On Thu, Mar 17, 2005, Markus Krause wrote:
> hi all,
>
> I want to authenticate users at a cisco router by checking the MAC address, the
> username and the password. (how) can this be done using freeradius?
Hello,
I manage to do that by first checking the MAC during the authorization
process with an external script (using the exec module), and then
authenticating the user with user/password with whatever method you
want to use (in my case PEAP-MSCHAPv2 + ntlm_auth, but any other should
work).
My radiusd.conf looks like this:

    modules {
        ...
        exec mac_check {
            wait = yes
            program = "/path/to/your/script.pl %{User-Name} %{Calling-Station-Id}"
            input_pairs = request
            output_pairs = reply
            packet_type = Access-Request
            ...
        }
    }

    authorize {
        preprocess
        auth_log
        mac_check
        mschap
        eap
    }

    authenticate {
        Auth-Type MS-CHAP {
            mschap
        }
        eap
    }

The script is a simple Perl script that connects to our members
database, checks if the MAC is registered and belongs to the
member trying to connect, and refuses (exit 1;) or accepts (exit 0;)
authorization based on that.
There is probably a cleaner way to do that, but it works well.
--
Endy
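
A sketch of the kind of check script the reply describes, as an added example that is not the poster's Perl script: it is written in Python, and the table name member_macs, its columns, and the in-memory SQLite database are assumptions standing in for the members database. It normalizes the Calling-Station-Id before comparing, binds both request values as query parameters, and rejects on any malformed input.

```python
#!/usr/bin/env python3
"""MAC/owner check for a FreeRADIUS exec module: exit 0 = accept, 1 = reject."""
import re
import sqlite3
import sys

def normalize_mac(raw):
    """Return 12 lowercase hex digits, or None if raw is not a MAC address.

    Accepts the usual Calling-Station-Id spellings: 00-11-22-33-44-55,
    00:11:22:33:44:55, 0011.2233.4455 and 001122334455.
    """
    digits = re.sub(r"[-:.]", "", raw.strip().lower())
    return digits if re.fullmatch(r"[0-9a-f]{12}", digits) else None

def mac_belongs_to(conn, username, calling_station_id):
    """True only if the MAC is registered to exactly this username."""
    mac = normalize_mac(calling_station_id)
    if mac is None or not username:
        return False  # fail closed on malformed or missing input
    # Bound parameters: both values come straight from the Access-Request.
    row = conn.execute(
        "SELECT 1 FROM member_macs WHERE mac = ? AND username = ?",
        (mac, username),
    ).fetchone()
    return row is not None

def open_sample_db():
    """Constructed in-memory stand-in for the members database (assumed schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE member_macs (mac TEXT PRIMARY KEY, username TEXT)")
    conn.executemany(
        "INSERT INTO member_macs VALUES (?, ?)",
        [("001122334455", "alice"), ("66778899aabb", "bob")],  # constructed rows
    )
    return conn

def main(argv):
    if len(argv) != 3:
        return 1  # wrong argument count (e.g. a username with spaces): reject
    return 0 if mac_belongs_to(open_sample_db(), argv[1], argv[2]) else 1

if __name__ == "__main__":
    sys.exit(main(sys.argv))
```
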