husku at husku.net
Thu Feb 8 09:59:52 CET 2007
Phil Mayers wrote:
> Mikko Husari wrote:
>> Mikko Husari wrote:
>>> im currently running eap-tls with username and password (from ldap), but
>>> now we're having a bunch of "stupid" wlan-client machines, and we need
>>> an simple mac-auth (from ldap?) to the network. basic idea: (example
>>> from outside world) "so, no certificate and login credentials, cant let
>>> you in. but im on an vip-list!. Oh, i see, come on in, sorry for
>>> inconvenience", for now we are happy to get just that to work, next
>>> level would be something concerning vlans... i think (in the long run)
>>> we don't want to have too much accessibility in those stupid machines.
>>> poorly explained, not enough coffee in veins yet...
>>> thanks in advance
>>> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>> Wouldn't i just be able to create hints rule that says "if
>> calling-station-id == xx-xx-xx-xx-xx permit access" , or something similar?
> Yes. Like I said, it's easy.
> My advice would be to use an rlm_passwd with a key of calling-station-id
> and use the authtype value on the module instance to set to Accept.
> As I said, your AP still needs to support sending the MAC to Radius on
> association. I suggest you consult your AP docs.
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
well, i managed to do a "module" that it checks the file and returns
ok/not found/noop, but now my problem is that how to do so that it
authorizes me according to the maclist... at the moment it checks the
eap-tls module... well, theres two section on that radiusd.conf,
authenticate and authorize, i tried listing that maclist module in the
last and it complained that passwd modules are not allowed in there...
More information about the Freeradius-Users