Binding MAC address with username
Hello, For my setup, I'd like to bind a MAC address to a specific user when it first login. For exemple, user 1 connects from computer 00:11:22:33:44:55. I'd like the system to remember this MAC address, so that the next time the user reuses this same computer, it does not asks to connect again. This way, the users would rather be the mac addresses. Another solution I think would be to store the MAC address as a new user in the same group as user 1. Which way would be the best? Thanks, Acrilex
On Dec 20, 2016, at 8:47 PM, Alexandre Croteau <alextyhero123@live.ca> wrote:
For my setup, I'd like to bind a MAC address to a specific user when it first login. For exemple, user 1 connects from computer 00:11:22:33:44:55. I'd like the system to remember this MAC address, so that the next time the user reuses this same computer, it does not asks to connect again.
What does that mean? The switch will always do RADIUS for authentication. There is no way to tell the switch to bypass RADIUS.
This way, the users would rather be the mac addresses. Another solution I think would be to store the MAC address as a new user in the same group as user 1.
You're talking about a solution, and how best to implement the solution. Talk instead about the problem. In concrete terms. What does the switch do? When does it do that? What does the user do? When / why? You don't have a good grasp of what the switch / RADIUS server does. As a result, your questions are based on incorrect assumptions. There's no real way to answer your questions as-is, because the assumptions are incorrect. Alan DeKok.
Sorry for not being clear, here is a better explaination. My setup is a captive portal (CoovaChilli) with FreeRADIUS and mysql. My users are pre-stored in the RADIUS database. What I'd like to do is that on the first time a user connect from a new device, that device's MAC address is binded to the username. This way, whenever the user reconnects to the network, it would just try to authenticate using the MAC adress, if possible without the user's interaction. I also use the DHCP module of FreeRadius in order to assign a specific subnet for a user group. This way, the user is in a group and gets an IP address specific to this group. The whole point of doing this is to redirect the traffic through a Squid proxy and filter by ip ranges. This way, a user logs in the first time it connects to the network. Then, the traffic is filtered according to the user's group (actually school class) Hope it makes things clear, Acrilex
Le 20 déc. 2016 à 21:42, Alan DeKok <aland@deployingradius.com> a écrit :
On Dec 20, 2016, at 8:47 PM, Alexandre Croteau <alextyhero123@live.ca> wrote:
For my setup, I'd like to bind a MAC address to a specific user when it first login. For exemple, user 1 connects from computer 00:11:22:33:44:55. I'd like the system to remember this MAC address, so that the next time the user reuses this same computer, it does not asks to connect again.
What does that mean?
The switch will always do RADIUS for authentication. There is no way to tell the switch to bypass RADIUS.
This way, the users would rather be the mac addresses. Another solution I think would be to store the MAC address as a new user in the same group as user 1.
You're talking about a solution, and how best to implement the solution.
Talk instead about the problem. In concrete terms. What does the switch do? When does it do that? What does the user do? When / why?
You don't have a good grasp of what the switch / RADIUS server does. As a result, your questions are based on incorrect assumptions. There's no real way to answer your questions as-is, because the assumptions are incorrect.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Sorry for not being clear, here is a better explaination. My setup is a captive portal (CoovaChilli) with FreeRADIUS and mysql. My users are pre-stored in the RADIUS database. What I'd like to do is that on the first time a user connect from a new device, that device's MAC address is binded to the username. This way, whenever the user reconnects to the network, it would just try to authenticate using the MAC adress, if possible without the user's interaction. I also use the DHCP module of FreeRadius in order to assign a specific subnet for a user group. This way, the user is in a group and gets an IP address specific to this group.
The whole point of doing this is to redirect the traffic through a Squid proxy and filter by ip ranges. This way, a user logs in the first time it connects to the network. Then, the traffic is filtered according to the user's group (actually school class)
So, in pseudo code: In the authorize section, execute sql query "Select username from table where MAC_Address like 'mac address'" If the result is empty, then you need to bind it. If it is not, you have a mapping and you will need to check that the usernames match. If they do, Access-Accept is sent, if not, Access-Reject. If you use EAP authentication, you'll have to do this in the inner-tunnel. Stefan Paetow Moonshot Industry & Research Liaison Coordinator t: +44 (0)1235 822 125 gpg: 0x3FCE5142 xmpp: stefanp@jabber.dev.ja.net skype: stefan.paetow.janet jisc.ac.uk Jisc is a registered charity (number 1149740) and a company limited by guarantee which is registered in England under Company No. 5747339, VAT No. GB 197 0632 86. Jisc’s registered office is: One Castlepark, Tower Hill, Bristol, BS2 0JA. T 0203 697 5800.
Thanks! I understood the logic, but I tought there was an integrated way to do so. I think I will simply call a python script to do the verification. Acrilex Le 21 déc. 2016 à 07:25, Stefan Paetow <Stefan.Paetow@jisc.ac.uk> a écrit :
Sorry for not being clear, here is a better explaination. My setup is a captive portal (CoovaChilli) with FreeRADIUS and mysql. My users are pre-stored in the RADIUS database. What I'd like to do is that on the first time a user connect from a new device, that device's MAC address is binded to the username. This way, whenever the user reconnects to the network, it would just try to authenticate using the MAC adress, if possible without the user's interaction. I also use the DHCP module of FreeRadius in order to assign a specific subnet for a user group. This way, the user is in a group and gets an IP address specific to this group.
The whole point of doing this is to redirect the traffic through a Squid proxy and filter by ip ranges. This way, a user logs in the first time it connects to the network. Then, the traffic is filtered according to the user's group (actually school class)
So, in pseudo code:
In the authorize section, execute sql query "Select username from table where MAC_Address like 'mac address'"
If the result is empty, then you need to bind it. If it is not, you have a mapping and you will need to check that the usernames match. If they do, Access-Accept is sent, if not, Access-Reject.
If you use EAP authentication, you'll have to do this in the inner-tunnel.
Stefan Paetow Moonshot Industry & Research Liaison Coordinator
t: +44 (0)1235 822 125 gpg: 0x3FCE5142 xmpp: stefanp@jabber.dev.ja.net skype: stefan.paetow.janet
jisc.ac.uk
Jisc is a registered charity (number 1149740) and a company limited by guarantee which is registered in England under Company No. 5747339, VAT No. GB 197 0632 86. Jisc’s registered office is: One Castlepark, Tower Hill, Bristol, BS2 0JA. T 0203 697 5800.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Thanks! I understood the logic, but I tought there was an integrated way to do so. I think I will simply call a python script to do the verification.
There is. You can use unlang[1] to do some of this, as well as using the xlat engine, i.e. "%{sql:SELECT username from ...}"[2] [1] http://freeradius.org/radiusd/man/unlang.html [2] https://wiki.freeradius.org/modules/Rlm_sql Do note though that the actual account linking to the MAC address probably should *not* be done in FreeRADIUS... Stefan Paetow Moonshot Industry & Research Liaison Coordinator t: +44 (0)1235 822 125 gpg: 0x3FCE5142 xmpp: stefanp@jabber.dev.ja.net skype: stefan.paetow.janet jisc.ac.uk Jisc is a registered charity (number 1149740) and a company limited by guarantee which is registered in England under Company No. 5747339, VAT No. GB 197 0632 86. Jisc’s registered office is: One Castlepark, Tower Hill, Bristol, BS2 0JA. T 0203 697 5800.
participants (3)
-
Alan DeKok -
Alexandre Croteau -
Stefan Paetow