Mac Auth against LDAP

Nikolaos Milas nmilas at noa.gr
Mon Aug 26 10:07:00 CEST 2013


On 24/8/2013 12:00 PM, Nikolaos Milas wrote:

> ...and then I could simply use my *exact current configuration* by 
> simply changing the ldap filter to:
>
> filter = 
> "(&(macAddress=%{Calling-Station-Id})(radiusNASIpAddress=%{NAS-IP-Address})(radiusHint=%{NAS-Port}))"

I tested this and it works. (Yet, please respond to the questions on my 
earlier mails.)

Now, I am thinking of an extended (MAC-Auth) "policy" (rule set) like:

Rule 1: If in the LDAP host entry we have included a radiusNASIpAddress 
value AND a radiusHint value, then authorize based on all, otherwise 
reject. (No mobility allowed)
Rule 2: If in the LDAP host entry we have included only a 
radiusNASIpAddress value, then authorize based only on it, otherwise 
reject. (NAS-mobility)
Rule 3: If in the LDAP host entry we have included NEITHER a 
radiusNASIpAddress value NOR a radiusHint value, then authorize based 
only on the MAC Address. (Full Mobility)

QUESTION 1: Is it legitimate to set up the above policy as follows?

server macauth {

    authorize {
        preprocess
        rewrite_calling_station_id

        if (%{ldap_macauth:ldap:///ou=Nodes,dc=example,dc=com?radiusHint?sub?radiusHint=*}
            and %{ldap_macauth:ldap:///ou=Nodes,dc=example,dc=com?radiusNASIpAddress?sub?radiusNASIpAddress=*}) {
            ldap_macauth
            if (ok) {
                update control {
                    Auth-Type := Accept
                }
            }
        }
        else if (%{ldap_macauth_NAS_only:ldap:///ou=Nodes,dc=example,dc=com?radiusNASIpAddress?sub?radiusNASIpAddress=*}) {
            ldap_macauth_NAS_only
            if (ok) {
                update control {
                    Auth-Type := Accept
                }
            }
        }
        else {
            ldap_macauth_mobility
            if (ok) {
                update control {
                    Auth-Type := Accept
                }
            }
            else {
                reject
            }
        }
    }

    authenticate {
        Auth-Type LDAP_MACAUTH {
            ldap_macauth
        }
    }

    preacct {
        preprocess
        acct_unique
    }

    accounting {
        detail
        exec
        attr_filter.accounting_response
    }
}

...where the three ldap instances above are identical except the filter 
which is:

ldap_macauth:
    filter = "(&(macAddress=%{Calling-Station-Id})(radiusNASIpAddress=%{NAS-IP-Address})(radiusHint=%{NAS-Port}))"
ldap_macauth_NAS_only:
    filter = "(&(macAddress=%{Calling-Station-Id})(radiusNASIpAddress=%{NAS-IP-Address}))"
ldap_macauth_mobility:
    filter = "(macAddress=%{Calling-Station-Id})"

If the above configuration is legitimate, what should we place in the 
authenticate {} section? Should all ldap_macauth* instances used in the 
authorize {} section be included? I am confused.

Thanks and regards,
Nick
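The three-rule policy in the message above, modelled as an added Python example (not code from the post or from FreeRADIUS). It stands in for the unlang cascade: a constructed in-memory directory replaces the ou=Nodes,dc=example,dc=com subtree, the host entry is looked up by its macAddress first, and only then is the presence of radiusNASIpAddress and radiusHint on that one entry used to pick which of the three filters from the post applies. The MAC normalisation, the attribute names on the HostEntry dataclass and all sample entries and requests are assumptions made for the example; the rule numbering follows the post. One edge case the post's rules do not name, an entry carrying radiusHint but no radiusNASIpAddress, is handled the way the post's if/else-if/else cascade would handle it (it falls through to the mobility rule) and is flagged in a comment.

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Tuple

# The three filters quoted in the post, keyed by rule number.
FILTERS = {
    1: "(&(macAddress=%{Calling-Station-Id})(radiusNASIpAddress=%{NAS-IP-Address})(radiusHint=%{NAS-Port}))",
    2: "(&(macAddress=%{Calling-Station-Id})(radiusNASIpAddress=%{NAS-IP-Address}))",
    3: "(macAddress=%{Calling-Station-Id})",
}


@dataclass(frozen=True)
class HostEntry:
    """Constructed stand-in for one LDAP host object under ou=Nodes."""
    mac_address: str                                 # macAddress
    radius_nas_ip_address: Optional[str] = None      # radiusNASIpAddress, None when absent
    radius_hint: Optional[str] = None                # radiusHint (carries NAS-Port), None when absent


@dataclass(frozen=True)
class AccessRequest:
    """The three RADIUS attributes the filters in the post reference."""
    calling_station_id: str
    nas_ip_address: str
    nas_port: str


_NON_HEX = re.compile(r"[^0-9a-f]")


def normalize_mac(raw: str) -> str:
    """Collapse '00-11-22-AA-BB-01', '0011.22aa.bb01', ... to '001122aabb01'.
    Plays the role of rewrite_calling_station_id; the canonical form is an assumption."""
    mac = _NON_HEX.sub("", raw.lower())
    if len(mac) != 12:
        raise ValueError(f"not a MAC address: {raw!r}")
    return mac


def build_directory(entries: Iterable[HostEntry]) -> Dict[str, HostEntry]:
    """Index entries by normalised MAC; a duplicate MAC is refused so that one
    request can never match more than one host entry."""
    directory: Dict[str, HostEntry] = {}
    for entry in entries:
        key = normalize_mac(entry.mac_address)
        if key in directory:
            raise ValueError(f"duplicate macAddress {entry.mac_address}")
        directory[key] = entry
    return directory


def select_rule(entry: HostEntry) -> int:
    """Pick the rule from the post based on which attributes the host's own entry carries."""
    if entry.radius_nas_ip_address is not None and entry.radius_hint is not None:
        return 1                      # NAS IP and port pinned: no mobility
    if entry.radius_nas_ip_address is not None:
        return 2                      # NAS IP pinned only: NAS-mobility
    # Neither attribute, or (edge case the rules do not name) radiusHint alone:
    # the post's cascade lands here, i.e. full mobility on the MAC address alone.
    return 3


def authorize(directory: Dict[str, HostEntry], req: AccessRequest) -> Tuple[str, int]:
    """Return ('Accept' | 'Reject', rule); rule is 0 when no entry matches the MAC."""
    entry = directory.get(normalize_mac(req.calling_station_id))
    if entry is None:
        return "Reject", 0
    rule = select_rule(entry)
    if rule == 1:
        ok = (entry.radius_nas_ip_address == req.nas_ip_address
              and entry.radius_hint == req.nas_port)
    elif rule == 2:
        ok = entry.radius_nas_ip_address == req.nas_ip_address
    else:
        ok = True
    return ("Accept" if ok else "Reject"), rule


# Constructed sample directory: one host per rule.
DIRECTORY = build_directory([
    HostEntry("00:11:22:aa:bb:01", "10.0.0.1", "5"),   # rule 1
    HostEntry("00:11:22:aa:bb:02", "10.0.0.1"),        # rule 2
    HostEntry("00:11:22:aa:bb:03"),                    # rule 3
])

if __name__ == "__main__":
    for req in [
        AccessRequest("00-11-22-AA-BB-01", "10.0.0.1", "5"),
        AccessRequest("00-11-22-AA-BB-01", "10.0.0.1", "6"),
        AccessRequest("00-11-22-AA-BB-02", "10.0.0.1", "9"),
        AccessRequest("00-11-22-AA-BB-02", "10.0.0.2", "5"),
        AccessRequest("00-11-22-AA-BB-03", "10.0.0.7", "1"),
        AccessRequest("00-11-22-AA-BB-99", "10.0.0.1", "5"),
    ]:
        decision, rule = authorize(DIRECTORY, req)
        print(f"{req.calling_station_id} @ {req.nas_ip_address}:{req.nas_port} -> {decision} (rule {rule}, filter {FILTERS.get(rule, 'none')})")
```

The point the model makes visible is scoping: the existence checks that choose the rule are made on the entry already matched by macAddress, so a radiusHint or radiusNASIpAddress value on some other host under the same base cannot steer which filter is applied to this request.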


