Storing user MAC address after first auth

Arran Cudbard-Bell A.Cudbard-Bell at sussex.ac.uk
Thu May 7 13:30:21 CEST 2009


On 7/5/09 10:18, Tomas Mecir wrote:
> Greetings !
>
> I have the following situation here that I'd like to ask for some
> assistance with, if possible:
>
> My client has a RADIUS server installed (running freeRADIUS 2.0.5),
> and routers working as hotspots that users can connect to. Users can
> authorize against the RADIUS server using a name/password combination,
> which is stored in a MySQL database (using the rlm_sql module and the
> Cleartext-Password attribute in the radcheck table). This part works
> correctly.
>
> Now, my client wants an extra check to be added which would allow each
> user to login only from a specific MAC address, which can be different
> for each user, and which is obtained when the user logs in for the
> first time. Checking the MAC address is easy, as the hotspot is
> sending the MAC address in the Calling-Station-Id attribute that I
> could easily store in the radcheck table as well - but the problem is
> that this MAC address is not known when the name/password pair is
> being added to the radcheck table, and I am to make it so that when
> the user is successfully authorized for the first time, there is no
> MAC check, but the user's current MAC address is remembered on the
> server, and further logins are only permitted from that MAC address.
>
> So, I am thinking that the best solution would be to have the RADIUS
> server add a new "(username), 'Calling-Station-Id', '=', (user's MAC)"
> entry to the radcheck table, right after a successful SQL auth step,
> if such an entry isn't yet in the table.
>
> And my question is - is there a way to accomplish this with existing
> FreeRADIUS modules, or do I need to implement my own module to do this
> ?

You can do it with the policy language. But you'll need to upgrade to 
the latest version of the server.

I've attached an example (so my mail client doesn't wrap it). Make sure 
you've defined always instances 'noop' and 'updated'.


Regards,
Arran
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


-- 
Arran Cudbard-Bell (A.Cudbard-Bell at sussex.ac.uk),
Authentication, Authorisation and Accounting Officer,
Infrastructure Services (IT Services),
E1-1-08, Engineering 1, University Of Sussex, Brighton, BN1 9QT
DDI+FAX: +44 1273 873900 | INT: 3900
GPG: 86FF A285 1AA1 EE40 D228 7C2E 71A9 25BB 1E68 54A2
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: unlang_snippet.txt
URL: <http://lists.freeradius.org/pipermail/freeradius-users/attachments/20090507/da6e8e91/attachment.txt>


More information about the Freeradius-Users mailing list