On Thu, Mar 17, 2005, Markus Krause wrote:
> hi all,
>
> i want to authenticate users at a cisco router by checking the mac-address, the
> username and the password. (how) can this be done using freeradius?

Hello,

I manage to do that by first checking the MAC during the authorization process with an external script (using the exec module), and then authenticating the user with user/password with whatever method you want to use (in my case PEAP-MSCHAPv2 + ntlm_auth, but any other should work).

My radiusd.conf looks like this:

    modules {
        ...
        exec mac_check {
            # wait for the script to finish so its exit status is used
            wait = yes
            program = "/path/to/your/script.pl %{User-Name} %{Calling-Station-Id}"
            # attributes of the request are made available to the script
            input_pairs = request
            # anything the script prints is added to the reply
            output_pairs = reply
            # only run for Access-Request packets
            packet_type = Access-Request
            ...
        }
    }

    authorize {
        preprocess
        auth_log
        mac_check
        mschap
        eap
    }

    authenticate {
        Auth-Type MS-CHAP {
            mschap
        }
        eap
    }

The script is a simple perl script that connects to our members database, checks if the MAC is registered and belongs to the member trying to connect, and refuses (exit 1;) or accepts (exit 0;) authorization based on that.

There is probably a cleaner way to do that, but it works well.

-- 
Endy
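
A sketch of the kind of check script described in the message above. This is an added example, not part of the original post and not the poster's Perl script; it is written in Python, and the in-memory MEMBERS table, the function names and the accepted MAC formats are assumptions standing in for the real members database.

```python
#!/usr/bin/env python3
"""MAC/user binding check for the FreeRADIUS exec module (added example)."""
import re
import sys

# Constructed sample data standing in for the members database (assumption).
MEMBERS = {
    "alice": {"001122334455"},
    "bob": {"a0b1c2d3e4f5", "0a1b2c3d4e5f"},
}

_SEPARATORS = re.compile(r"[-:.\s]")
_MAC_HEX = re.compile(r"[0-9a-f]{12}")


def normalize_mac(raw):
    """Return 12 lowercase hex digits, or None if raw is not a MAC address.

    Accepts 00:11:22:33:44:55, 00-11-22-33-44-55, 0011.2233.4455 and
    001122334455, so the same device matches whatever format the NAS
    uses in Calling-Station-Id.
    """
    candidate = _SEPARATORS.sub("", raw.strip().lower())
    return candidate if _MAC_HEX.fullmatch(candidate) else None


def is_authorized(username, calling_station_id, members=MEMBERS):
    """True only if the MAC parses and is registered to this exact user."""
    mac = normalize_mac(calling_station_id)
    if mac is None:
        return False  # fail closed on a missing or malformed attribute
    return mac in members.get(username, set())


def main(argv):
    # radiusd passes %{User-Name} and %{Calling-Station-Id} as arguments.
    if len(argv) != 3:
        return 1  # wrong argument count (e.g. an empty attribute): reject
    # Exit 0 lets authorization continue, exit 1 refuses it.
    return 0 if is_authorized(argv[1], argv[2]) else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Calling-Station-Id is reported by the NAS and a MAC address can be changed on the client, so this check narrows which device a user may connect from; the password step that follows it is still what authenticates the user.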