how to setup MAC based authentication with LDAP
Ben Humpert
ben at an3k.de
Tue May 12 15:18:51 CEST 2015
2015-05-12 11:51 GMT+02:00 Thomas Stather
<Thomas.Stather at mpimf-heidelberg.mpg.de>:
> Hello again
>
> I have this (LDAP string has been modified because of security considerations)
>
> server macauth {
>
>     authorize {
>         preprocess
>
>         # clean the Calling-Station-ID
>         rewrite_calling_station_id
>
>         # now authenticate against LDAP
>         if (!"%{ldap:ldaps:///ou=hosts,dc=.....?cn?sub?(&(objectClass=ieee802Device)(macAddress=%{Calling-Station-Id}))}") {
>             reject
>         }
>         else {
>             # accept
>             update control {
>                 Auth-Type := Accept
>             }
>         }
>     }
As Matthew wrote you're sending an Access-Accept as soon as the
Calling-Station-Id is found in LDAP and that doesn't work. The easiest
fix would be to send "noop" instead so that FR can continue doing its
stuff (which is required for a complete 802.1x session) and only send
a reject when the Calling-Station-Id is not found in LDAP. So the
above code would look like
if (!"%{ldap:ldaps:///ou=hosts,dc=.....?cn?sub?(&(objectClass=ieee802Device)(macAddress=%{Calling-Station-Id}))}")
{
    reject
}
else {
    # accept
    noop
}
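As an added illustration (not FreeRADIUS code and not from either list post), the two points of the quoted config modelled in Python: the Calling-Station-Id is canonicalised, as the rewrite_calling_station_id step is meant to do, before it is interpolated into the ieee802Device/macAddress filter, and the authorize decision returns noop rather than Auth-Type := Accept so the rest of the 802.1X processing can run. The lower-case colon-separated canonical form and the sample directory entries are assumptions; the form has to match how macAddress is actually stored in the directory.

```python
"""Model of the MAC-authorization logic discussed above (added example)."""
import re
from typing import Optional, Set

# Twelve hex digits once separators are removed.
MAC_DIGITS = re.compile(r"^[0-9a-f]{12}$")

def canonical_mac(station_id: str) -> Optional[str]:
    """Return 'aa:bb:cc:dd:ee:ff' for the common MAC spellings, else None.

    Accepts aa:bb:cc:dd:ee:ff, AA-BB-CC-DD-EE-FF, aabb.ccdd.eeff and
    aabbccddeeff.  Anything else is not a MAC and is rejected here instead
    of being passed on into the LDAP filter.  (Assumed canonical form.)
    """
    digits = re.sub(r"[:\-.]", "", station_id.strip().lower())
    if not MAC_DIGITS.match(digits):
        return None
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def mac_filter(station_id: str) -> Optional[str]:
    """Build the filter from the quoted config, but only from a canonical MAC."""
    mac = canonical_mac(station_id)
    if mac is None:
        return None
    return f"(&(objectClass=ieee802Device)(macAddress={mac}))"

def decide(station_id: str, directory: Set[str]) -> str:
    """Authorize outcome as Ben suggests: 'reject' when the MAC is not in the
    directory, 'noop' (not Auth-Type := Accept) when it is, so FreeRADIUS
    continues with the remaining 802.1X processing."""
    mac = canonical_mac(station_id)
    if mac is None or mac not in directory:
        return "reject"
    return "noop"

if __name__ == "__main__":
    # Constructed sample macAddress values standing in for the LDAP hosts OU.
    known = {"00:11:22:33:44:55", "aa:bb:cc:dd:ee:ff"}
    for sid in ["00-11-22-33-44-55", "AABB.CCDD.EEFF",
                "de:ad:be:ef:00:01", "not-a-mac"]:
        print(f"{sid!r:>20} -> filter={mac_filter(sid)!r} "
              f"result={decide(sid, known)}")
```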