Mac Auth against LDAP

Nikolaos Milas nmilas at noa.gr
Sat Aug 24 11:00:08 CEST 2013


On 23/8/2013 9:19 PM, Arran Cudbard-Bell wrote:

> It'll either be in NAS-Port or NAS-Port-ID if the NAS is providing that information.

Thanks Arran,

It was NAS-Port indeed. Strangely enough, this is not included either in 
ldap.attrmap or the freeradius schema. Shouldn't it (and other 
attributes missing from ldap.attrmap and freeradius schema but defined 
in RFC 2865, like NAS-Port-Type) be included at least in future 
FreeRadius releases? Or is there a particular reason for which they were 
not included?

In any case, could I include the (desired) NAS-Port value in another 
(seemingly unused) attribute of the FreeRadius Schema, like radiusHint 
(which -if I understand right- has a suitable syntax: IA5 String), for 
which I guess I should also add an entry in ldap.attrmap (because there 
is no radiusHint attribute mapping therein), like:

    checkItem NAS-Port      radiusHint

...and then I could simply use my *exact current configuration* by 
simply changing the ldap filter to:

    filter = "(&(macAddress=%{Calling-Station-Id})(radiusNASIpAddress=%{NAS-IP-Address})(radiusHint=%{NAS-Port}))"

...provided that I am storing the NAS (Cisco switch) IP address in 
radiusNASIpAddress and radiusHint attributes respectively?

Would you agree to using the radiusHint attribute for that purpose? If not, 
any other? (I would like to avoid changing the freeradius schema by 
adding attributes.)

Thanks and regards,
Nick
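
The lookup the proposed filter performs, as an added example that is not part of the original post and not FreeRADIUS code: it expands the filter with RFC 4515 escaping and evaluates it against a constructed directory entry, so the same MAC seen on a different switch port is rejected. The helper names, the sample values and the case-insensitive comparison are assumptions.

```python
import re

# Filter proposed in the post; %{...} are RADIUS request attributes.
FILTER = ("(&(macAddress=%{Calling-Station-Id})"
          "(radiusNASIpAddress=%{NAS-IP-Address})"
          "(radiusHint=%{NAS-Port}))")

# RFC 4515: characters that must be escaped inside a filter assertion value.
ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}

def ldap_escape(value):
    return "".join(ESCAPES.get(ch, ch) for ch in value)

def expand(template, request):
    """Replace each %{Name} with the escaped value from the request.
    A missing attribute raises KeyError so the caller can reject."""
    return re.sub(r"%\{([\w-]+)\}",
                  lambda m: ldap_escape(str(request[m.group(1)])), template)

def parse_and_filter(flt):
    """Split an (&(a=v)(b=w)...) filter into unescaped (attr, value) pairs."""
    pairs = re.findall(r"\(([\w-]+)=((?:[^()\\*]|\\[0-9a-fA-F]{2})*)\)", flt)
    unesc = lambda v: re.sub(r"\\([0-9a-fA-F]{2})",
                             lambda m: chr(int(m.group(1), 16)), v)
    return [(attr, unesc(val)) for attr, val in pairs]

def authorize(request, entries):
    """True if some directory entry satisfies every clause of the filter."""
    try:
        clauses = parse_and_filter(expand(FILTER, request))
    except KeyError:
        return False  # the NAS did not send an attribute the filter needs
    if len(clauses) != FILTER.count("%{"):
        return False  # a clause did not survive parsing: fail closed
    # Assumption: values are compared case-insensitively.
    return any(all(val.lower() in (x.lower() for x in entry.get(attr, []))
                   for attr, val in clauses) for entry in entries)

# Constructed sample directory: one device allowed on one switch port.
ENTRIES = [{"macAddress": ["00-11-22-33-44-55"],
            "radiusNASIpAddress": ["192.0.2.10"],
            "radiusHint": ["50101"]}]
```
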
