Verify certificate <-> mac mapping in openldap..

Christ Schlacta lists at
Tue Dec 21 23:03:52 CET 2010

I read most of what you said, and spent a few hours with the wifi "down 
for maintenance" while no one was on, and got it working.  It now 
authenticates macAddress == Calling-Station-Id when the mac is 
available, and doesn't fail when it's not available, and works when it 
is available.  There's only one thing I didn't think of that needs changing:

I want to be able to also say "If there's no rdn for this hostname (i.e. 
user isn't found at all in the directory) then the auth should fail."  
There's no one entry that's guaranteed to exist though.  host, 
description, macAddress, and owner are all common, but every device is 
missing one or more of them :(  I can't think of any other way to ensure 
that a user is found.

On 12/21/2010 01:37, Alan DeKok wrote:
> Christ Schlacta wrote:
>> So I've done some research, looking at how freeradius works now, it
>> manages to identify hostnames from certificates which are issued to a
>> given host, blah blah blah.  Suffice it to say when "lain"
>> authenticates, it knows it's lain.  I want to make sure that lain's MAC
>> address matches what I know lain's mac address to be.  More importantly,
>> if lain's mac address isn't known, I'd like it to log the mac address
>> (which it does now already) and NOT give an error.  Also, I'd like to be
>> able to shove hosts into groups, such as "disabled".
>    That can be done.
>> I need advice on just what information needs to be stored in openldap,
>    MAC addresses?
>> and just which changes need to be made to freeradius.
>    You need to write down the exact set of steps required to implement
> the above policy.  What is in a packet?  How is that information used?
> Where are the known MAC addresses?  Where are the groups stored?  What
> information is used to look up the groups?
>    The overwhelming majority of issues people see when creating policies
> are due to poor specifications.  The more detailed the specification,
> the more successful you will be.
>> I've done a little independent research, and I think I can use a
>> definition for a host as a "device" with a cn, and an "ieee802Device"
>> with a mac address.  I can create a group of unique names, or is there
>> some other mechanism I have to use for groups to work with freeradius?
>    See the rlm_ldap documentation for how it handles groups.  They're
> usually based on User-Names.
>    If you want a *different* kind of grouping, you'll have to create it
> yourself.
>> Will this scheme work with freeradius?  Is there some better, more
>> established standard to store this mapping of hostname from certificate
>> to mac address?
>    Databases.  SQL, LDAP, whatever.  This isn't a RADIUS issue:
> Q: given X, how do I look up Y?
> A: put X and Y into a DB, and write a DB query to use X to look up Y.
>> and last, but not least, what do I have to do to make sure that an
>> absence of mac address doesn't trigger a failure, but the presence of a
>> wrong mac address does?
>    Write the policy for that.  The MAC address is stored in the
> Calling-Station-Id attribute.  So... "if the Calling-Station-Id exists,
> do MAC lookups.  Otherwise, don't"
>    Alan DeKok.
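The policy the thread converges on (reject when the certificate hostname has no directory entry at all, skip the MAC check when Calling-Station-Id is absent, reject on a mismatch, honour a "disabled" group) written out as a small Python model, added here as an illustration and not the poster's FreeRADIUS configuration. It assumes a constructed in-memory directory in place of OpenLDAP; the point is that the "does this host exist" test is on the entry itself, not on any one attribute, and that the MAC from the NAS must be normalised before comparing it with LDAP's macAddress.

```python
import re

# Constructed sample directory: certificate hostname -> LDAP-style attributes.
# Entries deliberately lack different attributes, as described in the post.
DIRECTORY = {
    "lain":  {"macAddress": ["00:1a:2b:3c:4d:5e"], "owner": "cn=someone"},
    "navi":  {"description": "laptop"},                 # no macAddress stored
    "lain2": {"macAddress": ["aa:bb:cc:dd:ee:ff"], "memberOf": ["disabled"]},
}

def normalize_mac(raw):
    """Canonicalise a MAC to lowercase colon form. NASes send Calling-Station-Id
    as 00-1A-2B-3C-4D-5E, 001a2b3c4d5e, 001A.2B3C.4D5E, etc.; LDAP's
    macAddress attribute is normally 00:1a:2b:3c:4d:5e. Returns None if the
    value does not contain exactly 12 hex digits."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", raw).lower()
    if len(hexdigits) != 12:
        return None
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))

def authorize(hostname, calling_station_id, directory=DIRECTORY):
    """Return (decision, reason) for a client identified by its certificate
    hostname. calling_station_id is None when the NAS did not send one."""
    entry = directory.get(hostname)
    if entry is None:
        # Existence is tested on the entry (DN), not on any single attribute,
        # since no attribute is guaranteed to be present on every device.
        return ("reject", "no directory entry for host")
    if "disabled" in entry.get("memberOf", []):
        return ("reject", "host is in group disabled")
    if calling_station_id is None:
        return ("accept", "no Calling-Station-Id; MAC check skipped")
    seen = normalize_mac(calling_station_id)
    if seen is None:
        return ("reject", "unparseable Calling-Station-Id")
    known = [normalize_mac(m) for m in entry.get("macAddress", [])]
    if not known:
        # Known host with no stored MAC: log what was seen, do not fail.
        return ("accept", "MAC %s logged; none stored for host" % seen)
    if seen in known:
        return ("accept", "MAC matches directory")
    return ("reject", "MAC %s does not match directory" % seen)

if __name__ == "__main__":
    for host, mac in [("lain", "00-1A-2B-3C-4D-5E"), ("lain", "001122334455"),
                      ("navi", None), ("ghost", None), ("lain2", "aabbccddeeff")]:
        print(host, mac, "->", authorize(host, mac))
```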
