Mac Auth against LDAP
Arran Cudbard-Bell
a.cudbardb at freeradius.org
Wed Aug 14 13:39:05 CEST 2013
On 14 Aug 2013, at 11:02, Nikolaos Milas <nmilas at noa.gr> wrote:
> Hi,
>
> I am using FreeRadius v2.2.0 on CentOS 6.4 x86_64.
>
> I am trying to adapt Plain Mac-Auth as described at: http://wiki.freeradius.org/guide/Mac-Auth to work from LDAP.
>
> (Note: The server is also used for eduroam and is going to be used for 802.1x too.)
>
> My setup follows below.
>
> The questions:
> --------------
> 1. Should I also define the value:
> # access_attr
> ...for correct results?
Sure if you want to have an attribute which enables/disables access?
>
> 2. Can I test this using radtest (since I am not using user/password for this query)?
>
Yes, use just the mac-address as the username and password
> 3. Any other suggestions?
Nope.
> --------------
>
> The setup:
>
> ldap ldap_macauth {
>     server = "localhost"
>     identity = "uid=binduser,ou=System,dc=example,dc=com"
>     password = "bindpasswd"
>     basedn = "ou=Nodes,dc=example,dc=com"
>     filter = "(macAddress=%{Calling-Station-Id})"
>     start_tls = no
>     dictionary_mapping = ${raddbdir}/ldap.attrmap
>     ldap_connections_number = 2
>     timeout = 4
>     timelimit = 3
>     net_timeout = 1
> }
>
> and I have a test entry:
>
> dn: cn=hostABC,ou=Nodes,dc=example,dc=com
> cn: hostABC
> macAddress: 00:24:8b:3c:d1:db
> objectClass: device
> objectClass: ieee802Device
> objectClass: top
> ou: tech
> owner: uid=johndoe,ou=people,dc=example,dc=com
> l: Main Site
>
> I have preferred to set:
>
> rewrite_calling_station_id {
>     if (Calling-Station-Id =~ /([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})/i) {
>         update request {
>             Calling-Station-Id := "%{tolower:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}}"
>         }
>     }
>     else {
>         noop
>     }
> }
>
That's fine.
> and in sites-enabled/default:
>
> authorize {
> preprocess
> chap
> mschap
> digest
> suffix
Do you need all these? Are you ever going to be doing chap/mschap/digest in the outer server?
> eap {
> ok = return
> }
> files
> ldap_macauth
> if (!ok) {
> reject
> }
> else {
> # accept
> update control {
> Auth-Type := Accept
> }
> }
Yay for magic indentation.
> expiration
> logintime
> pap
> }
-Arran
Arran Cudbard-Bell <a.cudbardb at freeradius.org>
FreeRADIUS Development Team