Mac Auth against LDAP

Arran Cudbard-Bell a.cudbardb at freeradius.org
Fri Aug 23 20:19:32 CEST 2013


On 23 Aug 2013, at 18:30, Nikolaos Milas <nmilas at noa.gr> wrote:

> On 23/8/2013 7:25 PM, Arran Cudbard-Bell wrote:
> 
>> See ldap_xlat http://wiki.freeradius.org/modules/Rlm_ldap
>> 
>> Use a query that searches for the value of NAS-IP-Address in the user object in a custom attribute.
>> 
>> If the query expands to something other than a zero length string, the attribute exists.
>> 
>> authorize {
>> 	if ("%{ldap:<query>}" == '') {
>> 		reject
>> 	}
>> }
> 
> Thanks Arran,
> 
> I'll focus on the 1st part for now.
> 
> I understand that the value of NAS-IP-Address (CheckItem)
> can be checked against '%{Packet-Src-IP-Address}'. Right?

You could check they're the same... yes.

If you want to retrieve the single authorized NAS a device is allowed to connect to, and then check it against Packet-Src-IP-Address then you could do it with the query below.

>   authorize {
>       # The right-hand side needs double quotes: single-quoted strings are not xlat-expanded,
>       # so '%{Packet-Src-IP-Address}' would be compared literally
>       if ("%{ldap:<query>}" == "%{Packet-Src-IP-Address}") {
>           # accept
>           update control {
>               Auth-Type := Accept
>           }
>       }
>       else {
>           reject
>       }
>   }
> 
> Is there a way to also check the port of the NAS being used by the host to connect as well (I guess the NAS should provide this info somehow during auth)?

Run freeradius with -X, see what attributes are being sent.

It'll either be in NAS-Port or NAS-Port-ID if the NAS is providing that information.

-Arran
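Putting the NAS-IP and NAS-Port checks together, as an added example that is not from either poster: the ldap xlat URL form (base?attribute?scope?filter) is rlm_ldap's own, but the base DN ou=devices,dc=example,dc=com and the attribute names exampleAllowedNasIp and exampleAllowedNasPort are assumptions for illustration.

```unlang
# Added example, not code from the thread. Assumes: device entries live under
# ou=devices,dc=example,dc=com, are keyed by uid = the device MAC address
# (the User-Name in MAC auth), and carry two hypothetical custom attributes:
#   exampleAllowedNasIp    the single NAS IP this device may be seen from
#   exampleAllowedNasPort  the single NAS port it may be seen on
# rlm_ldap must already be configured and listed in the ldap module config.
authorize {
    # Look up the permitted NAS IP and compare it with the source address of
    # the packet actually received, not the NAS-IP-Address the NAS claims.
    # If the attribute or the device object is missing the xlat expands to
    # "", which never equals a real address, so the check fails closed.
    if ("%{ldap:ldap:///ou=devices,dc=example,dc=com?exampleAllowedNasIp?sub?(uid=%{User-Name})}" != "%{Packet-Src-IP-Address}") {
        reject
    }

    # Optional port pinning. Run radiusd -X first to see whether this NAS
    # sends NAS-Port or NAS-Port-Id; this branch assumes NAS-Port and is
    # skipped when the NAS does not send it.
    if (NAS-Port) {
        if ("%{ldap:ldap:///ou=devices,dc=example,dc=com?exampleAllowedNasPort?sub?(uid=%{User-Name})}" != "%{NAS-Port}") {
            reject
        }
    }

    # Both checks passed: accept the device without a password, as in the thread.
    update control {
        Auth-Type := Accept
    }
}
```

In FreeRADIUS 3 the %{User-Name} expansion inside the filter is LDAP-escaped by the ldap xlat; on 2.x verify that behaviour before relying on it.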


More information about the Freeradius-Users mailing list