how to setup MAC based authentication with LDAP
Alan DeKok
aland at deployingradius.com
Thu Apr 16 18:13:16 CEST 2015
On Apr 16, 2015, at 6:22 AM, Thomas Stather <Thomas.Stather at mpimf-heidelberg.mpg.de> wrote:
> I tried to set it up but I failed
Following directions helps. Reading the debug output helps.
> if (!"%{ldap:(&(objectClass=ieee802Device)(macAddress=%{Calling-Station-Id}))}") {
Is that a valid LDAP query? Probably not.
> radtest f0-1f-af-35-c8-10 f0-1f-af-35-c8-10 127.0.0.1 10 test123 (the mac address exists in LDAP as f0:1f:af:35:c8:10)
Which doesn't send a Calling-Station-Id attribute.
> Ready to process requests
> (0) Received Access-Request Id 126 from 127.0.0.1:36895 to 127.0.0.1:1812 length 103
> (0) User-Name = 'f0-1f-af-35-c8-10'
> (0) User-Password = 'f0-1f-af-35-c8-10'
> (0) NAS-IP-Address = 192.168.1.1
> (0) NAS-Port = 10
> (0) Message-Authenticator = 0x2e1129946169764255df311101b1f418
> (0) # Executing section authorize from file /etc/raddb/sites-enabled/mpimf-macauth
And there's no Calling-Station-Id in the packet. How do you expect to use policies based on Calling-Station-Id when it's not in the packet?
See "man radclient". Or even read the "radtest" script. It's a shell script. You need to *explicitly* add a Calling-Station-Id attribute to the packet.
...
Calling-Station-Id = f0-1f-af-35-c8-10
...
Read the debug output for packets sent by the NAS. Use them as a template, and create files which radclient will read. You will then be sure that your tests match the packets sent by the NAS.
> What have I done wrong?
I had given detailed instructions in my previous message. Following them would be a good idea.
> And additionally, how can I define that the LDAP query should only look in the "ou=hosts" on the LDAP server?
You should write an LDAP query that uses "ou=hosts".
I told you to write an LDAP query, and test it via "ldapsearch". You seem to have skipped that step. Why?
Alan DeKok.
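The two steps Alan asks for, as an added example that is not part of the thread: build a radclient attribute file that mirrors the NAS packet from the debug output and explicitly carries Calling-Station-Id, and build the LDAP filter to verify with ldapsearch against the ou=hosts subtree before it goes into unlang. It also normalises the MAC, because the NAS sends f0-1f-af-35-c8-10 while the directory stores f0:1f:af:35:c8:10. The search base "ou=hosts,dc=example,dc=org", the LDAP host ldap.example.org and the secret test123 are placeholders.

```shell
#!/bin/sh
# Added example, not from the FreeRADIUS project or the original post.
# Assumed placeholders: base DN ou=hosts,dc=example,dc=org, host ldap.example.org.

# Normalise a MAC to the colon-separated lower-case form stored in LDAP,
# whatever separator the NAS used (dashes, dots, none, upper-case).
normalize_mac() {
    printf '%s' "$1" | tr 'A-F' 'a-f' | tr -d ':.-' | sed 's/../&:/g; s/:$//'
}

# The filter from the post, with the normalised MAC; the subtree restriction
# is done with the -b search base on the ldapsearch command line, not in the filter.
ldap_filter() {
    printf '(&(objectClass=ieee802Device)(macAddress=%s))' "$(normalize_mac "$1")"
}

# Write a radclient attribute file that matches the NAS packet seen in the debug
# output (User-Name, User-Password, NAS-IP-Address, NAS-Port) plus the
# Calling-Station-Id that radtest does not send. Returns the number of
# Calling-Station-Id lines written so the result can be checked.
write_radclient_file() {
    mac=$1; out=$2
    cat > "$out" <<EOF
User-Name = "$mac"
User-Password = "$mac"
NAS-IP-Address = 192.168.1.1
NAS-Port = 10
Calling-Station-Id = "$mac"
EOF
    grep -c '^Calling-Station-Id' "$out"
}

# With --show, print (do not run) the two verification commands.
if [ "${1:-}" = "--show" ]; then
    mac=f0-1f-af-35-c8-10
    write_radclient_file "$mac" /tmp/macauth.txt >/dev/null
    echo "ldapsearch -x -H ldap://ldap.example.org -b 'ou=hosts,dc=example,dc=org' '$(ldap_filter "$mac")'"
    echo "radclient -f /tmp/macauth.txt 127.0.0.1 auth test123"
fi
```

Run the ldapsearch first; if it returns no entry for the normalised MAC, the unlang check will fail for that reason alone, and the debug output will show whether the Calling-Station-Id from the file reached the policy.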