Mac Auth against LDAP

Nikolaos Milas nmilas at noa.gr
Fri Aug 23 19:30:03 CEST 2013


On 23/8/2013 7:25 μμ, Arran Cudbard-Bell wrote:

> See ldap_xlathttp://wiki.freeradius.org/modules/Rlm_ldap
>
> Use a query that searches for the value of NAS-IP-Address in the user object in a custom attribute.
>
> If the query expands to something other than a zero length string, the attribute exists.
>
> authorize {
> 	if ("%{ldap:<query>}" == '') {
> 		reject
> 	}
> }

Thanks Aran,

I'll focus on the 1st part for now.

I understand that the value of NAS-IP-Address (CheckItem) can be checked 
against '%{Packet-Src-IP-Address}'. Right?

    authorize {
    if ("%{ldap:<query>}" == '%{Packet-Src-IP-Address}') {
    # accept
    update control {
    Auth-Type := Accept
    }
    }
    else {
    reject
    }
    }

Is there a way to also check the port of the NAS being used by the host 
to connect as well (I guess the NAS should provide this info somehow 
during auth)?

Thanks again,
Nick




More information about the Freeradius-Users mailing list