Freeradius 2.1.10: authentication (uid and password) or (macaddress) in LDAP
Hello, somebody can tell me how I should configure freeradius to authenticate in order (all is in openldap): check mac-address in ldap if exist authenticate computer else authenticate with uid/password or try authenticate using macaddress if rejected - try authenticate via uid/password -- Regards Maciej Łukasz Wojszkun [MWO]
Maciej ??ukasz Wojszkun <maciej.wojszkun@blstream.com> wrote:
somebody can tell me how I should configure freeradius to authenticate in order (all is in openldap):
check mac-address in ldap if exist authenticate computer else authenticate with uid/password
or
try authenticate using macaddress if rejected - try authenticate via uid/password
The complication comes in as the initial authentication can be an EAP (802.1X) or a MAC-auth request. You cannot do MAC-auth on an EAP request and pass back Access-Accept immediently...the client will get confused and probably just keep hammering your RADIUS server to authenticate. On a wired socket, with Cisco kit at least, you do get the option to try a MAC-auth first, and if the RADIUS server comes back with Access-Reject then the switch will move into 802.1X which works *very* well. You have not stated if you want to do this on a wired or wireless connection. You have not actually stated if 802.1X is even involved and that this could just be a web portal. At my workplace (a medium sized university) we store all our MAC addresses in LDAP and it works well for us. If the MAC address is not 'registered' then the client has to use an 802.1X authentication. Cheers -- Alexander Clouter .sigmonster says: When you don't know what to do, walk fast and look worried.
Hello, W dniu 7/7/11 9:26 PM, Alexander Clouter pisze:
Maciej ??ukasz Wojszkun <maciej.wojszkun@blstream.com> wrote:
(..)
On a wired socket, with Cisco kit at least, you do get the option to try a MAC-auth first, and if the RADIUS server comes back with Access-Reject then the switch will move into 802.1X which works *very* well.
Right, I didn't described problem clearly. I need to configure Radius to work as you talk. Can you give me some hint, where and how should I done this?
(...) At my workplace (a medium sized university) we store all our MAC addresses in LDAP and it works well for us. If the MAC address is not 'registered' then the client has to use an 802.1X authentication.
-- Regards Maciej Łukasz Wojszkun [MWO] BLStream Sp. z o.o. mobile: +48 698611234
participants (2)
-
Alexander Clouter -
Maciej Łukasz Wojszkun