MAC Auth Bypass and LDAP
Brendan Kearney
bpk678 at gmail.com
Tue Apr 7 15:18:34 CEST 2015
I have RADIUS authN and authZ using Kerberos and LDAP working in my
environment. From here I want to add MAC Auth Bypass and finally
full .1x when I get a CA up and running. I plan to have MAC Auth Bypass
as an interim solution, and will leave it in place when full .1x is
running as a fallback method. I would like to get dynamic VLAN
assignment configured too. With that said, I am not sure of a few
things.

I am running v3.0.3 on Fedora 20. I have found the wiki article for MAC
Auth, but that is for v2.x and a lot has changed from v2 to v3. Because
I am looking to leverage LDAP lookups for MAC Auth Bypass, the info in
the wiki does not seem applicable. Where do I start looking for info
around MAC Auth Bypass and LDAP? The ldap module does not have anything
that I am able to see as appropriate. I would like to avoid using the
files module, as the MAC address info, etc. is in my LDAP already.

Once I get MAB working, I want to begin assigning the VLAN based on MAC
class or address. Is the MAC the right data point to make that
determination? I see the desire to have full .1x use dynamic VLAN
assignment, too, so I want to make sure the decisions are not counter to
each other.

I am ultimately looking to have full .1x, with MAC Auth Bypass as a
fallback, and in either case (or both, if that could/should be) have the
VLAN assigned based on the outcome of the auth (or auth bypass). My
logic would be:

if the device passes .1x, the device is assigned to VLAN_X.
if the device fails .1x, the device is assigned to VLAN_Z.
if the device cannot do .1x, and passes MAC Auth Bypass (i.e. the MAC is
known and is in LDAP), the device is assigned to VLAN_Y.
if the device cannot do .1x and fails MAC Auth Bypass, the device is
assigned to VLAN_Z.

Since full .1x is not going to be turned up right now, the last two
pieces of the logic are what I am looking to pursue at this point. Any
pointers on where to start would be appreciated.
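The four-way policy in the post, modelled as an added Python example. This is not FreeRADIUS configuration and not the poster's own code: in a live server the same decisions would be written as unlang policy, and the device directory below is a constructed dict standing in for the LDAP lookup. The VLAN IDs, the `eap_result` flag used to model the EAP outcome, and the check that a MAB request's User-Name matches its Calling-Station-Id are all assumptions made for the example; the Tunnel-* attribute values are the standard ones from RFC 2868 / RFC 3580.

```python
import re

# Constructed stand-in for the LDAP directory of known devices (assumption for
# this example): canonical MAC -> device class. A real deployment would run an
# LDAP search on the MAC attribute here instead of a dict lookup.
KNOWN_DEVICES = {
    "00:11:22:33:44:55": "printer",
    "aa:bb:cc:dd:ee:ff": "phone",
}

# VLAN labels from the post; the numeric IDs are placeholders (assumption).
VLAN_X = "100"   # passed 802.1X
VLAN_Y = "200"   # passed MAC Auth Bypass
VLAN_Z = "999"   # failed either method

# Reply attribute values a switch expects for dynamic VLAN assignment.
TUNNEL_TYPE_VLAN = 13            # Tunnel-Type = VLAN (RFC 3580)
TUNNEL_MEDIUM_TYPE_IEEE802 = 6   # Tunnel-Medium-Type = IEEE-802 (RFC 2868)


def normalise_mac(calling_station_id):
    """Reduce a NAS-supplied MAC to lower-case, colon-separated form.

    Switches send the address in several shapes (00-11-22-33-44-55,
    0011.2233.4455, 00:11:22:33:44:55, 001122334455); the directory must be
    queried with one canonical form or lookups silently miss.
    Returns None when the value is not a 12-hex-digit MAC.
    """
    hex_digits = re.sub(r"[^0-9a-fA-F]", "", calling_station_id or "")
    if len(hex_digits) != 12:
        return None
    hex_digits = hex_digits.lower()
    return ":".join(hex_digits[i:i + 2] for i in range(0, 12, 2))


def vlan_reply(vlan_id):
    """Reply attributes that tell an 802.1X/MAB-capable switch which VLAN to use."""
    return {
        "Tunnel-Type": TUNNEL_TYPE_VLAN,
        "Tunnel-Medium-Type": TUNNEL_MEDIUM_TYPE_IEEE802,
        "Tunnel-Private-Group-Id": vlan_id,
    }


def mab_lookup(calling_station_id, directory=KNOWN_DEVICES):
    """MAC Auth Bypass check: return the device class of a known MAC, else None."""
    mac = normalise_mac(calling_station_id)
    if mac is None:
        return None
    return directory.get(mac)


def decide(request, directory=KNOWN_DEVICES):
    """Apply the policy from the post to one Access-Request (a dict of attributes).

    An EAP-Message attribute means the supplicant is doing 802.1X; its outcome
    is modelled by the constructed key 'eap_result' ('ok' or anything else).
    Without EAP-Message the request is a MAB attempt, where the NAS sends the
    MAC as User-Name (and User-Password). Returns (code, vlan_label, reply).
    """
    if "EAP-Message" in request:
        if request.get("eap_result") == "ok":
            return ("Access-Accept", "VLAN_X", vlan_reply(VLAN_X))
        # Tunnel attributes on an Access-Reject are ignored by the NAS, so
        # VLAN_Z for failed 802.1X comes from the switch's own auth-fail VLAN.
        return ("Access-Reject", "VLAN_Z", {})

    mac = normalise_mac(request.get("Calling-Station-Id"))
    # Consistency check (this example's choice): the MAB User-Name must be the
    # same address the switch reports it saw on the port.
    if mac is None or normalise_mac(request.get("User-Name")) != mac:
        return ("Access-Reject", "VLAN_Z", {})
    if mab_lookup(mac, directory) is None:
        return ("Access-Reject", "VLAN_Z", {})
    return ("Access-Accept", "VLAN_Y", vlan_reply(VLAN_Y))


if __name__ == "__main__":
    mab_request = {                      # constructed sample request
        "User-Name": "001122334455",
        "User-Password": "001122334455",
        "Calling-Station-Id": "00-11-22-33-44-55",
    }
    print(decide(mab_request))
```

The canonicalisation step is where LDAP-backed MAB usually breaks in practice: if the stored attribute and the request differ only in case or separators, every MAB attempt fails the lookup and lands in VLAN_Z. Because MAB authorises a device on nothing more than a listed address, VLAN_Y should carry fewer privileges than the VLAN_X reached by a completed 802.1X exchange.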