how to set up MAC-based authentication with LDAP
Thomas Stather
Thomas.Stather at mpimf-heidelberg.mpg.de
Thu Apr 16 12:22:22 CEST 2015
Hello
I tried to set it up but I failed.
The virtual server now looks like:
listen {
    ipaddr = *
    port = 0
    type = auth
}
listen {
    ipaddr = *
    port = 0
    type = acct
}
authorize {
    preprocess
    # clean the Calling-Station-ID
    rewrite_calling_station_id
    if (!"%{ldap:(&(objectClass=ieee802Device)(macAddress=%{Calling-Station-Id}))}") {
        reject
    }
    else {
        # accept
        update control {
            Auth-Type := Accept
        }
    }
}
authenticate {
    Auth-Type ldap {
        ldap
    }
}
I tested with:
radtest f0-1f-af-35-c8-10 f0-1f-af-35-c8-10 127.0.0.1 10 test123 (the MAC address exists in LDAP as f0:1f:af:35:c8:10)
the output on the server looks like this:
Listening on auth address * port 1812 as server macauth
Listening on acct address * port 1813 as server macauth
Opening new proxy socket 'proxy address * port 0'
Listening on proxy address * port 49440
Ready to process requests
(0) Received Access-Request Id 126 from 127.0.0.1:36895 to 127.0.0.1:1812 length 103
(0) User-Name = 'f0-1f-af-35-c8-10'
(0) User-Password = 'f0-1f-af-35-c8-10'
(0) NAS-IP-Address = 192.168.1.1
(0) NAS-Port = 10
(0) Message-Authenticator = 0x2e1129946169764255df311101b1f418
(0) # Executing section authorize from file /etc/raddb/sites-enabled/mpimf-macauth
(0) authorize {
(0) [preprocess] = ok
(0) policy rewrite_calling_station_id {
(0) if (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i) {
ERROR: (0) Failed retrieving values required to evaluate condition
(0) else {
(0) [noop] = noop
(0) } # else = noop
(0) } # policy rewrite_calling_station_id = noop
(0) if (!"%{ldap:(&(objectClass=ieee802Device)(macAddress=%(ldap:%28&%28objectClass=ieee802Device%29%28macAddress=%){Calling-Station-Id}))}") {
ERROR: (0) String passed does not look like an LDAP URL
(0) EXPAND%{ldap:(&(objectClass=ieee802Device)(macAddress=%(ldap:%28&%28objectClass=ieee802Device%29%28macAddress=%){Calling-Station-Id}))}
(0) -->
(0) if (!"%{ldap:(&(objectClass=ieee802Device)(macAddress=%(ldap:%28&%28objectClass=ieee802Device%29%28macAddress=%){Calling-Station-Id}))}") -> TRUE
(0) if (!"%{ldap:(&(objectClass=ieee802Device)(macAddress=%(ldap:%28&%28objectClass=ieee802Device%29%28macAddress=%){Calling-Station-Id}))}") {
(0) [reject] = reject
(0) } # if (!"%{ldap:(&(objectClass=ieee802Device)(macAddress=%(ldap:%28&%28objectClass=ieee802Device%29%28macAddress=%){Calling-Station-Id}))}") = reject
(0) } # authorize = reject
(0) Using Post-Auth-Type Reject
(0) Delaying response for 1.000000 seconds
Waking up in 0.3 seconds.
Waking up in 0.6 seconds.
(0) Sending delayed response
(0) Sent Access-Reject Id 126 from 127.0.0.1:1812 to 127.0.0.1:36895 length 20
Waking up in 3.9 seconds.
(0) Cleaning up request packet ID 126 with timestamp +10
Ready to process requests
What have I done wrong?
And additionally, how can I define that the LDAP query should only look in the "ou=hosts" on the LDAP server?
Best,
Thomas
On 15.04.15 4:03 PM, Alan DeKok <aland at deployingradius.com> wrote:
>
> On Apr 15, 2015, at 8:12 AM, Thomas Stather <Thomas.Stather at mpimf-heidelberg.mpg.de> wrote:
> > I am new to RADIUS and I'd like to know how to set up MAC-based authentication for my clients.
>
> There's a guide on the Wiki, but your setup is a bit different.
>
> > Here is what i have so far:
> >
> > -freeradius 3.0.3
> > -/etc/raddb/clients.conf (set up with the IPs of the NAS devices)
> >
> > Now I'm unsure how to configure the mods-enabled/ldap configuration.
> >
> > All the hosts are located in an OU named "hosts"; the MAC address of each host has the attribute name "macAddress" within the host object (i.e. cn=testdevice).
>
> Figure out which LDAP query will return that macAddress. Try it with ldapsearch and a sample MAC address, e.g. 00:01:02:03:04:05.
>
> > My virtual server in sites-enabled/macauth looks like this:
> ...
> > # now authenticate against LDAP
> > ldap
>
> You don't want to do that. The normal LDAP processing is for *users* in LDAP. I don't think each host has a password and other user attributes in it. So don't use "ldap".
>
> Instead, do:
>
> if (!"%{ldap:QUERY}") {
> reject
> }
> update control {
> Auth-Type := Accept
> }
>
>
> where QUERY is the LDAP query used to find the mac address. Use %{Calling-Station-Id} instead of the MAC address from the "ldapsearch" above.
>
> The only issue here is that this configuration will do ONLY mac auth. All other authentication methods will fail. If that's what you want, fine.
>
> Alan DeKok.
>
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>
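Added example (not from the thread or from FreeRADIUS itself): the two pieces the debug output shows going wrong, done outside the server so they can be checked in isolation. It canonicalises a Calling-Station-Id with the same regex the rewrite_calling_station_id policy uses, escapes the value per RFC 4515 before it is placed in the (&(objectClass=ieee802Device)(macAddress=...)) filter from the thread, and builds an RFC 4516 ldap:/// URL scoped to the hosts OU; the base DN ou=hosts,dc=example,dc=org is a placeholder.

```python
import re

# Same pattern as the rewrite_calling_station_id policy in the debug output:
# six hex pairs, each optionally followed by one non-hex separator character.
_MAC_RE = re.compile(
    r"^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?"
    r"([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$",
    re.IGNORECASE,
)


def normalize_mac(calling_station_id):
    """Return the MAC as lower-case colon-separated octets (the form stored in
    LDAP here), or None when the value does not look like a MAC at all."""
    m = _MAC_RE.match(calling_station_id.strip())
    if not m:
        return None
    return ":".join(octet.lower() for octet in m.groups())


def ldap_filter_escape(value):
    """RFC 4515 escaping for a value embedded in an LDAP search filter, so a
    Calling-Station-Id can never alter the filter's structure."""
    out = []
    for ch in value:
        if ch in "\\*()\x00":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def mac_filter(calling_station_id):
    """Build the filter from the thread, refusing anything that is not a
    well-formed MAC (escaping is belt-and-braces after that check)."""
    mac = normalize_mac(calling_station_id)
    if mac is None:
        raise ValueError("Calling-Station-Id is not a MAC: %r" % calling_station_id)
    return "(&(objectClass=ieee802Device)(macAddress=%s))" % ldap_filter_escape(mac)


def mac_ldap_url(calling_station_id, base_dn="ou=hosts,dc=example,dc=org"):
    """RFC 4516 URL (ldap:///base?attrs?scope?filter) limited to the hosts OU.
    base_dn is a placeholder; substitute the real directory suffix."""
    return "ldap:///%s?macAddress?sub?%s" % (base_dn, mac_filter(calling_station_id))
```

Note that the debug output above shows no Calling-Station-Id in the request at all (radtest only sent User-Name, User-Password, NAS-IP-Address, NAS-Port and Message-Authenticator), which is why the policy reports it cannot retrieve the values for its condition; a test packet has to carry that attribute before any of this matching can succeed.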