MAC authorisation (but not authentication) via LDAP
Phil Mayers
p.mayers at imperial.ac.uk
Sun Feb 25 16:14:15 CET 2007
Markus Krause wrote:
>
> but what if the Auth-Type is not set, for example in a perl module
> (btw, how can I set the auth-type? that would solve my problem here!).
> example:
> we (will) have a wlan which can be used by all our users known in ldap,
> and we have additional accounts saved in sql, which can be given to
> guests by our departments and research groups; these accounts are then
> valid for a fixed (preset) number of days since their first usage. to
> check this I wrote a small perl script which works. so for
> authorization I use in radiusd.conf:
I'm obviously not understanding what you're trying to do.
Auth-Type is meant solely to be a key that indicates to the server which
module to call in the "authenticate" section to execute the
authentication *algorithm*. The reason setting Auth-Type is so bad is
that it breaks the ability for the server to correctly detect the
algorithm and people don't understand why.
Disabling an account is not part of the authentication algorithm, and
should happen in the authorize section (ideally by setting the
Expiration attribute built into FreeRadius, but there are cases where
that's not applicable).
I assume you're using the "mpi-sta" module to do something like:
    def check(USERNAME, now, firstseen, VALIDTIME):
        if USERNAME not in firstseen:
            firstseen[USERNAME] = now          # first use starts the window
        elif now - firstseen[USERNAME] > VALIDTIME:
            return "reject"                    # window has closed
        return "ok"
In which case they'll just get rejected during authorize and the mpi-sta
module doesn't need to (and SHOULD NOT) appear in the authenticate section.
>
> ----- part of radiusd.conf
> authorization {
>     Autz-Type WLAN {
>         group {
>             mpi-sta {
>                 ok = return
>             }
>             redundant {
>                 LdapUser1
>                 LdapUser2
>             }
>         }
>     }
> }
>
> authentication {
>     Auth-Type WLAN {
>         mpi-sta {
>             notfound = 1
>         }
>         redundant {
>             LdapUser1
>             LdapUser2
>         }
>     }
> }
> ----
>
> the Auth-Type is set in users according to the huntgroup of the wlan-switch,
> as the perl script does not set auth-type (because I did not find any
> documentation on how to set it), so I had to force auth-type to WLAN;
> now it works.
It seems a very complicated way of doing something very simple - I
assume I am misunderstanding you.
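As an added illustration, not code from either poster, the following Python shows the authorize-section check Phil describes: a guest account's validity window starts at its first use, a later request inside the window is accepted, a request after it is rejected, and an unknown user is reported as not found so the LDAP modules can try. The guest table (`GUEST_ACCOUNTS`), the function name `authorize_guest` and the ISO 8601 timestamps are assumptions made for this example; a real rlm_perl or SQL module would read the same two fields from its own store. No Auth-Type is set anywhere, which is the point of the reply.

```python
from datetime import datetime, timedelta

# Constructed sample data: guest accounts keyed by username. In the mail this
# table lives in SQL; here it is an in-memory dict so the example runs offline.
# first_seen is None until the account is used for the first time.
GUEST_ACCOUNTS = {
    "guest-physics": {"valid_days": 7, "first_seen": None},
    "guest-chem":    {"valid_days": 3, "first_seen": datetime(2007, 2, 1, 9, 0)},
}


def authorize_guest(username, now_iso, accounts=GUEST_ACCOUNTS):
    """Authorize-section decision for fixed-window guest accounts.

    Returns a (decision, expires) pair where decision is one of
      "notfound" - user is not a guest account; let the LDAP modules try
      "ok"       - first use (window starts now) or still inside the window
      "reject"   - window has closed; the request never reaches authenticate
    and expires is the end of the window as an ISO 8601 string (None for
    notfound). The expiry is what you would copy into the Expiration
    attribute if the server's built-in check fits your setup.
    """
    now = datetime.fromisoformat(now_iso)
    acct = accounts.get(username)
    if acct is None:
        return "notfound", None

    # First successful lookup stamps the account; the window is measured
    # from that moment, not from the account's creation.
    if acct["first_seen"] is None:
        acct["first_seen"] = now

    expires = acct["first_seen"] + timedelta(days=acct["valid_days"])
    if now >= expires:
        return "reject", expires.isoformat()
    return "ok", expires.isoformat()


if __name__ == "__main__":
    for user in ("guest-physics", "guest-chem", "nobody"):
        print(user, authorize_guest(user, "2007-02-25T16:00:00"))
```

Because the decision is made in authorize, the module never needs a `notfound = 1` override in the authenticate section: a rejected guest is dropped before any authentication algorithm is chosen, and an accepted one falls through to whatever method the server detects from the request.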