(Solved) Re: MAC authorisation (but not authentication) via LDAP
Martin Whinnery
martin.whinnery at sbc.ac.uk
Sun Feb 25 21:05:09 CET 2007
Martin Whinnery wrote:
> Markus Krause wrote:
>
>> Zitat von Martin Whinnery <martin.whinnery at sbc.ac.uk>:
>>
>>
>>
>>> Hi.
>>>
>>> Probly just me not understanding...
>>>
>>> What I want is for our switches to only allow access to MAC addresses in
>>> our LDAP database.
>>>
>>> I don't want to store passwords on our LDAP host entries.
>>>
>>> I'm set up to check LDAP during authorisation, and it correctly returns
>>> authorised / not authorised depending on whether the appropriate
>>> attribute contains the right value.
>>>
>>> The trouble comes with authentication - either I set Auth-Type :=
>>> Accept, in which case any failed authorisation is overridden, or I allow
>>> authentication to carry on against LDAP (or System, or whatever), in
>>> which case it fails always and access is denied, even for authorised MACs.
>>>
>>> Is there a way to make the Authorisation part final and authoritative?
>>>
>>>
>>> As I say, probly just being stoopid.
>>>
>>>
>>> Mart
>>>
>>>
>>>
>>>
>> don't know if it is a good solution, but i just do this by setting the
>> following in radiusd.conf:
>>
>> authenticate {
>> ...
>> Auth-Type LdapMAC {
>> ok
>> }
>> ...
>> }
>>
>> the Auth-Type is set in users file depending on huntgroups:
>>
>> DEFAULT Huntgroup-Name == switch, Autz-Type := LdapMAC, Auth-Type := LdapMAC
>>
>> i assume there are better/smarter solutions as one can read "don't
>> set Auth-Type" on many places but it works here ;-)
>>
>> regards
>> markus
>>
>>
>>
> Thanks Markus,
>
> the problem seems to be that the authorisation pass returns "notfound",
> whereas I want it to "reject", as if it found an entry in LDAP without
> the appropriate attribute.
>
> Mart
>
>
This was exactly the problem. What I've done is created an exec module,
which checks for 'not found' in MODULE_FAILURE_MESSAGE, returning
non-zero if there's a match. So authorization *fails* rather than
succeeds with 'not found'.
I think.
Anyway, it works.
Thanks for all your help.
Mart
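As an added illustration (not code from this thread or from the FreeRADIUS project), one way to write the exec script Mart describes: rlm_exec with input_pairs = request exports request attributes as environment variables, so Module-Failure-Message arrives as MODULE_FAILURE_MESSAGE, and a non-zero exit turns the "not found" LDAP result into a reject in authorize. The script name, module name and the exact rlm_ldap message text are assumptions.

```shell
#!/bin/sh
# Hypothetical script /usr/local/bin/ldapmac_check.sh, called from the
# authorize section of radiusd.conf through an exec module such as:
#
#   exec ldapmac_check {
#       wait         = yes
#       program      = "/usr/local/bin/ldapmac_check.sh"
#       input_pairs  = request
#       output_pairs = none
#   }
#
# and listed in authorize { ... } after the ldap module, so that a MAC
# missing from the LDAP tree is rejected instead of falling through.

# Decide the authorize result from the LDAP module's failure message.
# Returns 0 (ok) when LDAP did not report "not found", 1 (reject) when
# it did. The message text checked ("not found") is the one the original
# poster matched on; treat it as an assumption for other rlm_ldap versions.
mac_autz_check() {
    msg="$1"
    case "$msg" in
        *"not found"*)
            # LDAP found no entry for this MAC: deny access.
            return 1
            ;;
        *)
            # No "not found" message: let the LDAP attribute check decide.
            return 0
            ;;
    esac
}

# When run by radiusd, the exit status of this last command becomes the
# script's exit status, which rlm_exec maps to ok (0) or reject (non-zero).
mac_autz_check "${MODULE_FAILURE_MESSAGE:-}"
```

A request whose LDAP lookup succeeded carries no "not found" message and passes through to the existing attribute-based authorisation.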