AW: AW: MAC authentification

Arran Cudbard-Bell A.Cudbard-Bell at sussex.ac.uk
Wed Oct 22 13:12:46 CEST 2008


Hi,

The scheme used almost universally for MAC-based authentication is
User-Name == Calling-Station-ID. Unfortunately, the formats of the two MAC
addresses often differ.

Here are the examples from our configuration to perform mac-based
authorisation.
---
authorize {

# Rewrite the Calling-Station-Id attribute into a standard format
# (hex digits only, '-' and ':' separators removed).
if("%{Calling-Station-Id}" =~ /^([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2,})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})/i){
	update request {
		Calling-Station-Id := "%{1}%{2}%{3}%{4}%{5}%{6}"
	}
}

# Rewrite User-Name the same way, so the two can be compared.
if("%{User-Name}" =~ /^([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2,})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})/i){
	update request {
		User-Name := "%{1}%{2}%{3}%{4}%{5}%{6}"
	}
}

# If User-Name matches Calling-Station-Id (case-insensitive),
# handle the request as MAC-based.
if("%{User-Name}" =~ /^%{Calling-Station-Id}$/i){
	update control {
		Autz-Type = 'mac-based'
	}
}

# Authorisation based on mac address
Autz-Type mac-based {
	# This is where you do your authorisation checks
	update control {
		Auth-Type := 'Accept'
	}
}

}

---

No, you don't need passwords; you force the server to send an
Access-Accept or Access-Reject packet based on your authorisation
policies for certain MAC addresses.


Thanks,
Arran


--
Arran Cudbard-Bell (A.Cudbard-Bell at sussex.ac.uk),
Authentication, Authorisation and Accounting Officer,
Infrastructure Services (IT Services),
E1-1-08, Engineering 1, University Of Sussex, Brighton, BN1 9QT
DDI+FAX: +44 1273 873900 | INT: 3900
GPG: 86FF A285 1AA1 EE40 D228 7C2E 71A9 25BB 1E68 54A2
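
The normalise-then-compare policy from the configuration above, modelled as an added Python example (not part of the original post and not FreeRADIUS code) so it can be checked against sample requests. It goes beyond the post's regex by also accepting the dotted form and by rejecting values with trailing characters or mixed separators; the `KNOWN_DEVICES` allow-list and the sample requests are constructed assumptions.

```python
import re

# Accepted spellings of one MAC address. The post's regex covers bare, '-' and ':'
# forms; the dotted form and the single-separator rule are assumptions added here.
_FORMATS = (
    re.compile(r"[0-9a-f]{2}([-:]?)[0-9a-f]{2}(?:\1[0-9a-f]{2}){4}", re.I),
    re.compile(r"[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}", re.I),
)

# Hypothetical allow-list standing in for "your authorisation checks".
KNOWN_DEVICES = {"001122aabbcc", "0011223344ff"}


def normalise_mac(value):
    """Return 12 lowercase hex digits, or None when value is not a whole MAC."""
    if not isinstance(value, str):
        return None
    value = value.strip()
    if not any(fmt.fullmatch(value) for fmt in _FORMATS):
        return None  # leading or trailing junk is rejected, not truncated
    return re.sub(r"[-:.]", "", value).lower()


def decide(request):
    """Return 'Access-Accept', 'Access-Reject', or None if not a MAC-auth request."""
    user = normalise_mac(request.get("User-Name"))
    station = normalise_mac(request.get("Calling-Station-Id"))
    # Plain equality on normalised strings: neither attribute is ever
    # interpreted as a regular expression.
    if user is None or station is None or user != station:
        return None  # leave the request to the other authentication methods
    return "Access-Accept" if station in KNOWN_DEVICES else "Access-Reject"


# Constructed sample requests (not captured traffic).
SAMPLES = [
    {"User-Name": "001122aabbcc", "Calling-Station-Id": "00-11-22-AA-BB-CC"},
    {"User-Name": "0011.2233.44ff", "Calling-Station-Id": "00:11:22:33:44:FF"},
    {"User-Name": "00-11-22-33-44-55", "Calling-Station-Id": "001122334455"},
    {"User-Name": "alice", "Calling-Station-Id": "00:11:22:AA:BB:CC"},
    {"User-Name": "00:11:22", "Calling-Station-Id": "00:11:22"},
]

if __name__ == "__main__":
    for req in SAMPLES:
        print(req["User-Name"], req["Calling-Station-Id"], "->", decide(req))
```

A request whose attributes fail normalisation returns `None` rather than a reject, mirroring the configuration's behaviour of only setting the MAC-based Autz-Type when the two values match.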