Active Directory and Calling-Station-Id
Brian Candler
b.candler at pobox.com
Wed Feb 22 12:37:45 CET 2017
On 22/02/2017 08:18, Ethariel wrote:
> I've tried to insert in the users file :
>
> customer2 Calling-Station-Id := "BB-BB-BB-BB-BB-BB"
>
> but with correct password customer2 is always authenticated using the
> BB-....-BB MAC address or not.
The users file has some magic you need to know about. The structure of
each entry is like this:
<key> <first line>
	<subsequent lines>
Any comparison operators (like ==) in the first line cause an attribute
to be *checked* on the *request* list. If any of the checks fail, this
entire entry in the users file is skipped. If there are more entries
with the same key, it will try those.
However, if all the checks on the first line succeed, then:
* Any assignment operators (like :=) in the first line cause attributes
to be *set* on the *control* list
* The subsequent lines cause attributes to be *set* on the *reply* list.
So you could do this:
customer2 Auth-Type := Reject, Calling-Station-Id != "BB-BB-BB-BB-BB-BB"
This means: "if the user name is customer2, AND the (request) calling
station id is not the given value, THEN set control:Auth-Type to
Reject". It will then reject them without even checking the supplied
password.
You could also add reply attributes if you wish:
customer2 Auth-Type := Reject, Calling-Station-Id != "BB-BB-BB-BB-BB-BB"
	Reply-Message := "Wrong MAC Address"
If the condition is not true, this entire entry is skipped, so neither
Auth-Type nor Reply-Message is set.
If you want to allow multiple MAC addresses then you could either do a
regex match, or you could split the logic like this:
customer2 Calling-Station-Id == "BB-BB-BB-BB-BB-BB"
customer2 Calling-Station-Id == "CC-CC-CC-CC-CC-CC"
customer2 Auth-Type := Reject
	Reply-Message := "Wrong MAC Address"
The first two entries make no updates to either control or reply lists.
However, since they don't have "Fall-Through := 1" then all subsequent
entries for the same username are skipped.
All examples above untested by me, but should be close to what you need.
Regards,
Brian.
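The matching rules described in the reply above (check items on the first line against the request, control and reply items set only when every check passes, later entries skipped unless Fall-Through is set), as an added simulator that is not part of the post and not FreeRADIUS code. The users-file text is constructed from the three-entry example; treating a request attribute that is absent as a failed check is an assumption of this model.

```python
import re

# Constructed users-file text mirroring the three-entry example in the post.
USERS_FILE = '''
customer2 Calling-Station-Id == "BB-BB-BB-BB-BB-BB"
customer2 Calling-Station-Id == "CC-CC-CC-CC-CC-CC"
customer2 Auth-Type := Reject
\tReply-Message := "Wrong MAC Address"
'''

# One item: Attribute <op> value, value optionally double-quoted.
ITEM_RE = re.compile(r'([\w-]+)\s*(:=|==|!=|=~)\s*("[^"]*"|[^,\s]+)')
CHECK_OPS = ('==', '!=', '=~')

def parse_users(text):
    """Return entries as (key, first-line items, subsequent-line items)."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith('#'):
            continue
        items = [(a, op, v.strip('"')) for a, op, v in ITEM_RE.findall(line)]
        if line[0] in ' \t':            # indented: continuation of the previous entry
            entries[-1][2].extend(items)
        else:                           # new entry: key, then first-line items
            entries.append((line.split(None, 1)[0], items, []))
    return entries

def check_passes(op, expected, actual):
    """Compare one request attribute; a missing attribute fails (assumption)."""
    if actual is None:
        return False
    if op == '==':
        return actual == expected
    if op == '!=':
        return actual != expected
    return re.search(expected, actual) is not None      # =~ regex match

def evaluate(entries, username, request):
    """Walk the entries for username and return the (control, reply) lists."""
    control, reply = {}, {}
    for key, first, rest in entries:
        if key != username:
            continue
        checks = [i for i in first if i[1] in CHECK_OPS]
        if not all(check_passes(op, v, request.get(a)) for a, op, v in checks):
            continue                    # any failed check skips the whole entry
        control.update((a, v) for a, op, v in first if op == ':=')
        reply.update((a, v) for a, op, v in rest)
        if '1' not in (control.get('Fall-Through'), reply.get('Fall-Through')):
            break                       # no Fall-Through: later entries are skipped
    return control, reply
```

With the BB or CC address the first matching entry sets nothing and processing stops, so the normal password check proceeds; with any other address only the third entry matches and Auth-Type := Reject is set.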