Combining ntlm_auth and mac address verification in freeradius
Phil Mayers
p.mayers at imperial.ac.uk
Fri Oct 15 10:09:43 CEST 2010
On 10/15/2010 08:06 AM, Langen Mike wrote:
> Hi there.
>
> I’ve got the problem that I want to combine active directory
> authentication with mac address verification, so that only users whose
> hardware is listed in a text file or similar can log in.
>
> In the whole world wide web I didn’t find a hint on how to combine multiple
> authentication methods in series.
Really?
MAC "authentication" is really just a key/value lookup. You don't need
to "combine two types of authentication" - just do a lookup of user->mac
before doing mschap.
You haven't said, but I'm going to assume you're using 802.1x, with
PEAP/MS-CHAP via ntlm_auth.
In which case, you want something like this:
in eap.conf:

  eap {
    ...
    peap {
      ...
      # copy the outer request's attributes (Calling-Station-Id included)
      # into the inner tunnel request, where the MS-CHAP auth happens
      copy_request_to_tunnel = yes
    }
  }

in sites-enabled/inner-tunnel:

  authorize {
    ...
    # now lookup user/mac
    # do e.g. an SQL lookup (the quoted xlat must stay on one line)
    update request {
      Tmp-Integer-0 := "%{sql:select 1 from allowed where username='%{SQL-User-Name}' and mac='%{Calling-Station-Id}'}"
    }
    # no matching row means no "1" comes back, so the check below fails
    if (Tmp-Integer-0 == 1) {
      # this combination is allowed
    }
    else {
      # this one is not
      reject
    }
  }

Obviously you'll need to have configured SQL and created the lookup
table for the above example to work. You could also do this with
"rlm_passwd", LDAP or even a "users" file. You'll need to be a bit more
specific about your requirements if you want advice on that.
>
> One possibility, but there I didn’t find anything at all, seems to be
> using the perl module. Is it possible to run a perl script before
> ntlm_auth takes place?
>
> Thanks for your answer.
>
> Greetings from Switzerland.
>
> Mike
>
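The "users" file variant Phil mentions, written out as an added example (constructed entries, not from the thread). It assumes the inner-tunnel authorize section calls the files module, that copy_request_to_tunnel = yes is set so Calling-Station-Id reaches the inner request, and that the NAS sends MACs in the aa-bb-cc-dd-ee-ff form:

```text
# users file (rlm_files), read by "files" in sites-enabled/inner-tunnel authorize.
# Constructed entries for illustration; put real usernames and MACs here.
# MAC formatting depends on the NAS (aa-bb-cc-dd-ee-ff, aa:bb:cc:dd:ee:ff,
# aabb.ccdd.eeff all occur), so match the form seen in radiusd -X output.

# one user, one machine: an exact check item on the inner request
bob     Calling-Station-Id == "00-11-22-33-44-55"

# one user, several machines: a regex check item
alice   Calling-Station-Id =~ "^(00-11-22-33-44-66|00-11-22-33-44-77)$"

# any user/MAC pair not matched above is not on the list.
# ":=" overrides whatever mschap set, so ntlm_auth never runs for it;
# matched entries above set no Auth-Type and go on to MS-CHAP as normal.
DEFAULT Auth-Type := Reject
        Reply-Message = "User/MAC combination not registered"
```

Entries are tried top to bottom and the first match without Fall-Through wins, so the DEFAULT line only ever applies to pairs that matched nothing before it.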