Freeradius 2.1.10: authentication (uid and password) or (macaddress)? in LDAP
Alexander Clouter
alex at digriz.org.uk
Thu Jul 7 21:26:38 CEST 2011
Maciej Łukasz Wojszkun <maciej.wojszkun at blstream.com> wrote:
>
> Can somebody tell me how I should configure freeradius to authenticate
> in order (all is in openldap):
>
> check mac-address in ldap
> if exist
> authenticate computer
> else
> authenticate with uid/password
>
> or
>
> try to authenticate using macaddress
> if rejected - try to authenticate via uid/password
>
The complication comes in as the initial authentication can be an EAP
(802.1X) or a MAC-auth request. You cannot do MAC-auth on an EAP
request and pass back Access-Accept immediately... the client will get
confused and probably just keep hammering your RADIUS server to
authenticate.

On a wired socket, with Cisco kit at least, you do get the option to try
a MAC-auth first, and if the RADIUS server comes back with Access-Reject
then the switch will move into 802.1X which works *very* well.

You have not stated if you want to do this on a wired or wireless
connection. You have not actually stated if 802.1X is even involved and
that this could just be a web portal.

At my workplace (a medium-sized university) we store all our MAC
addresses in LDAP and it works well for us. If the MAC address is not
'registered' then the client has to use an 802.1X authentication.

Cheers
--
Alexander Clouter
.sigmonster says: When you don't know what to do, walk fast and look worried.
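
The decision order described in the reply above, modelled as an added Python example (not code from the post or from FreeRADIUS). The in-memory `REGISTERED_MACS` set stands in for the LDAP lookup, and the function names, the `"password"` outcome for non-EAP requests that are not MAC-auth, and the sample attribute values are assumptions constructed for illustration.

```python
import re

# Constructed registry standing in for the LDAP directory of registered MACs.
REGISTERED_MACS = {"00:11:22:aa:bb:cc"}


def normalize_mac(value):
    """Return aa:bb:cc:dd:ee:ff for common NAS formats, or None if not a MAC."""
    digits = re.sub(r"[-:.]", "", value or "").lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        return None
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def decide(request, registered=REGISTERED_MACS):
    """Classify one Access-Request, given as a dict of RADIUS attributes.

    Returns "eap", "accept", "reject" or "password" (hypothetical labels).
    """
    # An EAP (802.1X) request must run the EAP conversation. Answering it
    # with an immediate Access-Accept because the MAC is known confuses
    # the supplicant, so the MAC lookup is never consulted here.
    if "EAP-Message" in request:
        return "eap"

    mac = normalize_mac(request.get("Calling-Station-Id"))
    # MAC-auth: the NAS sends the station's MAC address as the User-Name.
    if mac and normalize_mac(request.get("User-Name")) == mac:
        # Rejecting an unregistered MAC lets a switch that tries MAC-auth
        # first move on to 802.1X for that port.
        return "accept" if mac in registered else "reject"

    # Assumption: any other non-EAP request (e.g. from a web portal)
    # goes to the ordinary uid/password check.
    return "password"


if __name__ == "__main__":
    samples = [  # constructed requests
        {"User-Name": "001122aabbcc", "Calling-Station-Id": "00-11-22-AA-BB-CC"},
        {"User-Name": "deadbeef0001", "Calling-Station-Id": "DE-AD-BE-EF-00-01"},
        {"User-Name": "alice", "EAP-Message": b"\x02\x00",
         "Calling-Station-Id": "00-11-22-AA-BB-CC"},
    ]
    for req in samples:
        print(req["User-Name"], "->", decide(req))
```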