
List:       freeradius-users
Subject:    Re: Mac Auth against LDAP
From:       Nikolaos Milas <nmilas () noa ! gr>
Date:       2013-08-26 13:17:39
Message-ID: 521B5573.90006 () noa ! gr

On 26/8/2013 2:15 pm, Arran Cudbard-Bell wrote:

> Unless you are querying different DNs for the different Mac-Auth types then doing
> this is the wrong way to approach this.
> the presence of the attributes in the LDAP object to dictate what type of
> authorisation you're doing.

Thanks Arran,

I tried and tested all scenarios with your (former) suggestion and it 
worked flawlessly as:

     # Look the host up in LDAP; control:* attributes are populated
     # from the LDAP object by the ldap_macauth instance
     ldap_macauth

     # No object found (neither "ok" nor "updated"): unknown host
     if (!ok && !updated) {
         reject
     }

     # If the LDAP object pins the host to a NAS, enforce it
     if (control:NAS-IP-Address) {
         if (control:NAS-IP-Address != "%{NAS-IP-Address}") {
             reject
         }

         # Optionally also pin the host to a port on that NAS
         if (control:NAS-Port && (control:NAS-Port != "%{NAS-Port}")) {
             reject
         }
     }

     # All checks passed: accept without a password check
     update control {
         Auth-Type := Accept
     }

Thanks so much. Correctly using the policy language is not so obvious 
and it would take me long to figure out.

Finally, one finishing touch:

Can we use the new DHCP functionality to assign an IP address (stored in 
the host's LDAP entry) to a correctly authenticated host?

-OR-

Can we check the IP address being used by the authenticated host, 
compare it against a stored IP Address in the host's LDAP entry, and 
deny access if there is a mismatch?

Best regards,
Nick
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
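As an added example (not posted in this thread), the following sketches how the second question could be handled in the same style as the policy above: the ldap instance copies a stored address into the control list and the policy rejects a request whose address differs. The instance settings, the LDAP attribute names (macAddress, radiusNASIpAddress, radiusNASPortId, radiusFramedIPAddress) and the FreeRADIUS 3.0 ldap module syntax are assumptions, not taken from the thread.

```unlang
# Assumed ldap instance (FreeRADIUS 3.0 mods-available syntax).
# Right-hand side attribute names are assumptions about the directory
# schema, not values from the thread.
ldap ldap_macauth {
    server = "ldap.example.com"
    base_dn = "ou=hosts,dc=example,dc=com"

    user {
        base_dn = "${..base_dn}"
        # Look the host up by MAC. The stored format must match what the
        # NAS sends in Calling-Station-Id (assumed lower-case here).
        filter = "(macAddress=%{tolower:%{Calling-Station-Id}})"
    }

    update {
        # A control attribute is only set when the LDAP object carries
        # the attribute, so the policy can test for its presence.
        control:NAS-IP-Address    := 'radiusNASIpAddress'
        control:NAS-Port          := 'radiusNASPortId'
        control:Framed-IP-Address := 'radiusFramedIPAddress'
    }
}

# authorize section fragment: the posted policy plus an IP check.
ldap_macauth

if (!ok && !updated) {
    reject
}

if (control:NAS-IP-Address) {
    if (control:NAS-IP-Address != "%{NAS-IP-Address}") {
        reject
    }
    if (control:NAS-Port && (control:NAS-Port != "%{NAS-Port}")) {
        reject
    }
}

# IP mismatch check: if the directory stores an address for the host and
# the request carries a different one, reject. The bare Framed-IP-Address
# test skips the check when the NAS did not include the attribute.
if (control:Framed-IP-Address && Framed-IP-Address && (control:Framed-IP-Address != "%{Framed-IP-Address}")) {
    reject
}

update control {
    Auth-Type := Accept
}
```

The check only works where the NAS actually reports the client address in the Access-Request; with pure MAC authentication at link-up time the attribute is usually absent, which is why the condition tolerates a missing Framed-IP-Address.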

