Authorize access by MAC Address

Matthew Newton mcn at freeradius.org
Thu Oct 24 12:39:22 CEST 2019


On Wed, 2019-10-23 at 23:44 +0000, Mike DiBella wrote:
> The access request authorization policy should allow access if the
> device object is found in the directory by MAC address, and
> deviceCompliance is 0.
> 
> I've looked over the documentation for LDAP backend configuration,
> but it is heavily biased towards the authorize-by-user-identity use
> case.

The defaults check for the username, because that's what most people
do.

> Are there any configuration examples for mapping identity using MAC
> address? Any examples for adding custom LDAP attributes for
> access-adjudication?

It's all in mods-available/ldap.

Update the user filter to match on something other than uid and
%{Stripped-User-Name}, e.g.
"(&(wiFiMAC=%{Calling-Station-Id})(deviceCompliance=0))"

You can change the update{} section to copy any LDAP attributes into
RADIUS attributes if you need them.

-- 
Matthew
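
The changes described in the reply above, written out as a configuration fragment. This is an added example in FreeRADIUS 3.x syntax, not part of the original post and not the project's shipped configuration. Assumptions: the base DN is a placeholder, wiFiMAC is stored in the directory as AA-BB-CC-DD-EE-FF, and Tmp-Integer-0 is an arbitrary choice of attribute to hold the copied value.

```conf
# mods-available/ldap: only the parts that change are shown.
ldap {
	# Placeholder (assumption); use your directory's base DN.
	base_dn = 'dc=example,dc=org'

	user {
		base_dn = "${..base_dn}"

		# Shipped default, keyed on the user name:
		# filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"

		# Match the device object by MAC address and require compliance.
		# The filter is one string and must stay on one line.
		filter = "(&(wiFiMAC=%{Calling-Station-Id})(deviceCompliance=0))"
	}

	update {
		# Add to the existing mappings: copy an LDAP attribute into a
		# RADIUS attribute so later policy or logging can read it.
		# Tmp-Integer-0 is an arbitrary holder (assumption).
		control:Tmp-Integer-0 := 'deviceCompliance'
	}
}

# sites-available/default: inside the existing authorize section.
authorize {
	# Shipped policy from policy.d/canonicalization. It rewrites
	# Calling-Station-Id to AA-BB-CC-DD-EE-FF, so one stored format
	# matches whatever separator or case the NAS sends.
	# Assumes wiFiMAC is stored in that format.
	rewrite_calling_station_id

	ldap

	# No object matched the filter: the MAC is unknown, or the device
	# exists but deviceCompliance is not 0.
	if (notfound) {
		reject
	}
}
```

Because the compliance test is part of the search filter, a non-compliant device and an unknown device both return notfound and cannot be told apart in the logs without a second lookup.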



