Mac Auth against LDAP

Nikolaos Milas nmilas at noa.gr
Wed Aug 14 12:02:10 CEST 2013


Hi,

I am using FreeRadius v2.2.0 on CentOS 6.4 x86_64.

I am trying to adapt Plain Mac-Auth as described at: 
http://wiki.freeradius.org/guide/Mac-Auth to work from LDAP.

(Note: The server is also used for eduroam and is going to be used for 
802.1x too.)

My setup follows below.

The questions:
--------------
1. Should I also define the value:
         # access_attr
...for correct results?

2. Can I test this using radtest (since I am not using user/password for 
this query)?

3. Any other suggestions?
--------------

The setup:

ldap ldap_macauth {
         server = "localhost"
         identity = "uid=binduser,ou=System,dc=example,dc=com"
         password = "bindpasswd"
         basedn = "ou=Nodes,dc=example,dc=com"
         filter = "(macAddress=%{Calling-Station-Id})"
         start_tls = no
         dictionary_mapping = ${raddbdir}/ldap.attrmap
         ldap_connections_number = 2
         timeout = 4
         timelimit = 3
         net_timeout = 1
}

and I have a test entry:

dn: cn=hostABC,ou=Nodes,dc=example,dc=com
cn: hostABC
macAddress: 00:24:8b:3c:d1:db
objectClass: device
objectClass: ieee802Device
objectClass: top
ou: tech
owner: uid=johndoe,ou=people,dc=example,dc=com
l: Main Site

I have preferred to set:

rewrite_calling_station_id {
        if (Calling-Station-Id =~ /([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})/i) {
                update request {
                        Calling-Station-Id := "%{tolower:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}}"
                }
        }
        else {
                noop
        }
}

and in sites-enabled/default:

authorize {
        preprocess
        chap
        mschap
        digest
        suffix
        eap {
                ok = return
        }
        files
        ldap_macauth
        if (!ok) {
                reject
        }
        else {
                # accept
                update control {
                        Auth-Type := Accept
                }
        }
        expiration
        logintime
        pap
}

Thanks and regards,
Nick
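Editor's added example (not code from the thread or from FreeRADIUS): a stand-alone model of the authorize flow posted above, so the decision logic can be exercised offline before touching the live server. It applies the same six-octet regex as rewrite_calling_station_id (anchored here, which is this example's own choice, not the posted policy's behaviour), lower-cases and colon-joins the result, escapes it per RFC 4515 before building the `(macAddress=...)` filter, and looks it up in a constructed in-memory stand-in for ou=Nodes holding the hostABC entry from the post. The `authorize()`, `normalize_mac()`, `ldap_escape()` and `ldap_search()` names, and the hypothetical DIRECTORY dict, are this example's own. The point it makes: a Calling-Station-Id that is not a bare MAC never reaches the LDAP filter, a MAC with no entry yields notfound and therefore reject, and even a literal `*` or `)` in the assertion value is matched as text, not as LDAP filter syntax.

```python
import re
from typing import Dict, List, Optional, Tuple

# Same pattern as the posted rewrite_calling_station_id policy, with ^...$ anchors
# added (example's own choice) so only a complete 6-octet MAC is accepted, in
# aa:bb:cc:dd:ee:ff, aa-bb-cc-dd-ee-ff or aabbccddeeff form, any case.
MAC_RE = re.compile(
    r"^([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?"
    r"([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})$",
    re.IGNORECASE,
)


def normalize_mac(calling_station_id: str) -> Optional[str]:
    """Mirror of the policy: canonical lower-case colon form, or None if no match."""
    m = MAC_RE.match(calling_station_id)
    if not m:
        return None
    return ":".join(g.lower() for g in m.groups())


# RFC 4515 section 3: characters that are special in a filter assertion value.
_LDAP_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def ldap_escape(value: str) -> str:
    """Escape a value so it is matched literally inside an LDAP search filter."""
    return "".join(_LDAP_ESCAPES.get(c, c) for c in value)


def build_filter(mac: str) -> str:
    """Equivalent of filter = "(macAddress=%{Calling-Station-Id})" after expansion."""
    return "(macAddress=%s)" % ldap_escape(mac)


# Constructed stand-in for ou=Nodes,dc=example,dc=com: the test entry from the post.
DIRECTORY: Dict[str, Dict[str, List[str]]] = {
    "cn=hostABC,ou=Nodes,dc=example,dc=com": {
        "cn": ["hostABC"],
        "macAddress": ["00:24:8b:3c:d1:db"],
        "owner": ["uid=johndoe,ou=people,dc=example,dc=com"],
    },
}

_EQUALITY_FILTER_RE = re.compile(r"^\((\w+)=(.*)\)$")


def ldap_unescape(assertion: str) -> str:
    """Reverse RFC 4515 escaping (\\xx hex pairs back to characters)."""
    return re.sub(r"\\([0-9a-fA-F]{2})",
                  lambda m: chr(int(m.group(1), 16)), assertion)


def ldap_search(directory: Dict[str, Dict[str, List[str]]],
                filter_str: str) -> List[str]:
    """Toy equality-filter search: returns DNs whose attribute equals the value.

    An equality match compares the unescaped assertion value literally, so an
    escaped '*' does not act as a wildcard and an escaped ')' cannot close the
    filter early; only this one filter shape is supported.
    """
    m = _EQUALITY_FILTER_RE.match(filter_str)
    if not m:
        raise ValueError("unsupported filter: %r" % filter_str)
    attr, assertion = m.groups()
    wanted = ldap_unescape(assertion)
    return [dn for dn, entry in directory.items()
            if wanted in entry.get(attr, [])]


def authorize(calling_station_id: str,
              directory: Dict[str, Dict[str, List[str]]] = DIRECTORY
              ) -> Tuple[str, str]:
    """Model of the posted authorize section for a MAC-auth request.

    Returns ("accept", dn) when ldap_macauth finds the device, otherwise
    ("reject", reason) just as the `if (!ok) { reject }` branch does.
    """
    mac = normalize_mac(calling_station_id)
    if mac is None:
        # Policy did not rewrite it; a non-MAC value never reaches the filter.
        return ("reject", "Calling-Station-Id is not a MAC address")
    matches = ldap_search(directory, build_filter(mac))
    if not matches:
        return ("reject", "notfound")   # ldap returned notfound, so !ok
    return ("accept", matches[0])


if __name__ == "__main__":
    for csid in ("00-24-8B-3C-D1-DB", "00248b3cd1db", "00:24:8b:3c:d1:dc",
                 "*", "00:24:8b:3c:d1:db)(cn=*"):
        print("%-28s -> %s" % (csid, authorize(csid)))
```

For a live check of the same flow, radtest is the wrong tool: it only fills in User-Name, User-Password and the NAS attributes, whereas radclient (which radtest wraps) reads an arbitrary attribute list from stdin, so a request carrying Calling-Station-Id can be sent with something like `printf 'User-Name = "00248b3cd1db", Calling-Station-Id = "00-24-8B-3C-D1-DB"\n' | radclient -x localhost auth <secret>` (secret being the localhost entry in clients.conf) while watching `radiusd -X` for the expanded filter and the ldap module's return code.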

More information about the Freeradius-Users mailing list