Authorize access by MAC Address
I am intend to use FreeRadius to create a network access solution for managed mobile devices. Authentication will be using EAP-TLS with a trusted certificate, but the supplicant identity mapping attribute will be the WiFi adapter's MAC address. I have an LDAP directory with a customized schema that has an object for each managed device with an attribute, wiFiMAC, containing the MAC address and second attribute, deviceCompliance, containing the device's adjudicated policy compliance state. The access request authorization policy should allow access if the device object is found in the directory by MAC address, and deviceCompliance is 0. I've looked over the documentation for LDAP backend configuration, but it is heavy biased towards the authorize-by-user-identity use case. Are there any configuration examples for mapping identity using MAC address? Any examples for adding custom LDAP attributes for access-adjudication?
On Wed, 2019-10-23 at 23:44 +0000, Mike DiBella wrote:
The access request authorization policy should allow access if the device object is found in the directory by MAC address, and deviceCompliance is 0.
I've looked over the documentation for LDAP backend configuration, but it is heavy biased towards the authorize-by-user-identity use case.
The defaults check for the username, because that's what most people do.
Are there any configuration examples for mapping identity using MAC address? Any examples for adding custom LDAP attributes for access- adjudication?
It's all in mods-available/ldap. Update the user filter to match on something other than uid and %{Stripped-User-Name}, e.g. "(&(wiFiMAC=%{Calling-Station- Id})(deviceCompliance=0))" You can change the update{} section to copy any LDAP attributes into RADIUS attributes if you need them. -- Matthew
participants (2)
-
Matthew Newton -
Mike DiBella