simple mac-auth

Mikko Husari husku at husku.net
Thu Feb 8 09:59:52 CET 2007


Phil Mayers wrote:
> Mikko Husari wrote:
>   
>> Mikko Husari wrote:
>>     
>>> Hi!
>>>
>>> I'm currently running eap-tls with username and password (from ldap), but 
>>> now we're having a bunch of "stupid" wlan-client machines, and we need 
>>> a simple mac-auth (from ldap?) to the network. basic idea: (example 
>>> from outside world) "so, no certificate and login credentials, can't let 
>>> you in. but I'm on a vip-list!. Oh, I see, come on in, sorry for 
>>> inconvenience", for now we are happy to get just that to work, next 
>>> level would be something concerning vlans... I think (in the long run) 
>>> we don't want to have too much accessibility in those stupid machines. 
>>> poorly explained, not enough coffee in veins yet...
>>>
>>> thanks in advance
>>> - 
>>> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>>>   
>>>       
>> Wouldn't I just be able to create a hints rule that says "if 
>> calling-station-id == xx-xx-xx-xx-xx permit access", or something similar?
>>     
>
> Yes. Like I said, it's easy.
>
> My advice would be to use an rlm_passwd with a key of calling-station-id 
> and use the authtype value on the module instance to set to Accept.
>
> As I said, your AP still needs to support sending the MAC to Radius on 
> association. I suggest you consult your AP docs.
Well, I managed to do a "module" that checks the file and returns 
ok/not found/noop, but now my problem is how to make it 
authorize me according to the maclist... at the moment it checks the 
eap-tls module... well, there are two sections in that radiusd.conf, 
authenticate and authorize; I tried listing that maclist module in the 
last and it complained that passwd modules are not allowed in there...
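
Added example (not part of the original thread and not FreeRADIUS code): a small Python model of the flow Phil Mayers describes, where a lookup keyed on Calling-Station-Id runs in the authorize stage and sets Auth-Type to Accept, and the authenticate stage then dispatches on that value. The function names, the allowlist file format and the sample MACs are constructed for illustration, and the EAP step is a simplified stand-in.

```python
import re

# Constructed sample allowlist: one MAC per line, '#' starts a comment.
MACLIST = """\
00-11-22-33-44-55   # lobby printer
0011.2233.44aa      # barcode scanner
"""

def normalize_mac(value):
    """Return 12 lowercase hex digits, or None if value is not a MAC."""
    digits = re.sub(r"[-:.]", "", value.strip()).lower()
    return digits if re.fullmatch(r"[0-9a-f]{12}", digits) else None

def load_maclist(text):
    entries = (line.split("#", 1)[0] for line in text.splitlines())
    return {mac for mac in map(normalize_mac, entries) if mac}

def maclist_authorize(request, control, allowed):
    """Authorize-stage lookup keyed on Calling-Station-Id."""
    raw = request.get("Calling-Station-Id")
    if raw is None:
        return "noop"                      # the AP did not send the MAC
    if normalize_mac(raw) not in allowed:
        return "notfound"                  # malformed or not on the list
    control["Auth-Type"] = "Accept"        # the effect of authtype = Accept
    return "ok"

def eap_authorize(request, control):
    """Simplified stand-in: claims EAP requests when no Auth-Type is set yet."""
    if "EAP-Message" in request and "Auth-Type" not in control:
        control["Auth-Type"] = "EAP"
        return "ok"
    return "noop"

def handle(request, allowed):
    control = {}
    maclist_authorize(request, control, allowed)   # authorize section
    eap_authorize(request, control)
    # authenticate section: dispatch on the Auth-Type chosen above
    return {"Accept": "Access-Accept", "EAP": "run EAP-TLS"}.get(
        control.get("Auth-Type"), "Access-Reject")

if __name__ == "__main__":
    allowed = load_maclist(MACLIST)
    for req in ({"Calling-Station-Id": "00:11:22:33:44:55"},
                {"Calling-Station-Id": "aa-bb-cc-dd-ee-ff", "EAP-Message": b"\x02"},
                {"Calling-Station-Id": "aa-bb-cc-dd-ee-ff"}):
        print(req, "->", handle(req, allowed))
```

In this model the allowlist lookup only ever runs in the authorize stage; a request from a MAC that is not listed still has to complete EAP-TLS.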


