hi alexandre,

this is a very nice idea, thank you for that! (using an external script helped me with another problem ;-) ) but actually i prefer to have all the authentication data in one place. meanwhile i managed to check username, password and calling-station-id against the data in an ldap-database. i would like to have the data in a file like /etc/freeradius/users but i could not figure out how this has to be done, i tried something like:
----8<---- part of /etc/freeradius/users ------
testuser  Auth-Type := Local, User-Password == "testing", Calling-Station-Id == "AABBCCDDEEFF"
          Service-Type = Framed-User,
          Framed-IP-Address = 192.168.0.111,
---->8----

but freeradius returns

modcall[authorize]: module "files" returns notfound for request 0

where can i find information about the syntax of the "users" file or how can i add the data for calling-station-id in this file?

thanks in advance for any hints!

markus

Quoting Alexandre Coninx <[EMAIL PROTECTED]>:

> On Thu, Mar 17, 2005, Markus Krause wrote:
> > hi all,
> >
> > i want to authenticate users at a cisco router by checking the mac-address,
> > the username and the password. (how) can this be done using freeradius?
>
> Hello,
>
> I manage to do that by first checking the MAC during the authorization
> process with an external script (using the exec module), and then
> authenticating the user with user/password with whatever method you
> want to use (in my case PEAP-MSCHAPv2 + ntlm_auth, but any other should
> work).
>
> My radiusd.conf looks like this :
>
> modules {
>     ...
>     exec mac_check {
>         wait = yes
>         program = "/path/to/your/script.pl %{User-Name} %{Calling-Station-Id}"
>         input_pairs = request
>         output_pairs = reply
>         packet_type = Access-Request
>         ...
>     }
> }
>
> authorize {
>     preprocess
>     auth_log
>     mac_check
>     mschap
>     eap
> }
>
> authenticate {
>     Auth-Type MS-CHAP {
>         mschap
>     }
>     eap
> }
>
>
> The script is a simple perl script that connects to our members
> database, checks if the MAC is registered and belongs to the
> member trying to connect, and refuses (exit 1;) or accepts (exit 0;)
> authorization based on that.
>
> There is probably a cleaner way to do that, but it works well.
>
> --
> Endy
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>

--
Markus Krause                      email: [EMAIL PROTECTED]
Computing Center                   Tel.: 089 - 89 40 85 99
Group Lottspeich / Proteomics      Fax.: 089 - 89 40 85 98
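
Added example, not part of the original thread and not Alexandre's Perl script: a Python version of the kind of check the quoted reply describes for the exec module, taking User-Name and Calling-Station-Id as arguments and exiting 0 to accept or 1 to refuse. The member table is constructed sample data standing in for the members database, and the function names are hypothetical; because the separator and case of Calling-Station-Id vary between NAS devices, the MAC is normalized before comparison.

```python
#!/usr/bin/env python3
"""MAC check for an exec-module call: argv = script, User-Name, Calling-Station-Id."""
import re
import sys

# Constructed sample data standing in for the members database (assumption).
REGISTERED = {
    "testuser": {"aabbccddeeff"},
    "alice": {"001122334455", "0011223344aa"},
}

_SEPARATORS = re.compile(r"[.:\-\s]")
_MAC = re.compile(r"[0-9a-f]{12}")


def normalize_mac(raw):
    """Return 12 lowercase hex digits, or None if raw is not a MAC address.

    Accepts AABBCCDDEEFF, aa:bb:cc:dd:ee:ff, AA-BB-CC-DD-EE-FF and aabb.ccdd.eeff.
    """
    if not raw:
        return None
    mac = _SEPARATORS.sub("", raw).lower()
    return mac if _MAC.fullmatch(mac) else None


def mac_allowed(username, calling_station_id, registered=REGISTERED):
    """True only if the MAC is well formed and registered to this user."""
    mac = normalize_mac(calling_station_id)
    if mac is None:
        return False  # malformed or missing attribute: fail closed
    allowed = {normalize_mac(m) for m in registered.get(username, ())}
    return mac in allowed


def main(argv):
    # Wrong argument count (e.g. an attribute expanded to nothing): refuse.
    if len(argv) != 3:
        return 1
    return 0 if mac_allowed(argv[1], argv[2]) else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

A literal `==` comparison against one fixed spelling of the MAC matches only when the NAS sends exactly that spelling, which is why the script compares normalized values.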