MAC authorisation (but not authentication) via LDAP
Phil Mayers
p.mayers at imperial.ac.uk
Sun Feb 25 01:20:25 CET 2007
Markus Krause wrote:
> don't know if it is a good solution, but I just do this by setting the
> following in radiusd.conf:
>
> authenticate {
> ...
> Auth-Type LdapMAC {
> ok
> }
> ...
> }
>
> the Auth-Type is set in users file depending on huntgroups:
>
> DEFAULT Huntgroup-Name == switch, Autz-Type := LdapMAC, Auth-Type := LdapMAC
>
> I assume there are better/smarter solutions, as one can read "don't
> set Auth-Type" in many places, but it works here ;-)
Sorry, but it's an awful suggestion. Don't do it, and certainly don't
recommend others do it. There's no need to go setting Auth-Type to
random values.
The correct way to do this is to reject unknown, not blindly accept known.
Example - you could modify the ldap group membership query to find
groups based on both the username and callingstationid:
groupmembership_filter = "(|(&(objectClass=GroupOfMacaddrs)(member=%{Calling-Station-Id}))(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn})))"
Then in "ldap":
dn: cn=GoodMacs,dc=example,dc=com
objectClass: top
objectClass: GroupOfMacaddrs
member: 00:11:22:33:44:55
member: 66:77:88:99:aa:bb
Then in the "users" file:
DEFAULT Ldap-Group == "GoodMacs"
        Fall-Through = No

DEFAULT Auth-Type := Reject
        Reply-Message = "your mac is unknown"
There are lots of variations of this scheme.
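The following is an added example, not part of Phil's post and not FreeRADIUS code: a stand-alone Python model of the reject-unknown scheme above. It assumes a constructed in-memory directory standing in for the LDAP server (with the hypothetical GroupOfMacaddrs objectClass and the GoodMacs entry from the post), that a NAS may format Calling-Station-Id in several ways (dashes, dots, colons or bare hex), and it writes out RFC 4515 filter escaping so the model runs offline; rlm_ldap applies comparable escaping to %{...} expansions itself.

```python
"""Model of "reject unknown MACs via LDAP group membership".

Added example (not FreeRADIUS or rlm_ldap code).  The directory below is
constructed for the demonstration; in a real deployment it is the LDAP server.
"""
import re

# Constructed stand-in for the LDAP directory.  cn=GoodMacs mirrors the LDIF
# entry in the post; cn=Staff is an assumed ordinary GroupOfNames.
DIRECTORY = {
    "cn=GoodMacs,dc=example,dc=com": {
        "objectClass": {"top", "GroupOfMacaddrs"},
        "member": {"00:11:22:33:44:55", "66:77:88:99:aa:bb"},
    },
    "cn=Staff,dc=example,dc=com": {
        "objectClass": {"top", "GroupOfNames"},
        "member": {"uid=alice,ou=people,dc=example,dc=com"},
    },
}

_HEX12 = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(calling_station_id):
    """Canonicalise the MAC a NAS puts in Calling-Station-Id.

    Switches send 00-11-22-33-44-55, 0011.2233.4455, 001122334455 or the
    colon form; the directory stores lower-case, colon-separated.  Anything
    that is not exactly 12 hex digits yields None, so junk never matches.
    """
    digits = re.sub(r"[^0-9a-fA-F]", "", calling_station_id or "").lower()
    if not _HEX12.match(digits):
        return None
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def ldap_filter_escape(value):
    """RFC 4515 escaping for a value interpolated into a search filter:
    '*', '(', ')', '\\' and NUL become \\XX hex escapes."""
    return "".join("\\%02x" % ord(ch) if ch in "*()\\\x00" else ch
                   for ch in value)


def group_filter(calling_station_id, user_dn):
    """The groupmembership_filter from the post, values escaped, on one line."""
    mac = normalize_mac(calling_station_id) or ""
    return ("(|(&(objectClass=GroupOfMacaddrs)(member=%s))"
            "(&(objectClass=GroupOfNames)(member=%s)))"
            % (ldap_filter_escape(mac), ldap_filter_escape(user_dn or "")))


def ldap_groups(calling_station_id, user_dn):
    """Evaluate that filter against DIRECTORY: the cn of every group whose
    member attribute holds the normalised MAC or the user's DN."""
    mac = normalize_mac(calling_station_id)
    found = set()
    for dn, entry in DIRECTORY.items():
        cn = dn.split(",")[0].split("=", 1)[1]
        oc, members = entry["objectClass"], entry["member"]
        if "GroupOfMacaddrs" in oc and mac is not None and mac in members:
            found.add(cn)
        if "GroupOfNames" in oc and user_dn in members:
            found.add(cn)
    return found


def authorize(calling_station_id, user_dn=None):
    """The two "users" entries from the post as control attributes.

    A MAC in GoodMacs matches the first DEFAULT, Fall-Through = No stops
    processing and normal authentication proceeds (empty dict).  Everything
    else reaches the catch-all DEFAULT that sets Auth-Type := Reject.
    """
    if "GoodMacs" in ldap_groups(calling_station_id, user_dn):
        return {}
    return {"Auth-Type": "Reject", "Reply-Message": "your mac is unknown"}


if __name__ == "__main__":
    for csid in ("00-11-22-33-44-55", "0011.2233.4455",
                 "de:ad:be:ef:00:01", "*)(objectClass=*"):
        print("%-20s -> %s" % (csid, authorize(csid) or "continue"))
```

The two things the post's config leaves implicit are handled explicitly here: the MAC is canonicalised before the lookup (otherwise a switch that sends dashes never matches the colon form stored in the directory and every client is rejected), and the filter value is escaped so a crafted Calling-Station-Id cannot rewrite the group query.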