Re: Mac based auth

Hector.Ortiz at swisscom.com
Wed Nov 29 11:44:40 CET 2006


Hi, 

we have deployed an open-source MAC-based solution which can optionally be tied to FreeRadius. With this you can have better control of the MAC addresses that you have in your network. 
- For non-802.1x-capable devices, we have the option of using "VMPS" or performing a MAC-Auth-Bypass if your switch allows it. 
- For 802.1x we use FreeRadius 1.1.3 configured to authenticate the user against a Windows Domain controller, and after checking the user credentials we check the MAC address to assign the VLAN. 
- A virtual machine has been released with the software needed to make it easy to test. You only have to download it and configure it. We have a MySQL backend and a Windows GUI & Web GUI for administering the MAC addresses that automagically come into the database. Please go to http://www.freenac.net and let us know what you think of our system.

Regards,

Hector

-----Original Message-----
From: freeradius-users-bounces+hector.ortiz=swisscom.com at lists.freeradius.org [mailto:freeradius-users-bounces+hector.ortiz=swisscom.com at lists.freeradius.org] On Behalf Of Collen Blijenberg
Sent: Wednesday, 29 November 2006 11:29
To: FreeRadius users mailing list
Subject: Re: Mac based auth

Looks good, I was also wondering
if this could be done with MySQL as backend?!

Cheers, Collen

Phil Mayers wrote:
> jonr at destar.net wrote:
>>>> Could I also do:
>>>>
>>>> bob    password = "neil", Calling-Station-Id != "0001....", 
>>>> Auth-Type := Reject
>>>> So that both pieces of information have to be present to be 
>>>> authenticated?
>>> No, that would always reject the user. You could do this:
>>>
>>> bob    Calling-Station-Id != "0001....", Auth-Type := Reject
>>>
>>> bob    User-Password := "neil"
>>
>> Well thats too easy. :)
>>
>>
>>> Can you instead use rlm_checkval like this:
>>>
>>> modules {
>>>    passwd user2allowedmacs {
>>>      filename = /etc/raddb/user2allowedmacs
>>>      format = "*User-Name:Calling-Station-Id"
>>>      hashsize = 100
>>>      allowmultiplekeys = yes
>>>    }
>>>    checkval usermacs {
>>>      item-name = Calling-Station-Id
>>>      check-name = Calling-Station-Id
>>>      data-type = string
>>>      notfound-reject = yes
>>>    }
>>> }
>>
>> Which file would the above be placed in and does it need to be placed 
>> in a certain area of the file or can it just be added to the bottom 
>> of the file? And
>
> It's a partial fragment of radiusd.conf - you would need to inspect 
> how the radiusd.conf hierarchical config works, and put the two module 
> definitions in along with anything else you need
>
>> when I see 'rlm_' I think realm which makes me think ldap or 
>> kerberos, neither of which I am using, will this be a problem?
>
> rlm == radius loadable module, nothing to do with realms (although 
> there is an rlm_realm for dealing with realms!)
>
>>
>>
>>> authorize {
>>>    preprocess
>>>    user2allowedmacs
>>>    usermacs
>>>    # other stuff
>>> }
>>
>> So whatever I name my module I will have to add to the authorize 
>> stanza in the radius.conf file, correct?
>
> Yep
>
>>
>>> /etc/raddb/user2allowedmacs:
>>>
>>> user1:001122334455
>>> user1:aabbccddeeff
>>> user2:0123456789ab
>>>
>>> ...I think that ought to work?
>>
>> Thanks for the info, this is gold!
>>
>> Jon
>> - List info/subscribe/unsubscribe? See 
>> http://www.freeradius.org/list/users.html
>
> - List info/subscribe/unsubscribe? See 
> http://www.freeradius.org/list/users.html

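Added editorial example, not part of the thread and not FreeRADIUS code: a small Python emulation of the rlm_passwd + rlm_checkval arrangement Phil Mayers describes above. It parses a file in the quoted "*User-Name:Calling-Station-Id" layout (the leading "*" marks the key field, and allowmultiplekeys = yes lets one user own several lines), then decides a request the way the quoted authorize stanza would, including the notfound-reject = yes case. The sample file content is constructed from the thread's three example lines. One thing the example adds that rlm_checkval's string data-type does not do on its own is MAC normalization: different NAS vendors send Calling-Station-Id as 00-11-22-33-44-55, 00:11:22:33:44:55 or 0011.2233.4455, and a plain string compare against the file silently rejects every one of them, so normalize_mac() reduces both sides to twelve lowercase hex digits first.

```python
"""Emulate the rlm_passwd + rlm_checkval per-user MAC check from the thread.

Constructed example; names and behaviour are this script's own, not the
FreeRADIUS modules' internals.
"""
import re
from collections import defaultdict
from typing import Dict, Optional, Set, Tuple

# Constructed sample of /etc/raddb/user2allowedmacs, using the three lines
# quoted in the thread. rlm_passwd format: "*User-Name:Calling-Station-Id".
SAMPLE_FILE = """\
user1:001122334455
user1:aabbccddeeff
user2:0123456789ab
"""

_NON_HEX = re.compile(r"[^0-9a-f]")


def normalize_mac(value: str) -> Optional[str]:
    """Reduce any common MAC spelling to 12 lowercase hex digits.

    Returns None when the value is not a MAC at all (for example an empty
    Calling-Station-Id, or a phone number on a dial-in NAS).
    """
    digits = _NON_HEX.sub("", value.strip().lower())
    return digits if len(digits) == 12 else None


def load_allowed_macs(text: str) -> Dict[str, Set[str]]:
    """Parse the passwd-style file: key field User-Name, value Calling-Station-Id.

    Mirrors allowmultiplekeys = yes by collecting a set per user. Malformed
    lines are skipped rather than turned into an entry that could never match.
    """
    allowed: Dict[str, Set[str]] = defaultdict(set)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        user, sep, mac = line.partition(":")
        norm = normalize_mac(mac) if sep else None
        if not user or norm is None:
            continue
        allowed[user].add(norm)
    return dict(allowed)


def authorize(allowed: Dict[str, Set[str]], user_name: str,
              calling_station_id: Optional[str]) -> Tuple[str, str]:
    """Decide a request the way 'user2allowedmacs' then 'usermacs' would.

    Returns ("ok", reason) or ("reject", reason).
    """
    macs = allowed.get(user_name)
    if not macs:
        # rlm_passwd found no line for this user, so there is nothing for
        # checkval to compare against: notfound-reject = yes means reject.
        return "reject", "no allowed MACs on file for user"
    norm = normalize_mac(calling_station_id or "")
    if norm is None:
        return "reject", "Calling-Station-Id missing or not a MAC address"
    if norm not in macs:
        return "reject", "Calling-Station-Id not in the user's allowed list"
    return "ok", "Calling-Station-Id matches an allowed MAC for user"


if __name__ == "__main__":
    table = load_allowed_macs(SAMPLE_FILE)
    for user, csid in [("user1", "00-11-22-33-44-55"),
                       ("user2", "01:23:45:67:89:AB"),
                       ("user1", "0123.4567.89ab"),
                       ("user3", "001122334455")]:
        print(user, csid, *authorize(table, user, csid))
```

Two points worth keeping in mind when deploying the real modules: the file is re-read by rlm_passwd on HUP, so adding a line for a user does not take effect until the server reloads, and Calling-Station-Id is supplied by the client's NAS from whatever the client presented, so this check is an inventory control that complements the password check, not a replacement for it.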