Mac Auth against LDAP

Nikolaos Milas nmilas at
Fri Aug 23 19:30:03 CEST 2013

On 23/8/2013 7:25 μμ, Arran Cudbard-Bell wrote:

> See ldap_xlat
> Use a query that searches for the value of NAS-IP-Address in the user object in a custom attribute.
> If the query expands to something other than a zero length string, the attribute exists.
> authorize {
> 	if ("%{ldap:<query>}" == '') {
> 		reject
> 	}
> }

Thanks Aran,

I'll focus on the 1st part for now.

I understand that the value of NAS-IP-Address (CheckItem) can be checked 
against '%{Packet-Src-IP-Address}'. Right?

    authorize {
    if ("%{ldap:<query>}" == '%{Packet-Src-IP-Address}') {
    # accept
    update control {
    Auth-Type := Accept
    else {

Is there a way to also check the port of the NAS being used by the host 
to connect as well (I guess the NAS should provide this info somehow 
during auth)?

Thanks again,

More information about the Freeradius-Users mailing list