Mac based auth
Phil Mayers
p.mayers at imperial.ac.uk
Tue Nov 28 18:59:02 CET 2006
jonr at destar.net wrote:
> Quoting Alan DeKok <aland at deployingradius.com>:
>
>
>> And yes, I cover all of this in my
>> book, which will be done real soon now...
>
> This is the book I am waiting to read. The O'Reilly book is a good primer but
> really doesn't get to the meat of what Radius can do.
>
>
>> You can do:
>>
>> bob Calling-Station-Id != "0001....", Auth-Type := Reject
>>
>
> Could I also do:
>
> bob password = "neil", Calling-Station-Id != "0001....", Auth-Type := Reject
>
> So that both pieces of information have to be present to be authenticated?
No, that would always reject the user. You could do this:

bob Calling-Station-Id != "0001....", Auth-Type := Reject
bob User-Password := "neil"

Can you instead use rlm_checkval like this:

modules {
   passwd user2allowedmacs {
     filename = /etc/raddb/user2allowedmacs
     # "*" marks User-Name as the lookup key; the second field is
     # added to the check items as Calling-Station-Id
     format = "*User-Name:Calling-Station-Id"
     hashsize = 100
     # allow several lines (several MACs) per user
     allowmultiplekeys = yes
   }
   checkval usermacs {
     # attribute to look for in the request
     item-name = Calling-Station-Id
     # attribute to look for in the check items (may be multi-valued)
     check-name = Calling-Station-Id
     data-type = string
     # reject when the request carries no item-name attribute
     notfound-reject = yes
   }
}

authorize {
   preprocess
   user2allowedmacs
   usermacs
   # other stuff
}

/etc/raddb/user2allowedmacs:

user1:001122334455
user1:aabbccddeeff
user2:0123456789ab

...I think that ought to work?
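
The following is an added example, not part of the original post and not FreeRADIUS code: a simplified Python model of how the passwd lookup and the checkval comparison in the configuration above combine, useful for auditing an allow-list file offline. The function names, the three outcome strings and the exact string comparison are assumptions of this model; the file contents and requests are constructed.

```python
# Simplified model of the passwd + checkval pairing from the post.
# Assumptions (not taken from FreeRADIUS source): outcomes are the strings
# "ok", "reject", "notfound", and values are compared as exact strings.

# Constructed sample in the "*User-Name:Calling-Station-Id" layout.
SAMPLE_FILE = """\
user1:001122334455
user1:aabbccddeeff
user2:0123456789ab
"""


def load_allowed(text):
    """Map each User-Name to the set of MAC strings listed for it."""
    allowed = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        user, mac = line.split(":", 1)
        # allowmultiplekeys = yes: one user may appear on several lines
        allowed.setdefault(user, set()).add(mac)
    return allowed


def check(allowed, request, notfound_reject=True):
    """Return 'ok', 'reject' or 'notfound' for one request (a dict)."""
    station = request.get("Calling-Station-Id")
    if station is None:
        # notfound-reject = yes: a request without the attribute is refused
        return "reject" if notfound_reject else "notfound"
    macs = allowed.get(request.get("User-Name"))
    if not macs:
        # No check item was added for this user, so there is nothing to
        # compare against and the model does not reject.
        return "notfound"
    return "ok" if station in macs else "reject"


if __name__ == "__main__":
    table = load_allowed(SAMPLE_FILE)
    constructed_requests = [
        {"User-Name": "user1", "Calling-Station-Id": "aabbccddeeff"},
        {"User-Name": "user1", "Calling-Station-Id": "AA-BB-CC-DD-EE-FF"},
        {"User-Name": "user2"},
        {"User-Name": "user9", "Calling-Station-Id": "001122334455"},
    ]
    for req in constructed_requests:
        print(req, "->", check(table, req))
```

In this model a user who is absent from the file comes back as "notfound" rather than "reject", and a Calling-Station-Id sent with separators or in upper case does not match a bare lowercase entry, so both cases are worth testing against the real server before relying on the list.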