Mac Auth against LDAP

Arran Cudbard-Bell a.cudbardb at freeradius.org
Mon Aug 26 13:15:54 CEST 2013


On 26 Aug 2013, at 11:39, Nikolaos Milas <nmilas at noa.gr> wrote:

> On 26/8/2013 12:15 PM, Arran Cudbard-Bell wrote:
> 
>> No. It's a really inefficient way of doing this.
> 
> Thanks Arran,
> 
> Yet, would it be logically/technically correct?

Sure.

> 
>> Use generic attribute maps or an update ldap schema to pull the necessary values into control attributes,
>> and then do the comparison in policy language.
> 
> Hmm, if I understand right, I could query once a custom attribute with e.g. the value of 0/1/2 depending on the type of mac-auth we would like to do.
> 
> Thus, two LDAP queries would suffice to check correctly the client in all cases, where in my initial script we would need 3 at best or 4 at worst.

Unless you are querying different DNs for the different Mac-Auth types then doing this is the wrong way to approach this.

the presence of the attributes in the LDAP object to dictate what type of authorisation you're doing.

Map the check items:

radiusNASIPAddress
radiusNASPort (add it to the default schema or use radiusHint instead)

to the check items NAS-IP-Address and NAS-Port

authorize {
    preprocess
    rewrite_calling_station_id

    ldap
    if (!ok && !updated) {
        reject
    }

    if (control:NAS-IP-Address) {
        if (control:NAS-IP-Address != "%{%{NAS-IP-Address}:-%{Packet-Src-IP-Address}}") {
            reject
        }

        if (control:NAS-Port && (control:NAS-Port != "%{%{NAS-Port}:-%{NAS-Port-ID}}")) {
            reject
        }
    }

    update control {
        Auth-Type := Accept
    }
}

Reject has the same effect as a return statement in the above.


> 
> The example would be to use a policy like:
> 
> set_mac_auth_type {
>     update request {
>         auth_type := "%{ldap_macauth:ldap:///ou=Nodes,dc=example,dc=com?macauthtype?sub?macAddress=%{Calling-Station-Id}}"
>     }
> }

You may as well use Autz-Type.

i.e. map an attribute macautztype to the checkItem autz-type

authorize {
    preprocess
    rewrite_calling_station_id

    ldap
    if (!ok && !updated) {
        reject
    }

    Autz-Type nas {
        # do stuff
    }

    Autz-Type nas_and_port {
        # do stuff
    }
}

You can then check the states of the various other control attributes inside one of those Autz-Type sections.

Policy execution will effectively ignore Autz-Type sections the first pass through authorize, and then loop back round
and enter one of them.


Arran Cudbard-Bell <a.cudbardb at freeradius.org>
FreeRADIUS Development Team
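As an added example (mine, not Arran's or the project's own configuration), here is how the Autz-Type approach above fits together end to end in FreeRADIUS 3.0 module syntax: the ldap module's update map pulling the check items into the control list, and the two Autz-Type sections carrying the comparisons from the first policy. The LDAP host, the ou=Nodes base, the macautztype attribute and the sample entries are assumptions; the attribute names follow the thread's spelling and must match whatever schema your directory actually loads.

```conf
# Constructed sample entries (not from the post), one per Mac-Auth type:
#   cn=printer-1: macAddress=00-11-22-33-44-55 radiusNASIPAddress=192.0.2.10 macautztype=nas
#   cn=printer-2: macAddress=00-11-22-33-44-66 radiusNASIPAddress=192.0.2.10 radiusNASPort=7 macautztype=nas_and_port

# mods-available/ldap (FreeRADIUS 3.0 module syntax); server and base DN assumed
ldap {
    server = "ldap.example.com"
    user {
        base_dn = "ou=Nodes,dc=example,dc=com"
        # rewrite_calling_station_id must run first so the MAC format matches
        filter  = "(macAddress=%{Calling-Station-Id})"
    }
    # one lookup pulls every check item the policy needs into the control list
    update {
        control:NAS-IP-Address := 'radiusNASIPAddress'
        control:NAS-Port       := 'radiusNASPort'
        control:Autz-Type      := 'macautztype'
    }
}

# sites-available/default, authorize section
authorize {
    preprocess
    rewrite_calling_station_id
    ldap
    if (!ok && !updated) {
        reject
    }
    # the server re-enters the Autz-Type section named by control:Autz-Type
    Autz-Type nas {
        if (control:NAS-IP-Address != "%{%{NAS-IP-Address}:-%{Packet-Src-IP-Address}}") {
            reject
        }
        update control {
            Auth-Type := Accept
        }
    }
    Autz-Type nas_and_port {
        if (control:NAS-IP-Address != "%{%{NAS-IP-Address}:-%{Packet-Src-IP-Address}}") {
            reject
        }
        if (control:NAS-Port != "%{%{NAS-Port}:-%{NAS-Port-ID}}") {
            reject
        }
        update control {
            Auth-Type := Accept
        }
    }
}
```

A device whose entry has no macautztype value falls through neither section and is left without Auth-Type, so decide explicitly whether such entries should be rejected after the ldap call.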
