MAC Auth Question
J Kephart
jkephart at safetynetaccess.com
Wed Jun 10 22:25:24 CEST 2015
Good day!
We use FR to handle AAA services at a number of client sites, though
we've not done anything "fancy" with it as yet. However, we've recently
started using MAC authentication, but one thing we don't want to have
happen is for a user to sign up for service in one location and then
move to another and be able to use the network without signing in (both
sites would be configured for MAC auth).
To that end, we're thinking we might do something like the following:
1. Combine the NAS-Identifier with the User-Name (e.g., "1234-samjones").
2. Do an sql lookup in radgroupreply (all users are assigned to groups
based on NAS-ID and username) to determine if the group exists.
3. If it does, permit MAC auth to succeed; otherwise, reject.
My first question is, does this seem a good way to prevent users from
automatic roaming between sites, given that our clients are different?
Does the method seem sound? Can we generate our own variable names
within the raddb files for later use in the sql lookup? And, most
importantly, where and in what file would be the best place to do this?
Also, for accounting purposes, we'd like to prepend the same nas-id to
the username. Any recommendations on how best to approach that?
We're stepping off the edge of the world here, well outside our comfort
zone, so we want to be sure we do this correctly. I appreciate any and
all pointers, especially to docs that might describe how to do this.
Cheers,
Jim
More information about the Freeradius-Users
mailing list