Mac based auth
Phil Mayers
p.mayers at imperial.ac.uk
Wed Nov 29 11:05:35 CET 2006
jonr at destar.net wrote:
>>> Could I also do:
>>>
>>> bob password = "neil", Calling-Station-Id != "0001....", Auth-Type := Reject
>>> So that both pieces of information have to be present to be authenticated?
>> No, that would always reject the user. You could do this:
>>
>> bob Calling-Station-Id != "0001....", Auth-Type := Reject
>>
>> bob User-Password := "neil"
>
> Well that's too easy. :)
>
>
>> Can you instead use rlm_checkval like this:
>>
>> modules {
>>     passwd user2allowedmacs {
>>         filename = /etc/raddb/user2allowedmacs
>>         format = "*User-Name:Calling-Station-Id"
>>         hashsize = 100
>>         allowmultiplekeys = yes
>>     }
>>     checkval usermacs {
>>         item-name = Calling-Station-Id
>>         check-name = Calling-Station-Id
>>         data-type = string
>>         notfound-reject = yes
>>     }
>> }
>
> Which file would the above be placed in and does it need to be placed in a
> certain area of the file or can it just be added to the bottom of the file? And
It's a partial fragment of radiusd.conf - you would need to inspect how
the radiusd.conf hierarchical config works, and put the two module
definitions in along with anything else you need.
> when I see 'rlm_' I think realm which makes me think ldap or kerberos, neither
> of which I am using, will this be a problem?
rlm == radius loadable module, nothing to do with realms (although there
is an rlm_realm for dealing with realms!)
>
>
>> authorize {
>>     preprocess
>>     user2allowedmacs
>>     usermacs
>>     # other stuff
>> }
>
> So whatever I name my module I will have to add to the authorize stanza in the
> radius.conf file, correct?
Yep
>
>> /etc/raddb/user2allowedmacs:
>>
>> user1:001122334455
>> user1:aabbccddeeff
>> user2:0123456789ab
>>
>> ...I think that ought to work?
>
> Thanks for the info, this is gold!
>
> Jon
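
The user-to-MAC binding discussed in this thread, as an added example (not code from the thread or from FreeRADIUS): a Python model that lints a user2allowedmacs file and shows how a Calling-Station-Id sent with separators or in upper case fails the check. It assumes the comparison is an exact string match and that entries are stored as 12 lower-case hex digits, as in the sample file above; SAMPLE, normalize_mac, load_user_macs and check are hypothetical names, and check models the intended policy rather than the module's internals.

```python
import re
from collections import defaultdict

# Constructed sample in the thread's format (User-Name:Calling-Station-Id);
# the last line is deliberately malformed.
SAMPLE = """\
user1:001122334455
user1:aabbccddeeff
user2:0123456789ab
user3:00-11-22-33-44-55
"""

CANONICAL = re.compile(r"[0-9a-f]{12}")

def normalize_mac(value):
    """Drop ':', '-' and '.' separators and lower-case; None if not 12 hex digits."""
    bare = re.sub(r"[:.\-]", "", value.strip()).lower()
    return bare if CANONICAL.fullmatch(bare) else None

def load_user_macs(text):
    """Return ({user: {mac, ...}}, [(lineno, line), ...]) for a user2allowedmacs file.

    A user may appear on several lines (allowmultiplekeys = yes). Entries that are
    not 12 lower-case hex digits are reported so the file stays in one canonical form.
    """
    table, errors = defaultdict(set), []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        user, sep, mac = line.partition(":")
        if sep and user and CANONICAL.fullmatch(mac):
            table[user].add(mac)
        else:
            errors.append((lineno, line))
    return dict(table), errors

def check(table, user, calling_station_id):
    """Model of the intended policy (assumption: exact string match, else reject)."""
    allowed = table.get(user, set())
    if calling_station_id in allowed:
        return ("accept", "exact-match")
    if normalize_mac(calling_station_id) in allowed:
        # Same hardware address, but the NAS formats it differently from the file.
        return ("reject", "format-mismatch")
    return ("reject", "not-listed")

if __name__ == "__main__":
    table, errors = load_user_macs(SAMPLE)
    print("malformed entries:", errors)
    for user, csid in [("user1", "aabbccddeeff"), ("user1", "AA-BB-CC-DD-EE-FF")]:
        print(user, csid, check(table, user, csid))
```

A "format-mismatch" result means the address is on the user's list but the NAS formats it differently, so the value should be rewritten to the file's form before the comparison runs.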