List: freeradius-users
Subject: Re: Mac Auth against LDAP
From: Nikolaos Milas <nmilas () noa ! gr>
Date: 2013-08-26 13:17:39
Message-ID: 521B5573.90006 () noa ! gr
On 26/8/2013 2:15 PM, Arran Cudbard-Bell wrote:
> Unless you are querying different DNs for the different Mac-Auth types then doing this is the wrong way to approach this.
> the presence of the attributes in the LDAP object to dictate what type of authorisation you're doing.
Thanks Arran,
I tried and tested all scenarios with your (former) suggestion and it
worked flawlessly as:
ldap_macauth
if (!ok && !updated) {
    reject
}
if (control:NAS-IP-Address) {
    if (control:NAS-IP-Address != "%{NAS-IP-Address}") {
        reject
    }
    if (control:NAS-Port && (control:NAS-Port != "%{NAS-Port}")) {
        reject
    }
}
update control {
    Auth-Type := Accept
}
Thanks so much. Correctly using the policy language is not so obvious
and it would have taken me a long time to figure out.
Finally, one finishing touch:
Can we use the new DHCP functionality to assign an IP address (stored in
the host's LDAP entry) to a correctly authenticated host?
-OR-
Can we check the IP address being used by the authenticated host,
compare it against a stored IP Address in the host's LDAP entry, and
deny access if there is a mismatch?
Best regards,
Nick
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
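Added example, not code from the post or from FreeRADIUS: the unlang policy above re-expressed as a small Python reference model, so each reject branch can be checked against constructed requests. The Framed-IP-Address comparison at the end is an assumption standing in for the second question in the post, not a confirmed FreeRADIUS configuration; the directory contents are constructed sample data.

```python
# Reference model of the posted unlang policy (added example, not FreeRADIUS code).
# "control" stands for the attributes ldap_macauth copies from the host's LDAP
# entry; "request" is the RADIUS Access-Request as a plain dict.

from typing import Optional

# Constructed directory: MAC -> attributes present in that host's LDAP entry.
SAMPLE_DIRECTORY = {
    "00:11:22:33:44:55": {"NAS-IP-Address": "10.0.0.1", "NAS-Port": "3"},
    "66:77:88:99:aa:bb": {"NAS-IP-Address": "10.0.0.2"},
    "cc:dd:ee:ff:00:11": {"Framed-IP-Address": "192.0.2.10"},
    "22:33:44:55:66:77": {},
}


def ldap_macauth(mac: str, directory: dict) -> Optional[dict]:
    """Look the MAC up; None models ldap_macauth returning neither ok nor updated."""
    return directory.get(mac.lower())


def authorize(request: dict, directory: dict = SAMPLE_DIRECTORY) -> str:
    control = ldap_macauth(request["Calling-Station-Id"], directory)
    if control is None:                        # if (!ok && !updated) { reject }
        return "reject"
    if "NAS-IP-Address" in control:            # if (control:NAS-IP-Address) {
        # An attribute missing from the request expands to "" in unlang,
        # so it never equals the stored value.
        if control["NAS-IP-Address"] != request.get("NAS-IP-Address", ""):
            return "reject"
        # NAS-Port is only compared inside the NAS-IP-Address block, as posted.
        if "NAS-Port" in control and control["NAS-Port"] != request.get("NAS-Port", ""):
            return "reject"
    # Assumed extension (fail closed): a stored IP that differs from the one the
    # host presents, or no IP presented at all, counts as a mismatch.
    if "Framed-IP-Address" in control and \
            control["Framed-IP-Address"] != request.get("Framed-IP-Address", ""):
        return "reject"
    return "accept"                            # update control { Auth-Type := Accept }
```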