Hi Alexandre,

Just one question if I may... I had a look through the relevant documentation (that I could find) about the exec module - and all is looking very good.

One thing that I cannot for the love of life find... What is the script supposed to return to FR, and how?

--
Chris.


----- Original Message -----
From: "Alexandre Coninx" <[EMAIL PROTECTED]>
To: <freeradius-users@lists.freeradius.org>
Sent: Friday, March 18, 2005 3:54 PM
Subject: Re: authentication by mac adress, username and password



On Thu, Mar 17, 2005, Markus Krause wrote:
> hi all,
>
> i want to authenticate users at a cisco router by checking the mac-address, the
> username and the password. (how) can this be done using freeradius?

Hello,

I manage to do that by first checking the MAC during the authorization
process with an external script (using the exec module), and then
authenticating the user with user/password with whatever method you
want to use (in my case PEAP-MSCHAPv2 + ntlm_auth, but any other should
work).

My radiusd.conf looks like this:

    modules {
        ...
        exec mac_check {
            wait = yes
            program = "/path/to/your/script.pl %{User-Name} %{Calling-Station-Id}"
            input_pairs = request
            output_pairs = reply
            packet_type = Access-Request
            ...
        }
    }

    authorize {
        preprocess
        auth_log
        mac_check
        mschap
        eap
    }

    authenticate {
        Auth-Type MS-CHAP {
            mschap
        }
        eap
    }


The script is a simple Perl script that connects to our members database, checks if the MAC is registered and belongs to the member trying to connect, and refuses (exit 1;) or accepts (exit 0;) authorization based on that.

There is probably a cleaner way to do that, but it works well.

--
Endy

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
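
An added example, not part of the original messages and not Alexandre's script: a Python stand-in for the check script described above, taking User-Name and Calling-Station-Id as its two arguments and following the exit 0 (accept) / exit 1 (refuse) convention from the post. The MEMBERS table, the function names and the accepted MAC layouts are assumptions made for illustration.

```python
#!/usr/bin/env python3
"""MAC check for an exec module entry like mac_check (added example).

Invoked as: script USER-NAME CALLING-STATION-ID
Exit status 0 = authorize, 1 = refuse, as described in the post.
"""
import re
import sys

# Constructed sample data standing in for the members database (assumption).
MEMBERS = {
    "alice": {"001122334455"},
    "bob": {"a0b1c2d3e4f5", "0a1b2c3d4e5f"},
}


def normalize_mac(raw):
    """Return 12 lowercase hex digits, or None if raw is not a MAC address.

    Devices send Calling-Station-Id in different layouts, for example
    00-11-22-33-44-55, 00:11:22:33:44:55 or 0011.2233.4455, so the
    separators are dropped before comparing against the stored value.
    """
    digits = re.sub(r"[-:.]", "", raw.strip())
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", digits):
        return None
    return digits.lower()


def check(user, station_id, members=MEMBERS):
    """Return 0 if station_id is a MAC registered to user, else 1."""
    mac = normalize_mac(station_id)
    if mac is None:
        return 1  # fail closed on a missing or malformed Calling-Station-Id
    # The MAC must belong to this user, not merely exist in the database.
    return 0 if mac in members.get(user, ()) else 1


def main(argv):
    if len(argv) != 3:
        return 1  # unexpected argument count: refuse rather than guess
    return check(argv[1], argv[2])


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Every path that cannot positively match the MAC to the user returns 1, so a malformed attribute or a database miss refuses authorization instead of falling through to acceptance.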

