Verify certificate <-> mac mapping in openldap..

Alan DeKok aland at
Tue Dec 21 10:37:09 CET 2010

Christ Schlacta wrote:
> so I've done some research, looking at how freeradius works now, it
> manages to identify hostnames from certificates which are issued to a
> given host, blah blah blah.  suffice it to say when "lain"
> authenticates, it knows it's lain.  I want to make sure that lain's MAC
> address matches what I know lain's mac address to be.  more importantly,
> if lain's mac address isn't known, I'd like it to log the mac address
> (which it does now already) and NOT give an error.  Also, I'd like to be
> able to shove hosts into groups, such as "disabled".

  That can be done.

> I need advice on just what information needs to be stored in openldap,

  MAC addresses?

> and just which changes need to be made to freeradius.

  You need to write down the exact set of steps required to implement
the above policy.  What is in a packet?  How is that information used?
Where are the known MAC addresses?  Where are the groups stored?  What
information is used to look up the groups?

  The overwhelming majority of issues people see when creating policies
are due to poor specifications.  The more detailed the specification,
the more successful you will be.

> I've done a little independent research, and I think I can use a
> definition for a host as a "device" with a cn, and an "ieee802Device"
> with a mac address.  I can create a group of unique names, or is there
> some other mechanism I have to use for groups to work with freeradius?

  See the rlm_ldap documentation for how it handles groups.  They're
usually based on User-Names.

  If you want a *different* kind of grouping, you'll have to create it.

> will this scheme work with freeradius?  is there some better, more
> established standard to store this mapping of hostname from certificate
> to mac address?

  Databases.  SQL, LDAP, whatever.  This isn't a RADIUS issue:

Q: given X, how do I look up Y?
A: put X and Y into a DB, and write a DB query to use X to look up Y.

> and last, but not least, what do I have to do to make sure that an
> absence of mac address doesn't trigger a failure, but the presence of a
> wrong mac address does?

  Write the policy for that.  The MAC address is stored in the
Calling-Station-Id attribute.  So... "if the Calling-Station-Id exists,
do MAC lookups.  Otherwise, don't"

  Alan DeKok.
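The policy sketched in this reply, written out as an added FreeRADIUS unlang example (this is not code from the thread or from the FreeRADIUS project). It assumes a module instance named "ldap", host entries under ou=hosts,dc=example,dc=com whose cn equals the certificate's common name and whose macAddress holds the known MAC, and that the NAS sends Calling-Station-Id in the same format as the stored value; all of those names and the base DN are assumptions.

```unlang
# Added example (not from the original thread).  Assumed layout: each host is a
# "device" + "ieee802Device" entry under ou=hosts,dc=example,dc=com with
# cn = certificate CN and macAddress = the known MAC.  Module instance: "ldap".
post-auth {
    # Only apply the MAC policy when EAP-TLS has identified the host by its cert.
    if (TLS-Client-Cert-Common-Name) {

        # Hosts placed in the "disabled" group are refused regardless of MAC.
        # (Ldap-Group membership is resolved from the User-Name, as noted above.)
        if (Ldap-Group == "disabled") {
            reject
        }

        # Fetch the macAddress recorded for the host named by the certificate CN.
        update request {
            Tmp-String-0 := "%{ldap:ldap:///ou=hosts,dc=example,dc=com?macAddress?sub?(cn=%{TLS-Client-Cert-Common-Name})}"
        }

        if (!Calling-Station-Id) {
            # The NAS sent no MAC: nothing to compare, so allow and rely on logging.
            ok
        }
        elsif (!Tmp-String-0) {
            # Host is known by certificate but no MAC is recorded yet: allow.
            ok
        }
        elsif ("%{Tmp-String-0}" != "%{Calling-Station-Id}") {
            # A MAC is recorded and it differs from the one presented: fail.
            reject
        }
    }
}
```

Because the comparison is a plain string test, the stored macAddress and the value the NAS puts in Calling-Station-Id must use the same separator and case, or the lookup will reject known hosts.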
