Mac Auth against LDAP

Nikolaos Milas nmilas at
Mon Aug 26 15:17:39 CEST 2013

On 26/8/2013 2:15 PM, Arran Cudbard-Bell wrote:

> Unless you are querying different DNs for the different Mac-Auth types then doing this is the wrong way to approach this.
> the presence of the attributes in the LDAP object to dictate what type of authorisation you're doing.

Thanks Arran,

I tried and tested all scenarios with your (former) suggestion and it 
worked flawlessly as:


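     # The bodies of the three reject branches are missing from the archived
     # message; "reject" is assumed from context.
     if (!ok && !updated) {
         reject
     }

     # Apply the NAS checks only when the LDAP entry carries the attributes
     if (control:NAS-IP-Address) {
         if (control:NAS-IP-Address != "%{NAS-IP-Address}") {
             reject
         }
         if (control:NAS-Port && (control:NAS-Port != "%{NAS-Port}")) {
             reject
         }
     }

     update control {
         Auth-Type := Accept
     }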

Thanks so much. Correctly using the policy language is not so obvious,
and it would have taken me a long time to figure out.

Finally, one finishing touch:

Can we use the new DHCP functionality to assign an IP address (stored in 
the host's LDAP entry) to a correctly authenticated host?


Can we check the IP address being used by the authenticated host, 
compare it against a stored IP Address in the host's LDAP entry, and 
deny access if there is a mismatch?

Best regards,
