Mac Auth against LDAP

Arran Cudbard-Bell a.cudbardb at
Mon Aug 26 11:15:50 CEST 2013

> ...where the three ldap instances above are identical except the filter which is:
> ldap_macauth:
>    filter = "(&(macAddress=%{Calling-Station-Id})(radiusNASIpAddress=%{NAS-IP-Address})(radiusHint=%{NAS-Port}))"
> ldap_macauth_NAS_only:
>    filter = "(&(macAddress=%{Calling-Station-Id})(radiusNASIpAddress=%{NAS-IP-Address}))"
> ldap_macauth_mobility:
>    filter = "(macAddress=%{Calling-Station-Id})"

No. It's a really inefficient way of doing this.

Use generic attribute maps or an update ldap schema to pull the necessary values into control attributes,
and then do the comparison in policy language. Otherwise you end up doing multiple LDAP queries which are
comparatively extremely slow to anything else you're doing in the policy.

Arran Cudbard-Bell <a.cudbardb at>
FreeRADIUS Development Team

More information about the Freeradius-Users mailing list