Mac Auth against LDAP
Nikolaos Milas
nmilas at noa.gr
Sat Aug 24 11:00:08 CEST 2013
On 23/8/2013 9:19 PM, Arran Cudbard-Bell wrote:
> It'll either be in NAS-Port or NAS-Port-ID if the NAS is providing that information.

Thanks Arran,

It was NAS-Port indeed. Strangely enough, this is not included either in
ldap.attrmap or the freeradius schema. Shouldn't it (and other
attributes missing from ldap.attrmap and freeradius schema but defined
in RFC 2865, like NAS-Port-Type) be included at least in future
FreeRadius releases? Or is there a particular reason for which they were
not included?

In any case, could I include the (desired) NAS-Port value in another
(seemingly unused) attribute of the FreeRadius Schema, like radiusHint
(which -if I understand right- has a suitable syntax: IA5 String), for
which I guess I should also add an entry in ldap.attrmap (because there
is no radiusHint attribute mapping therein), like:

    checkItem NAS-Port radiusHint

...and then I could simply use my *exact current configuration* by
simply changing the ldap filter to:

    filter = "(&(macAddress=%{Calling-Station-Id})(radiusNASIpAddress=%{NAS-IP-Address})(radiusHint=%{NAS-Port}))"

...provided that I am storing the NAS (Cisco switch) IP address in
radiusNASIpAddress and radiusHint attributes respectively?

Would you agree with using the radiusHint attribute for that purpose? If not,
any other? (I would like to avoid changing the freeradius schema by
adding attributes.)

Thanks and regards,
Nick