how to setup MAC based authentication with LDAP
brendan kearney
bpk678 at gmail.com
Wed Apr 22 03:40:51 CEST 2015
Because I authenticate my users against kerberos, not ldap. A principal
and an ldap object all for MAB seems excessive to me.
I also see that as an unnecessary duplication of data in the directory. I
have the mac addresses as part of a couple of object classes and don't need
more than one "copy" of the data.
On Apr 21, 2015 9:23 PM, "Ben Humpert" <ben at an3k.de> wrote:
> 2015-04-21 23:00 GMT+02:00 Brendan Kearney <bpk678 at gmail.com>:
> > my switch (cisco sg500) will identify that a client does not support .1x
> > and will provide the mac address as the username and password in an EAP
> > message. because it is an EAP message, i can leverage the
> > Calling-Station-Id attribute, and distinguish user auth vs. mac auth
> > bypass with the "if (EAP-Message)" statement.
>
> So the only difference between a user/pass access-request package and
> one for mac bypass is just that the mac bypass contains the mac
> address as the username and password? If so, why don't you add a
> "user" for these mac addresses into your ldap just like you did with
> real users?
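Added example, not part of the original thread and not FreeRADIUS code: a Python sketch of the decision discussed above. It treats a request as MAC auth bypass only when the MAC-shaped User-Name matches Calling-Station-Id, then looks up the existing directory entry by its MAC attribute instead of a per-MAC user object. The function names, the sample requests and the `macAddress` attribute name are assumptions.

```python
import re

_HEX12 = re.compile(r"^[0-9a-f]{12}$")

def normalize_mac(value):
    """Return the MAC as aa:bb:cc:dd:ee:ff, or None if value is not a MAC."""
    digits = re.sub(r"[-:.]", "", value.strip().lower())
    if not _HEX12.match(digits):
        return None  # anything with LDAP filter metacharacters ends up here
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def classify(request):
    """Classify an Access-Request (dict of attributes): 'mab', 'user' or 'reject'."""
    name_mac = normalize_mac(request.get("User-Name", ""))
    if name_mac is None:
        return "user"  # ordinary username: handled by normal user auth (kerberos here)
    station = normalize_mac(request.get("Calling-Station-Id", ""))
    # A MAC-shaped User-Name is accepted only if it is the MAC the switch saw
    # on the port; a mismatch means someone typed another device's MAC.
    return "mab" if station == name_mac else "reject"

def mac_filter(request, attr="macAddress"):
    """Build the LDAP search filter for a MAB request, or None otherwise.

    attr is an assumed attribute name; use whichever attribute of the
    existing object classes already holds the MAC address.
    """
    if classify(request) != "mab":
        return None
    # The normalized MAC contains only hex digits and colons, so it is safe
    # to place in the filter without further escaping.
    return "(%s=%s)" % (attr, normalize_mac(request["Calling-Station-Id"]))

# Constructed sample requests, not captured traffic.
SAMPLES = [
    {"User-Name": "aabbccddeeff", "Calling-Station-Id": "AA-BB-CC-DD-EE-FF"},
    {"User-Name": "alice", "Calling-Station-Id": "AA-BB-CC-DD-EE-FF"},
    {"User-Name": "001122334455", "Calling-Station-Id": "AA-BB-CC-DD-EE-FF"},
]

if __name__ == "__main__":
    for req in SAMPLES:
        print(req["User-Name"], classify(req), mac_filter(req))
```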