Verify certificate <-> mac mapping in openldap..

Christ Schlacta lists at
Tue Dec 21 00:39:01 CET 2010

so I've done some research, looking at how freeradius works now, it 
manages to identify hostnames from certificates which are issued to a 
given host, blah blah blah.  suffice it to say when "lain" 
authenticates, it knows it's lain.  I want to make sure that lain's MAC 
address matches what I know lain's mac address to be.  more importantly, 
if lain's mac address isn't known, I'd like it to log the mac address 
(which it does now already) and NOT give an error.  Also, I'd like to be 
able to shove hosts into groups, such as "disabled".

I need advice on just what information needs to be stored in openldap, 
and just which changes need to be made to freeradius.

I've done a little independent research, and I think I can use a 
definition for a host as a "device" with a cn, and an "ieee802Device" 
with a mac address.  I can create a group of unique names, or is there 
some other mechanism I have to use for groups to work with freeradius?  
will this scheme work with freeradius?  is there some better, more 
established standard to store this mapping of hostname from certificate 
to mac address?

and last, but not least, what do I have to do to make sure that an 
absence of mac address doesn't trigger a failure, but the presence of a 
wrong mac address does?

More information about the Freeradius-Users mailing list