On 7/5/09 10:18, Tomas Mecir wrote:
Greetings !

I have the following situation here that I'd like to ask for some
assistance with, if possible:

My client has a RADIUS server installed (running FreeRADIUS 2.0.5),
and routers working as hotspots that users can connect to. Users can
authorize against the RADIUS server using a name/password combination,
which is stored in a MySQL database (using the rlm_sql module and the
Cleartext-Password attribute in the radcheck table). This part works
correctly.

Now, my client wants an extra check to be added which would allow each
user to login only from a specific MAC address, which can be different
for each user, and which is obtained when the user logs in for the
first time. Checking the MAC address is easy, as the hotspot is
sending the MAC address in the Calling-Station-Id attribute that I
could easily store in the radcheck table as well - but the problem is
that this MAC address is not known when the name/password pair is
being added to the radcheck table, and I am to make it so that when
the user is successfully authorized for the first time, there is no
MAC check, but the user's current MAC address is remembered on the
server, and further logins are only permitted from that MAC address.

So, I am thinking that the best solution would be to have the RADIUS
server add a new "(username), 'Calling-Station-Id', '=', (user's MAC)"
entry to the radcheck table, right after a successful SQL auth step,
if such an entry isn't yet in the table.

And my question is - is there a way to accomplish this with existing
FreeRADIUS modules, or do I need to implement my own module to do this?

You can do it with the policy language. But you'll need to upgrade to the latest version of the server.

I've attached an example (so my mail client doesn't wrap it). Make sure you've defined always instances 'noop' and 'updated'.


Regards,
Arran
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


--
Arran Cudbard-Bell (a.cudbard-b...@sussex.ac.uk),
Authentication, Authorisation and Accounting Officer,
Infrastructure Services (IT Services),
E1-1-08, Engineering 1, University Of Sussex, Brighton, BN1 9QT
DDI+FAX: +44 1273 873900 | INT: 3900
GPG: 86FF A285 1AA1 EE40 D228 7C2E 71A9 25BB 1E68 54A2
# Bind the user to the MAC address seen on the first successful login.
# The SQL-User-Name attribute is set by rlm_sql when it ran in authorize,
# and values expanded inside %{sql:...} go through rlm_sql's escape function.
# Note: MySQL's equality operator is '=', not '==' as in the original query.
if ("%{sql:SELECT COUNT(*) FROM radcheck WHERE username = '%{SQL-User-Name}' AND attribute = 'Calling-Station-Id'}" == 0) {
        # No Calling-Station-Id check item yet: store the current MAC with
        # op '==' so rlm_sql compares it against later requests. The sql
        # xlat returns the number of affected rows for an INSERT.
        if ("%{sql:INSERT INTO radcheck (username,attribute,op,value) VALUES ('%{SQL-User-Name}','Calling-Station-Id','==','%{Calling-Station-Id}')}" >= 1) {
                updated
        }
        else {
                noop
        }
}
else {
        # A check item already exists; the MAC comparison was done by sql.
        noop
}
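As an added illustration (not part of Arran's reply or of the FreeRADIUS distribution), here is how the attached policy could be wired into a 2.1.x configuration: the two `always` instances it returns, the policy wrapped as a named policy in policy.conf, and the call placed in the post-auth section so that the INSERT only runs after an Access-Accept. The policy name `bind_mac_on_first_login` and the exact file layout are assumptions; the section contents otherwise follow the stock default site.

```unlang
# raddb/modules/always  (2.1.x ships these; define them if your copy lacks them)
always noop {
        rcode = noop
}
always updated {
        rcode = updated
}

# raddb/policy.conf  (policy name is an assumption for this example)
policy {
        bind_mac_on_first_login {
                # Only insert when the user has no Calling-Station-Id row yet.
                if ("%{sql:SELECT COUNT(*) FROM radcheck WHERE username = '%{SQL-User-Name}' AND attribute = 'Calling-Station-Id'}" == 0) {
                        if ("%{sql:INSERT INTO radcheck (username,attribute,op,value) VALUES ('%{SQL-User-Name}','Calling-Station-Id','==','%{Calling-Station-Id}')}" >= 1) {
                                updated
                        }
                        else {
                                noop
                        }
                }
                else {
                        noop
                }
        }
}

# raddb/sites-available/default
authorize {
        preprocess
        # sql loads radcheck; once the Calling-Station-Id row exists its
        # '==' check item is compared against the request, and a mismatch
        # means the user has no matching entry.
        sql
        # remaining modules as in the stock configuration
}

post-auth {
        # Runs only for Access-Accept, so a failed password never binds a MAC.
        bind_mac_on_first_login
        # remaining modules (sql logging etc.) as in the stock configuration
}
```

Two caveats worth keeping in mind. Hotspot vendors format Calling-Station-Id differently (`00-11-22-33-44-55`, `00:11:22:33:44:55`, `001122334455`), so normalise it before it is stored and compared; if your policy.conf carries the `rewrite_calling_station_id` policy, call it at the top of authorize. And the binding is only as strong as the first login: whoever presents the correct password first gets their MAC recorded, and a MAC is trivially spoofed by anyone who can observe it, so this is a hardening measure rather than a second factor.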