Markus Krause wrote:
> don't know if it is a good solution, but i just do this by setting the
> following in radiusd.conf:
>
> authenticate {
>     ...
>     Auth-Type LdapMAC {
>         ok
>     }
>     ...
> }
>
> the Auth-Type is set in users file depending on huntgroups:
>
> DEFAULT Huntgroup-Name == switch, Autz-Type := LdapMAC, Auth-Type := LdapMAC
>
> i assume there are better/smarter solutions as one can read "don't
> set Auth-Type" on many places but it works here ;-)
Sorry, but it's an awful suggestion. Don't do it, and certainly don't recommend others do it.

There's no need to go setting Auth-Type to random values. The correct way to do this is to reject unknown, not blindly accept known.

Example - you could modify the ldap group membership query to find groups based on both the username and callingstationid:

    groupmembership_filter = "(| (&(objectClass=GroupOfMacaddrs)(member=%{Calling-Station-Id})) (&(objectClass=GroupOfNames)(member=%{Ldap-UserDn})) )"

Then in "ldap":

    dn: cn=GoodMacs,dc=example,dc=com
    objectClass: top
    objectClass: GroupOfMacaddrs
    member: 00:11:22:33:44:55
    member: 66:77:88:99:aa:bb

Then in the "users" file:

    DEFAULT Ldap-Group == "GoodMacs"
            Fall-Through = No

    DEFAULT Auth-Type := Reject
            Reply-Message = "your mac is unknown"

There are lots of variations of this scheme.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
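The following is an added model of the two policies in this thread, not code from either poster or from FreeRADIUS: the directory contents and requests are constructed sample data, the group filter and users-file rules follow the reply above, and the normalize_mac helper is an assumption about how Calling-Station-Id would be canonicalized before matching.

```python
"""Toy model of the two MAC-authorization policies discussed in the thread.

The directory and RADIUS requests below are constructed sample data."""
import re

# Constructed stand-in for the entry the reply adds under "ldap".
DIRECTORY = {
    "cn=GoodMacs,dc=example,dc=com": {
        "objectClass": {"top", "GroupOfMacaddrs"},
        "member": {"00:11:22:33:44:55", "66:77:88:99:aa:bb"},
    },
}

def normalize_mac(mac):
    """Assumed helper: canonicalize the formats a NAS may put into
    Calling-Station-Id (00-11-22-33-44-55, 0011.2233.4455, ...) to the
    lower-case colon form stored in the group's member attribute.
    Without this step the filter silently matches nothing."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError("not a MAC address: %r" % mac)
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def ldap_group_membership(calling_station_id):
    """Emulates the MAC half of groupmembership_filter: a group matches when
    its objectClass is GroupOfMacaddrs and member contains the MAC."""
    mac = normalize_mac(calling_station_id)
    return {dn.split(",")[0][3:] for dn, entry in DIRECTORY.items()
            if "GroupOfMacaddrs" in entry["objectClass"]
            and mac in entry["member"]}

def authorize_reject_unknown(request):
    """Reply's users file: 'DEFAULT Ldap-Group == "GoodMacs"' with
    Fall-Through = No, otherwise 'DEFAULT Auth-Type := Reject'."""
    if "GoodMacs" in ldap_group_membership(request["Calling-Station-Id"]):
        return "Access-Accept"
    return "Access-Reject"  # Reply-Message = "your mac is unknown"

def authorize_accept_known_switch(request):
    """Quoted approach: Auth-Type := LdapMAC for the switch huntgroup and a
    bare 'ok' in authenticate{}. The Autz-Type section is not shown in the
    quote, so this model assumes it does not reject: an unknown MAC from
    the switch is accepted, which is the reply's objection."""
    if request["Huntgroup-Name"] == "switch":
        return "Access-Accept"
    return "Access-Reject"
```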