MAC authentication bypass --- How am I supposed to edit theusers file to include multiple MAC addresses??

Alan Buxey A.L.M.Buxey at lboro.ac.uk
Sun Dec 20 10:27:52 CET 2009


Hi,

> If I use AD or SQL, can I write a script to accomplish the logic I need so I don't have to type in each individual MAC as UN/PW in the database? It still sounds like I need to (for example in AD) manually input each of them in the database. Can you please give me details about how to implement it in this case?

for using AD - not without difficulty, because it will want both bits. You could
use FreeRADIUS itself and a bit of unlang... for example.

If you really don't care about the actual MAC address, you could
use unlang to check that it's a MAC address and that it's come from a particular group of
switches, e.g. something like

authorize {

	# MAB request: User-Name is a bare MAC (exactly 12 hex digits, anchored so
	# a longer or non-hex name cannot slip through) and the request came from
	# a NAS listed in the MAB-switches huntgroup (Huntgroup-Name is checked
	# against raddb/huntgroups by the preprocess module)
	if ("%{User-Name}" =~ /^[0-9a-f]{12}$/i && Huntgroup-Name == "MAB-switches") {
		update control {
			Auth-Type := MAB
		}
		ok = return
	}

}

authenticate {

	# accept anything that authorize already tagged as MAB
	Auth-Type MAB {
		ok
	}

}

you can then add the bits into unlang for post-auth for returning the correct VLAN.

with older MAB you could do a simple User-Name == Cleartext-Password - but with MD5 now
in play I think you then enter the world of PERL or python on the FR box to deal with that.


PS my example was just roughly typed up - there may well be errors, and it'll only work
if you've got e.g.

MAB-switches NAS-IP-Address == 172.16.1.4
MAB-switches NAS-IP-Address == 172.16.1.5
MAB-switches NAS-IP-Address == 172.16.1.6

in the raddb/huntgroups file (and ensure the preprocess module is called before the unlang
in the authorize section!)

alan
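The original question was how to get many MAC addresses into the users file without typing each one. The script below is an added example, not code from Alan's reply or from the FreeRADIUS project: it reads a constructed inventory file ("<mac> <vlan>" per line, MACs in whatever separator style people tend to type), normalises each MAC to the 12-hex-digit form a switch sends as User-Name for MAB, applies the same "exactly 12 hex digits" test as the unlang above, and emits users-file entries where the MAC is both User-Name and Cleartext-Password (the older MAB check) with the standard RFC 3580 VLAN reply attributes. Lines that are not a MAC plus a numeric VLAN are reported rather than silently dropped, and a device listed twice produces one entry.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample inventory (not from the mailing list post): one device
# per line as "<mac> <vlan>", in the mixed notations people actually type.
SAMPLE_INVENTORY = """\
# printers
00:11:22:33:44:55 20
0011.2233.4455    20
# cameras
00-AA-bb-CC-dd-EE 30
not-a-mac         40
"""

# Same test the unlang example applies to User-Name: exactly 12 hex digits.
MAC_RE = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(raw: str) -> Optional[str]:
    """Strip ':' '-' '.' separators and lowercase, returning the 12-hex-digit
    form a switch sends as User-Name for MAB, or None if it is not a MAC."""
    mac = re.sub(r"[:.\-]", "", raw).lower()
    return mac if MAC_RE.match(mac) else None


def parse_inventory(inventory: str) -> Tuple[Dict[str, int], List[str]]:
    """Return ({mac: vlan}, [rejected lines]).

    A line is rejected unless it is exactly "<mac> <vlan>" with a valid MAC
    and a numeric VLAN. The same MAC written twice (in any notation) keeps
    the first VLAN seen, so the users file never has two entries per device.
    """
    devices: Dict[str, int] = {}
    rejected: List[str] = []
    for line in inventory.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        mac = normalize_mac(parts[0])
        if len(parts) != 2 or mac is None or not parts[1].isdigit():
            rejected.append(line)
            continue
        devices.setdefault(mac, int(parts[1]))
    return devices, rejected


def users_entry(mac: str, vlan: int) -> str:
    """One FreeRADIUS users-file entry: the MAC is both User-Name and
    Cleartext-Password, and the reply carries the RFC 3580 VLAN attributes
    (Tunnel-Type, Tunnel-Medium-Type, Tunnel-Private-Group-Id)."""
    return (
        f'{mac}\tCleartext-Password := "{mac}"\n'
        f"\tTunnel-Type = VLAN,\n"
        f"\tTunnel-Medium-Type = IEEE-802,\n"
        f'\tTunnel-Private-Group-Id = "{vlan}"\n'
    )


def render_users_file(devices: Dict[str, int]) -> str:
    """Render all entries, sorted by MAC so regenerated files diff cleanly."""
    return "\n".join(users_entry(mac, vlan) for mac, vlan in sorted(devices.items()))


if __name__ == "__main__":
    found, bad = parse_inventory(SAMPLE_INVENTORY)
    print(render_users_file(found))
    for line in bad:
        print(f"# rejected: {line}")
```

Run it and paste the output into raddb/users (or redirect it into a file that your `users` module points at); the rejected lines print as comments at the end so a typo in the inventory is visible instead of turning into a device that can never authenticate.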


