Mac Auth against LDAP
Nikolaos Milas
nmilas at noa.gr
Wed Aug 14 12:02:10 CEST 2013
Hi,
I am using FreeRadius v2.2.0 on CentOS 6.4 x86_64.
I am trying to adapt Plain Mac-Auth as described at:
http://wiki.freeradius.org/guide/Mac-Auth to work from LDAP.
(Note: The server is also used for eduroam and is going to be used for
802.1x too.)
My setup follows below.
The questions:
--------------
1. Should I also define the value:
# access_attr
...for correct results?
2. Can I test this using radtest (since I am not using user/password for
this query)?
3. Any other suggestions?
--------------
The setup:
ldap ldap_macauth {
        server = "localhost"
        identity = "uid=binduser,ou=System,dc=example,dc=com"
        password = "bindpasswd"
        basedn = "ou=Nodes,dc=example,dc=com"
        # look the device up by the MAC carried in Calling-Station-Id
        # (normalised to lower-case, colon-separated form first)
        filter = "(macAddress=%{Calling-Station-Id})"
        start_tls = no
        dictionary_mapping = ${raddbdir}/ldap.attrmap
        ldap_connections_number = 2
        timeout = 4
        timelimit = 3
        net_timeout = 1
}
and I have a test entry:
dn: cn=hostABC,ou=Nodes,dc=example,dc=com
cn: hostABC
macAddress: 00:24:8b:3c:d1:db
objectClass: device
objectClass: ieee802Device
objectClass: top
ou: tech
owner: uid=johndoe,ou=people,dc=example,dc=com
l: Main Site
I have preferred to set:
rewrite_calling_station_id {
        if (Calling-Station-Id =~ /([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})/i) {
                update request {
                        Calling-Station-Id := "%{tolower:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}}"
                }
        }
        else {
                noop
        }
}
and in sites-enabled/default:
authorize {
        preprocess
        chap
        mschap
        digest
        suffix
        eap {
                ok = return
        }
        files
        ldap_macauth
        if (!ok) {
                reject
        }
        else {
                # accept
                update control {
                        Auth-Type := Accept
                }
        }
        expiration
        logintime
        pap
}
Thanks and regards,
Nick
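The following is an added illustration, not code from the post or from FreeRADIUS. It models in Python what the posted rewrite_calling_station_id policy and the ldap_macauth filter do to a Calling-Station-Id: the posted regex is reproduced unanchored (as written) and beside an anchored variant, the resulting value is escaped per RFC 4515 before being placed in an LDAP assertion, and a small lookup stands in for the ou=Nodes search. The NODES table and the function names (rewrite_as_posted, normalize_mac, ldap_filter_escape, build_filter, authorize) are assumptions made for this example.

```python
import re
from typing import Optional

# Constructed stand-in for the ou=Nodes subtree (MAC -> DN); not real data.
NODES = {
    "00:24:8b:3c:d1:db": "cn=hostABC,ou=Nodes,dc=example,dc=com",
}

# The six-octet pattern from the posted policy (two hex digits, optional - or :).
_SEXTET = r"([0-9a-f]{2})[-:]?" * 5 + r"([0-9a-f]{2})"
# Exactly as posted: unanchored, so it also fires on any longer string that
# merely contains a run of 12 hex digits somewhere inside it.
UNANCHORED_RE = re.compile(_SEXTET, re.IGNORECASE)
# Anchored variant: the whole Calling-Station-Id must be one MAC address.
ANCHORED_RE = re.compile(r"^" + _SEXTET + r"$", re.IGNORECASE)


def rewrite_as_posted(calling_station_id: str) -> Optional[str]:
    """Mimic the posted policy: first 12-hex-digit run, lower-cased, colon-separated."""
    m = UNANCHORED_RE.search(calling_station_id)
    return None if m is None else ":".join(g.lower() for g in m.groups())


def normalize_mac(calling_station_id: str) -> Optional[str]:
    """Anchored version: return the canonical MAC or None for anything else."""
    m = ANCHORED_RE.match(calling_station_id)
    return None if m is None else ":".join(g.lower() for g in m.groups())


def ldap_filter_escape(value: str) -> str:
    """Escape an assertion value as RFC 4515 section 3 requires."""
    return "".join(
        "\\%02x" % ord(ch) if ch in "*()\\\x00" else ch for ch in value
    )


def build_filter(calling_station_id: str) -> Optional[str]:
    """Build the (macAddress=...) filter, or None if the input is not a MAC."""
    mac = normalize_mac(calling_station_id)
    return None if mac is None else "(macAddress=%s)" % ldap_filter_escape(mac)


def authorize(calling_station_id: str) -> str:
    """Simulated authorize section: directory hit -> Accept, miss -> Reject."""
    mac = normalize_mac(calling_station_id)
    if mac is None or mac not in NODES:
        return "Reject"
    return "Accept"


if __name__ == "__main__":
    # Constructed inputs: switch-style, Cisco dotted, junk with an embedded MAC, a wildcard.
    for csid in ("00-24-8B-3C-D1-DB", "0024.8b3c.d1db", "x00248b3cd1dbx", "*"):
        print(csid, rewrite_as_posted(csid), normalize_mac(csid),
              build_filter(csid), authorize(csid))
```

Two things the run makes visible: a dotted Cisco-style MAC (0024.8b3c.d1db) is not matched by the posted regex at all, so it reaches the LDAP filter unchanged, and because the posted regex is unanchored a value such as x00248b3cd1dbx is rewritten to a valid-looking MAC, which the anchored variant rejects. Whatever FreeRADIUS does with the value, anything interpolated into a filter should only ever reach it in the escaped form ldap_filter_escape produces.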