simple mac-auth

Mikko Husari husku at
Thu Feb 8 09:59:52 CET 2007

Phil Mayers wrote:
> Mikko Husari wrote:
>> Mikko Husari wrote:
>>> Hi!
>>> im currently running eap-tls with username and password (from ldap), but 
>>> now we're having a bunch of "stupid" wlan-client machines, and we need 
>>> an simple mac-auth (from ldap?) to the network. basic idea: (example 
>>> from outside world) "so, no certificate and login credentials, cant let 
>>> you in. but im on an vip-list!. Oh, i see, come on in, sorry for 
>>> inconvenience", for now we are happy to get just that to work, next 
>>> level would be something concerning vlans... i think (in the long run) 
>>> we don't want to have too much accessibility in those stupid machines. 
>>> poorly explained, not enough coffee in veins yet...
>>> thanks in advance
>>> - 
>>> List info/subscribe/unsubscribe? See
>> Wouldn't i just be able to create  hints rule that says "if 
>> calling-station-id ==  xx-xx-xx-xx-xx permit access" , or something similar?
> Yes. Like I said, it's easy.
> My advice would be to use an rlm_passwd with a key of calling-station-id 
> and use the authtype value on the module instance to set to Accept.
> As I said, your AP still needs to support sending the MAC to Radius on 
> association. I suggest you consult your AP docs.
> - 
> List info/subscribe/unsubscribe? See
well, i managed to do a "module" that it checks the file and returns 
ok/not found/noop, but now my problem is that how to do so that it 
authorizes me according to the maclist... at the moment it checks the 
eap-tls module... well, theres two section on that radiusd.conf, 
authenticate and authorize, i tried listing that maclist module in the 
last and it complained that passwd modules are not allowed in there...

More information about the Freeradius-Users mailing list