On 10/15/2010 08:06 AM, Langen Mike wrote:
> Hi there.
>
> I've got the problem that I want to combine Active Directory
> authentication with MAC address verification, so that only users whose
> hardware is listed in a text file or similar can log in.
>
> Across the whole World Wide Web I didn't find a hint on how to combine
> multiple authentication methods in series.

Really?

MAC "authentication" is really just a key/value lookup. You don't need to "combine two types of authentication" - just do a lookup of user->mac before doing mschap.

You haven't said, but I'm going to assume you're using 802.1x, with PEAP/MS-CHAP via ntlm_auth.

In which case, you want something like this:

in eap.conf:

eap {
  ...
  peap {
    ...
    copy_request_to_tunnel = yes
  }
}

in sites-enabled/inner-tunnel:

authorize {
  ...
  # now lookup user/mac, e.g. with an SQL query
  update request {
    Tmp-Integer-0 := "%{sql:select 1 from allowed where username='%{SQL-User-Name}' and mac='%{Calling-Station-Id}'}"
  }
  if (Tmp-Integer-0 == 1) {
     # this combination is allowed
  }
  else {
     # this one is not
     reject
  }
}


Obviously you'll need to have configured SQL and created the lookup table for the above example to work. You could also do this with "rlm_passwd", LDAP or even a "users" file. You'll need to be a bit more specific about your requirements if you want advice on that.


> One possibility seems to be using the Perl module, but there I didn't
> find anything at all. Is it possible to run a Perl script before
> ntlm_auth takes place?
>
> Thanks for your answer.
>
> Greetings from Switzerland.
>
> Mike
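The user/MAC lookup step from the reply, as an added example that is not part of the original thread: the same key/value check done in Python against a text-file allow-list of the kind the question mentions, rather than against SQL. The file format, the names and the sample entries are assumptions; Calling-Station-Id is normalized because different NASes send the MAC in different notations, and a missing or unparseable MAC is treated as a reject.

```python
import re

# Constructed allow-list (assumed format): one "username mac" pair per line,
# '#' starts a comment. The sample entries are made up for this example.
ALLOWED_TEXT = """
# username   mac
alice        00:11:22:33:44:55
bob          00-11-22-33-44-66
bob          0011.2233.4477
"""


def normalize_mac(value):
    """Reduce any common MAC notation (colons, hyphens, Cisco dotted, bare hex)
    to 12 lowercase hex digits. Returns None when the value is not a MAC."""
    digits = re.sub(r"[^0-9a-fA-F]", "", value or "")
    if len(digits) != 12:
        return None
    return digits.lower()


def load_allowed(text):
    """Parse the allow-list into a set of (username, normalized_mac) pairs.
    A malformed line raises, so a broken file fails loudly instead of
    silently allowing or denying everyone."""
    allowed = set()
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        mac = normalize_mac(parts[1]) if len(parts) == 2 else None
        if mac is None:
            raise ValueError("allow-list line %d is malformed: %r" % (lineno, raw))
        allowed.add((parts[0].lower(), mac))
    return allowed


def user_mac_allowed(allowed, username, calling_station_id):
    """Mirror of the SQL lookup: True only when this exact (User-Name,
    Calling-Station-Id) pair is listed. Realm stripping of the username is
    left to the server, as in the original setup; only case is folded here."""
    mac = normalize_mac(calling_station_id)
    if mac is None or not username:
        return False
    return (username.lower(), mac) in allowed
```

The pair check runs before any MS-CHAP/ntlm_auth work, which is the ordering the reply describes; the password is never consulted for a user/MAC pair that is not listed.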


List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html