Mac Auth against LDAP

Nikolaos Milas nmilas at noa.gr
Mon Aug 26 15:17:39 CEST 2013


On 26/8/2013 2:15 PM, Arran Cudbard-Bell wrote:

> Unless you are querying different DNs for the different Mac-Auth types then doing this is the wrong way to approach this.
>
> the presence of the attributes in the LDAP object to dictate what type of authorisation you're doing.

Thanks Arran,

I tried and tested all scenarios with your (former) suggestion and it 
worked flawlessly as:

     # Look up the MAC in LDAP; on a match the module copies the host's
     # attributes (NAS-IP-Address, NAS-Port) into the control list.
     ldap_macauth

     # No entry for this MAC: reject.
     if (!ok && !updated) {
         reject
     }

     # If the entry pins the host to a NAS, the request must come from it.
     if (control:NAS-IP-Address) {
         if (control:NAS-IP-Address != "%{NAS-IP-Address}") {
             reject
         }

         # Optionally also pin the host to a port on that NAS.
         if (control:NAS-Port && (control:NAS-Port != "%{NAS-Port}")) {
             reject
         }
     }

     # All checks passed: accept the MAC without a password.
     update control {
         Auth-Type := Accept
     }

Thanks so much. Correctly using the policy language is not so obvious, 
and it would have taken me a long time to figure out.

Finally, one finishing touch:

Can we use the new DHCP functionality to assign an IP address (stored in 
the host's LDAP entry) to a correctly authenticated host?

-OR-

Can we check the IP address being used by the authenticated host, 
compare it against a stored IP Address in the host's LDAP entry, and 
deny access if there is a mismatch?

Best regards,
Nick
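As an added illustration (not part of Nick's message and not FreeRADIUS code), the following Python model reproduces the decision logic of the unlang policy above against a small constructed host table, and also sketches the stored-IP comparison asked about at the end of the message. The host table, the MAC addresses and the IP addresses are constructed sample data; the IP check assumes the request would carry the host's address as Framed-IP-Address, which is an assumption and not something the post establishes.

```python
# Added example: a Python model of the unlang MAC-auth policy in the message
# above. Not FreeRADIUS code; the host table below is constructed sample data.

# Constructed "LDAP" directory keyed by MAC address. Each value holds the
# attributes ldap_macauth would copy into the control list on a match.
LDAP_HOSTS = {
    "00-11-22-33-44-55": {"NAS-IP-Address": "192.0.2.10", "NAS-Port": "7"},
    "00-11-22-33-44-66": {"NAS-IP-Address": "192.0.2.10"},   # pinned to a NAS, any port
    "00-11-22-33-44-77": {},                                  # known host, no restriction
    "00-11-22-33-44-88": {"NAS-Port": "3"},                   # port pin without NAS pin
    # Hypothetical stored address for the IP-check question at the end of the post.
    "00-11-22-33-44-99": {"Framed-IP-Address": "198.51.100.25"},
}


def ldap_macauth(calling_station_id):
    """Model of the ldap_macauth instance.

    Returns (rcode, control): rcode is 'notfound' when the MAC has no entry,
    'updated' when attributes were copied into control:, 'ok' when the entry
    exists but carries nothing to copy.
    """
    entry = LDAP_HOSTS.get(calling_station_id)
    if entry is None:
        return "notfound", {}
    return ("updated" if entry else "ok"), dict(entry)


def authorize(request):
    """Evaluate the policy from the post; returns 'accept' or 'reject'.

    request is a dict of RADIUS request attributes as strings, mirroring the
    unlang string expansions such as "%{NAS-Port}".
    """
    rcode, control = ldap_macauth(request.get("Calling-Station-Id", ""))

    # if (!ok && !updated) { reject }
    if rcode not in ("ok", "updated"):
        return "reject"

    # if (control:NAS-IP-Address) { ... }
    if "NAS-IP-Address" in control:
        if control["NAS-IP-Address"] != request.get("NAS-IP-Address"):
            return "reject"
        # The NAS-Port check only runs inside the NAS-IP-Address block.
        if "NAS-Port" in control and control["NAS-Port"] != request.get("NAS-Port"):
            return "reject"

    # update control { Auth-Type := Accept }
    return "accept"


def authorize_with_ip_check(request):
    """Hypothetical extension for the closing question: after the policy above
    accepts, compare a stored address against the one in the request.

    Assumes the request carries the host's address as Framed-IP-Address; the
    actual attribute depends on the NAS and is not established by the post.
    """
    if authorize(request) != "accept":
        return "reject"
    _, control = ldap_macauth(request.get("Calling-Station-Id", ""))
    stored = control.get("Framed-IP-Address")
    if stored is not None and stored != request.get("Framed-IP-Address"):
        return "reject"
    return "accept"


if __name__ == "__main__":
    req = {"Calling-Station-Id": "00-11-22-33-44-55",
           "NAS-IP-Address": "192.0.2.10", "NAS-Port": "7"}
    print(authorize(req))
```

One property of the policy that the model makes visible: because the NAS-Port comparison sits inside the `if (control:NAS-IP-Address)` block, an LDAP entry that stores only a NAS-Port (the "88" host above) is accepted from any port. If a port pin should hold on its own, the NAS-Port check has to be moved out of the NAS-IP-Address block.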


More information about the Freeradius-Users mailing list