10:10 An: freeradius-users@lists.freeradius.org Betreff: Re: Combining ntlm_auth and mac address verification in freeradius On 10/15/2010 08:06 AM, Langen Mike wrote:
Hi there.
I've got the problem that I want to combine active directory authentication with mac address verification. So only user can log in which hardware is listed in a text file or similar.
In the whole world wide web I didn't find a hint how to combine multiple authentication methods in serial.
Really? MAC "authentication" is really just a key/value lookup. You don't need to "combine two types of authentication" - just do a lookup of user->mac before doing mschap. You haven't said, but I'm going to assume you're using 802.1x, with PEAP/MS-CHAP via ntlm_auth. In which case, you want something like this: in eap.conf: eap { ... peap { ... copy_request_to_tunnel = yes } } in sites-enabled/inner-tunnel: authorize { ... # do e.g. an SQL lookup update request { Tmp-Integer-0 := "%{sql:select 1 from allowed where username='%{SQL-User-Name}' and mac='%{Calling-Station-Id}'" } if (Tmp-Integer-0 == 1) { # this combination is allowed } else { # this one is not reject } } Obviously you'll need to have configured SQL and created the lookup table for the above example to work. You could also do this with "rlm_passwd", LDAP or even a "users" file. You'll need to be a bit more specific about your requirements if you want advice on that. # now lookup user/mac
One possibility, but there I didn't find anything at all, seems to be using the perl module. Is it possible to run a perl script before ntlm_auth will take place ?
Thanks for your answer.
Greetings from Switzerland.
Mike
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On 15/10/10 10:13, Langen Mike wrote:
Hi Phil.
Thank you for your quick answer. That's exactly, what I need. Where do you get this information? It's really hard to retrieve usable information from wiki.freeradius.org...
Mainly accumulated knowledge.
Is there a good resource for this kind of information? I do have difficulties to understand, how freeradius is processing a request and where I can hook my own logic into it.
The docs that come with the server cover a lot of this; have a look in particular at: doc/aaa doc/module_interface doc/configurable_failover If these are unclear, please say how, so they can be improved! FreeRadius is really quite simple in principle; a radius request consists of a list of attribute/value pairs. The request is received and two more empty lists are created - the "config" and "reply" items. The request is passed through the "authorize" section, with each module altering the request/config/reply items and perhaps terminating the processing. The request is then passed through the "authenticate" section obeying the "Auth-Type" variable in the "config" item. Finally it's passed through the "post-auth" section. FreeRadius 2.x adds "if ()" statements as special modules so the processing can be condition (see "man unlang") but it's all just a chain of modules under the hood. Very clever & flexible! If you really want to understand the way it works, there's no substitute for slowly, carefully working through some config options, and watching the output from "radiusd -X". The best way is: 1. build/install freeradius 2. Put the /etc/raddb directory under version control 3. Run some test authentications using radclient or eapol_test 4. Commit the working config 5. Change *one* thing 6. goto 3 ;o)
Hi Phil. Thank you very much. That would do for now! Kind regards Mike -----Ursprüngliche Nachricht----- Von: freeradius-users-bounces+mike.langen=ofwi.ch@lists.freeradius.org [mailto:freeradius-users-bounces+mike.langen=ofwi.ch@lists.freeradius.org] Im Auftrag von Phil Mayers Gesendet: Freitag, 15. Oktober 2010 12:03 An: freeradius-users@lists.freeradius.org Betreff: Re: AW: Combining ntlm_auth and mac address verification in freeradius On 15/10/10 10:13, Langen Mike wrote:
Hi Phil.
Thank you for your quick answer. That's exactly, what I need. Where do you get this information? It's really hard to retrieve usable information from wiki.freeradius.org...
Mainly accumulated knowledge.
Is there a good resource for this kind of information? I do have difficulties to understand, how freeradius is processing a request and where I can hook my own logic into it.
The docs that come with the server cover a lot of this; have a look in particular at: doc/aaa doc/module_interface doc/configurable_failover If these are unclear, please say how, so they can be improved! FreeRadius is really quite simple in principle; a radius request consists of a list of attribute/value pairs. The request is received and two more empty lists are created - the "config" and "reply" items. The request is passed through the "authorize" section, with each module altering the request/config/reply items and perhaps terminating the processing. The request is then passed through the "authenticate" section obeying the "Auth-Type" variable in the "config" item. Finally it's passed through the "post-auth" section. FreeRadius 2.x adds "if ()" statements as special modules so the processing can be condition (see "man unlang") but it's all just a chain of modules under the hood. Very clever & flexible! If you really want to understand the way it works, there's no substitute for slowly, carefully working through some config options, and watching the output from "radiusd -X". The best way is: 1. build/install freeradius 2. Put the /etc/raddb directory under version control 3. Run some test authentications using radclient or eapol_test 4. Commit the working config 5. Change *one* thing 6. goto 3 ;o) - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
participants (2)
-
Langen Mike -
Phil Mayers