We are trying to add MAC authentication to our wireless APs. The RADIUS request comes in like so:

rad_recv: Access-Request packet from host 10.250.100.3:1038, id=119, length=95
        Service-Type = Framed-User
        NAS-Port-Id = "wlan1"
        User-Name = "00:0B:6B:56:1D:48"
        User-Password = ""
        NAS-Identifier = "ballyvaughan_ap_1"
        NAS-IP-Address = 10.250.100.3

The MAC address is in a field in the LDAP, so I created a second ldap.attrib.map and a new LDAP Autz-Type. The problem is that the User-Password that is sent is blank, so I added this to the users file, like so:

DEFAULT Huntgroup-Name == test, Autz-Type := ldapMAC, User-Password == "", Simultaneous-Use := 1
        Fall-Through = 0

Great, now the user will authorise and authenticate from files. But what I had hoped would happen was that if they failed authorisation they would not continue; I can see this is not the default procedure. How can I make it work this way?

Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module "preprocess" returns ok for request 0
  modcall[authorize]: module "chap" returns noop for request 0
  modcall[authorize]: module "mschap" returns noop for request 0
    users: Matched entry DEFAULT at line 4
  modcall[authorize]: module "files" returns ok for request 0
modcall: leaving group authorize (returns ok) for request 0
  Found Autz-Type ldapMAC
Processing the authorize section of radiusd.conf
modcall: entering group ldapMAC for request 0
modcall: entering group redundant for request 0
rlm_ldap: - authorize
rlm_ldap: performing user authorization for 00:0B:6B:56:1D:48
radius_xlat:  '(rdwaveuserWirelessMac=00:0B:6B:56:1D:48)'
radius_xlat:  'o=clients,dc=radiowave,dc=net'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to 127.0.0.1:389, authentication 0
rlm_ldap: bind as cn=admin,dc=radiowave,dc=net/xxxxxxx to 127.0.0.1:389
rlm_ldap: Bind was successful
rlm_ldap: performing search in o=clients,dc=radiowave,dc=net, with filter (rdwaveuserWirelessMac=00:0B:6B:56:1D:48)
rlm_ldap: object not found or got ambiguous search result
rlm_ldap: search failed
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module "ldapmac1" returns notfound for request 0
modcall: leaving group redundant (returns notfound) for request 0
modcall: leaving group ldapMAC (returns notfound) for request 0

But when the authentication starts, this still happens. (Below is an idea someone had in respect to this issue, or a similar one, but I have no idea how to deploy it. I look forward to your replies.)

auth: type Local
auth: user supplied User-Password matches local User-Password
Processing the session section of radiusd.conf
modcall: entering group session for request 0
modcall: entering group redundant for request 0
  modcall[session]: module "sql2" returns noop for request 0
modcall: leaving group redundant (returns noop) for request 0
modcall: leaving group session (returns noop) for request 0
Login OK: [00:0B:6B:56:1D:48/] (from client ballyvaughan port 0)
Sending Access-Accept of id 119 to 10.250.100.3 port 1038

On Sun, 2007-02-25 at 20:05 +0000, Martin Whinnery wrote:
> Martin Whinnery wrote:
> > Markus Krause wrote:
> >
> >> Quoting Martin Whinnery <[EMAIL PROTECTED]>:
> >>
> >>> Hi.
> >>>
> >>> Probably just me not understanding...
> >>>
> >>> What I want is for our switches to only allow access to MAC addresses in
> >>> our LDAP database.
> >>>
> >>> I don't want to store passwords on our LDAP host entries.
> >>>
> >>> I'm set up to check LDAP during authorisation, and it correctly returns
> >>> authorised / not authorised depending on whether the appropriate
> >>> attribute contains the right value.
> >>>
> >>> The trouble comes with authentication - either I set Auth-Type :=
> >>> Accept, in which case any failed authorisation is overridden, or I allow
> >>> authentication to carry on against LDAP (or System, or whatever), in
> >>> which case it fails always and access is denied, even for authorised MACs.
> >>>
> >>> Is there a way to make the Authorisation part final and authoritative?
> >>>
> >>> As I say, probably just being stoopid.
> >>>
> >>> Mart
> >>
> >> Don't know if it is a good solution, but I just do this by setting the
> >> following in radiusd.conf:
> >>
> >> authenticate {
> >>     ...
> >>     Auth-Type LdapMAC {
> >>         ok
> >>     }
> >>     ...
> >> }
> >>
> >> The Auth-Type is set in the users file depending on huntgroups:
> >>
> >> DEFAULT Huntgroup-Name == switch, Autz-Type := LdapMAC, Auth-Type := LdapMAC
> >>
> >> I assume there are better/smarter solutions, as one can read "don't
> >> set Auth-Type" in many places, but it works here ;-)
> >>
> >> regards
> >> markus
> >
> > Thanks Markus,
> >
> > the problem seems to be that the authorisation pass returns "notfound",
> > whereas I want it to "reject", as if it found an entry in LDAP without
> > the appropriate attribute.
> >
> > Mart
>
> This was exactly the problem. What I've done is created an exec module,
> which checks for 'not found' in MODULE_FAILURE_MESSAGE, returning
> non-zero if there's a match. So authorization *fails* rather than
> succeeds with 'not found'.
>
> I think.
>
> Anyway, it works.
>
> Thanks for all your help.
>
> Mart
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
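As an added example, not code from this thread or from FreeRADIUS itself, here is a script in the spirit of what Mart describes: an rlm_exec helper that turns rlm_ldap's "not found" into a failing authorisation so the blank-password MAC never reaches the authenticate section. It assumes the exec instance is configured with wait = yes and input_pairs = request, so rlm_exec exports the request's attributes as environment variables (attribute names upper-cased with '-' replaced by '_', which is how Module-Failure-Message becomes MODULE_FAILURE_MESSAGE), and that a non-zero exit (1 here, which rlm_exec reports as a reject) stops the request. The module name ldapmacgate and the script path are hypothetical.

```shell
#!/bin/sh
# ldap-mac-gate.sh -- added example, not from the original thread.
#
# Meant to run from rlm_exec inside the ldapMAC Autz-Type group, after
# the rlm_ldap instance has run (hypothetical module name and path):
#
#   modules {
#       exec ldapmacgate {
#           wait = yes
#           input_pairs = request
#           program = "/etc/freeradius/ldap-mac-gate.sh"
#       }
#   }
#   authorize {
#       ...
#       Autz-Type ldapMAC {
#           ldapmac1
#           ldapmacgate
#       }
#   }
#
# With wait = yes and input_pairs = request, rlm_exec places the request
# attributes in the child's environment, upper-cased and with '-' turned
# into '_', so Module-Failure-Message is read from MODULE_FAILURE_MESSAGE.

# check_failure_message MESSAGE
# Returns 1 when rlm_ldap reported that no entry carried the MAC
# (its message reads "object not found or got ambiguous search result"),
# and 0 for an empty or unrelated message.
check_failure_message() {
    case "$1" in
        *"not found"*) return 1 ;;
        *)             return 0 ;;
    esac
}

# Only act when the attribute was actually handed to us: a request whose
# LDAP lookup succeeded carries no failure message and is left alone, and
# running the script outside FreeRADIUS is a harmless no-op.
if [ -n "${MODULE_FAILURE_MESSAGE:-}" ]; then
    if ! check_failure_message "$MODULE_FAILURE_MESSAGE"; then
        # Non-zero exit: rlm_exec turns this into a reject, so the
        # MAC never gets as far as "auth: type Local".
        exit 1
    fi
fi
```

Matching on the substring "not found" is what Mart's description calls for; if the failure text in your rlm_ldap build differs, run radiusd -X once for an unknown MAC and adjust the case pattern to the message it actually logs.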