check user device mac address without doing mac-auth

Alan DeKok aland at deployingradius.com
Mon Apr 3 19:09:44 UTC 2023


On Apr 3, 2023, at 1:10 PM, Eby Mani via Freeradius-Users <freeradius-users at lists.freeradius.org> wrote:
> My bad, have used "==" operator with "users" file.

  That's good.

> The following in radcheck is working. Is it possible to add multiple mac-addr values? I tried adding a 3rd row with a different mac-addr; it did not work.

  Please read the SQL module documentation.  See the wiki for "rlm_sql".  The documentation describes how the module works, and what needs to go into SQL.

  You can't just add things to SQL and expect FreeRADIUS to understand what you mean.

>> What you want is a policy which says:
>> 
>> if user is X and MAC is not Y
>> reject
> 
> Where to add this query?
> 
> In sites-enabled/default, under the authenticate {} or authorize {} section, or somewhere else?

  You can add some "unlang" to the "authorize" section.  If you see the sample configuration for sites-available/default, for the difference between "authorize" and "authentication", the location for the rules should be fairly clear.

  You can't just put the SQL query into a virtual server, though.

  Alan DeKok.
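
The policy sketched in the thread ("if user is X and MAC is not Y, reject"), written as unlang for the "authorize" section and extended to allow more than one MAC address per user. This is an added example, not part of the original message and not FreeRADIUS project code; it assumes FreeRADIUS v3 syntax and the stock `rewrite_calling_station_id` policy, and the user name and MAC addresses are constructed sample values.

```unlang
# sites-available/default  (FreeRADIUS v3 syntax assumed)
authorize {
	filter_username
	preprocess

	# Calling-Station-Id is supplied by the NAS and its format varies by
	# vendor (aa:bb:cc..., AABB.CCDD.EEFF, aabbccddeeff). Rewrite it to the
	# dash-separated form first, using the policy shipped in
	# policy.d/canonicalization, so that one pattern matches every NAS.
	rewrite_calling_station_id

	# "if user is X and MAC is not Y, reject", with two allowed MACs.
	# "alice" and both addresses are constructed sample values.
	# A request with no Calling-Station-Id at all is rejected too;
	# otherwise leaving the attribute out would bypass the check.
	if (&User-Name == "alice") {
		if (!&Calling-Station-Id || (&Calling-Station-Id !~ /^(00-11-22-33-44-55|66-77-88-99-aa-bb)$/i)) {
			reject
		}
	}

	# The rest of the stock authorize section (files, sql, eap, pap and
	# so on) follows here unchanged; users other than "alice" are not
	# affected by the rule above.
}
```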


