Mac Auth against LDAP
Nikolaos Milas
nmilas at noa.gr
Fri Aug 23 18:04:00 CEST 2013
On 14/8/2013 2:39 PM, Arran Cudbard-Bell wrote:
>> and in sites-enabled/default:
>>
>> authorize {
>> preprocess
>> chap
>> mschap
>> digest
>> suffix
> Do you need all these? Are you ever going to be doing chap/mschap/digest in the outer server?
First, thanks for the reply.
Second, sorry for the late answer but I only now managed to fully test
the setup.
As for the above methods, they were remnants from the default config, so
I just left them there (I am a newbie with FreeRadius).
The config now is:
server macauth {
    authorize {
        preprocess
        # normalise Calling-Station-Id to the MAC format stored in LDAP
        rewrite_calling_station_id
        # look the MAC up in the directory
        ldap_macauth
        if (!ok) {
            reject
        }
        else {
            # accept
            update control {
                Auth-Type := Accept
            }
        }
    }
    authenticate {
        Auth-Type LDAP_MACAUTH {
            ldap_macauth
        }
    }
    preacct {
        preprocess
        acct_unique
    }
    accounting {
        detail
        exec
        attr_filter.accounting_response
    }
    session {
    }
    post-auth {
    }
    pre-proxy {
    }
    post-proxy {
    }
}
Tests went fine and I am able to run MAC-Auth successfully on a Cisco
2960 over FreeRadius with LDAP backend! Thanks FreeRadius people!
I have 3 main virtual servers now: Default, eduroam (with an
eduroam-inner-tunnel) and macauth, working fine in parallel.
I would like to ask some customization-oriented questions (for MAC-Auth):
1. Can we somehow limit a host to connect to only a particular port/NAS
device based on data stored in LDAP attributes (or, respectively, in
flat files) and reject it otherwise?
2. Can we assign the client to a particular VLAN based on data stored
in LDAP attributes (or, respectively, in flat files)?
3. Can we configure in FreeRadius an auto email to an administrator
when there is a MAC-auth failure with the associated info (time, MAC
Address, NAS device, port)?
If the answer to any of the above is yes, any pointers to related docs
showing how to configure things (FreeRadius, Cisco Switches) would be
appreciated.
Please advise.
Thanks,
Nick
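As an added illustration (example code, not from the original post and not FreeRADIUS's own code), the following Python models what the macauth server above does before it reaches LDAP: normalise Calling-Station-Id the way rewrite_calling_station_id would, look the MAC up, apply the per-host NAS/port restriction asked about in question 1, and build the failure record asked about in question 3. The directory contents, the attribute names, and the canonical MAC format are assumptions.

```python
"""Model of the macauth authorize flow (added example, not FreeRADIUS code)."""
import re
from typing import Optional, Tuple

# Switches send Calling-Station-Id in vendor-specific spellings
# (00:11:22:33:44:55, 0011.2233.4455, 00-11-22-33-44-55). The canonical
# form used for the directory key below is an assumption.
_SEPARATORS = re.compile(r"[\s:.\-]")
_HEX12 = re.compile(r"^[0-9a-f]{12}$")

# Constructed stand-in for the LDAP directory: one entry per known MAC with
# hypothetical per-host restrictions (None means "no restriction").
DIRECTORY = {
    "00:11:22:33:44:55": {"nas": "10.0.0.1", "port": 12},
    "aa:bb:cc:dd:ee:ff": {"nas": None, "port": None},
}


def normalize_mac(calling_station_id: str) -> Optional[str]:
    """Return aa:bb:cc:dd:ee:ff, or None if the value is not a MAC address."""
    raw = _SEPARATORS.sub("", calling_station_id).lower()
    if not _HEX12.match(raw):
        return None
    return ":".join(raw[i:i + 2] for i in range(0, 12, 2))


def authorize(request: dict) -> Tuple[str, str]:
    """Rewrite, look up, and accept or reject; returns (decision, reason)."""
    mac = normalize_mac(request.get("Calling-Station-Id", ""))
    if mac is None:
        return "reject", "Calling-Station-Id is not a MAC address"
    entry = DIRECTORY.get(mac)
    if entry is None:
        return "reject", f"{mac} not in directory"
    nas, port = request.get("NAS-IP-Address"), request.get("NAS-Port")
    if entry["nas"] is not None and entry["nas"] != nas:
        return "reject", f"{mac} not permitted on NAS {nas}"
    if entry["port"] is not None and entry["port"] != port:
        return "reject", f"{mac} not permitted on port {port}"
    return "accept", f"{mac} matched directory entry"


def failure_alert(request: dict, reason: str) -> str:
    """One-line record with the fields an admin notification would carry."""
    return "MAC-auth failure: time={} mac={} nas={} port={} reason={}".format(
        request.get("Event-Timestamp"), request.get("Calling-Station-Id"),
        request.get("NAS-IP-Address"), request.get("NAS-Port"), reason)
```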
More information about the Freeradius-Users mailing list