MAC authorisation (but not authentication) via LDAP

Markus Krause krause at biochem.mpg.de
Sun Feb 25 01:14:08 CET 2007


Quoting Martin Whinnery <martin.whinnery at sbc.ac.uk>:

> Hi.
>
> Probly just me not understanding...
>
> What I want is for our switches to only allow access to MAC addresses in
> our LDAP database.
>
> I don't want to store passwords on our LDAP host entries.
>
> I'm set up to check LDAP during authorisation, and it correctly returns
> authorised / not authorised depending on whether the appropriate
> attribute contains the right value.
>
> The trouble comes with authentication - either I set Auth-Type :=
> Accept, in which case any failed authorisation is overridden, or I allow
> authentication to carry on against LDAP ( or System, or whatever ), in
> which case it fails always and access is denied, even for authorised MACs.
>
> Is there a way to make the Authorisation part final and authoritative?
>
>
> As I say, probly just being stoopid.
>
>
> Mart
>
Don't know if it is a good solution, but I just do this by setting the
following in radiusd.conf:

authenticate {
     ...
     Auth-Type LdapMAC {
        ok
     }
     ...
}

The Auth-Type is set in the users file depending on huntgroups:

DEFAULT  Huntgroup-Name == switch, Autz-Type := LdapMAC, Auth-Type := LdapMAC

I assume there are better/smarter solutions, as one can read "don't
set Auth-Type" in many places, but it works here ;-)

regards
   markus



+-----------------------------------------------------------------+
| Markus Krause, Mogli-Soft                                       |
| Support for Mac OS X, Webmail/Horde, LDAP, RADIUS               |
| by order of the                                                 |
|    Computing Center of the Max-Planck-Institute of Biochemistry |
+--------------------------------+--------------------------------+
| E-Mail: krause at biochem.mpg.de  |  Tel.: 089 - 89 40 85 99       |
|         markus.krause at mac.com  |  Fax.: 089 - 89 40 85 98       |
|  Skype: markus.krause          | iChat: markus.krause at mac.com   |
+--------------------------------+--------------------------------+


