On 14 Aug 2013, at 11:02, Nikolaos Milas <nmi...@noa.gr> wrote:

> Hi,
>
> I am using FreeRadius v2.2.0 on CentOS 6.4 x86_64.
>
> I am trying to adapt Plain Mac-Auth as described at:
> http://wiki.freeradius.org/guide/Mac-Auth to work from LDAP.
>
> (Note: The server is also used for eduroam and is going to be used for 802.1x
> too.)
>
> My setup follows below.
>
> The questions:
> --------------
> 1. Should I also define the value:
> # access_attr
> ...for correct results?

Sure if you want to have an attribute which enables/disables access?

> 2. Can I test this using radtest (since I am not using user/password for this
> query)?

Yes, use just the mac-address as the username and password.

> 3. Any other suggestions?

Nope.

> --------------
>
> The setup:
>
> ldap ldap_macauth {
>     server = "localhost"
>     identity = "uid=binduser,ou=System,dc=example,dc=com"
>     password = "bindpasswd"
>     basedn = "ou=Nodes,dc=example,dc=com"
>     filter = "(macAddress=%{Calling-Station-Id})"
>     start_tls = no
>     dictionary_mapping = ${raddbdir}/ldap.attrmap
>     ldap_connections_number = 2
>     timeout = 4
>     timelimit = 3
>     net_timeout = 1
> }
>
> and I have a test entry:
>
> dn: cn=hostABC,ou=Nodes,dc=example,dc=com
> cn: hostABC
> macAddress: 00:24:8b:3c:d1:db
> objectClass: device
> objectClass: ieee802Device
> objectClass: top
> ou: tech
> owner: uid=johndoe,ou=people,dc=example,dc=com
> l: Main Site
>
> I have preferred to set:
>
> rewrite_calling_station_id {
>     if (Calling-Station-Id =~ /([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})/i) {
>         update request {
>             Calling-Station-Id := "%{tolower:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}}"
>         }
>     }
>     else {
>         noop
>     }
> }

That's fine.

> and in sites-enabled/default:
>
> authorize {
>     preprocess
>     chap
>     mschap
>     digest
>     suffix

Do you need all these? Are you ever going to be doing chap/mschap/digest in the outer server?

>     eap {
>         ok = return
>     }
>     files
>     ldap_macauth
>     if (!ok) {
>         reject
>     }
>     else {
>         # accept
>         update control {
>             Auth-Type := Accept
>         }
>     }

Yay for magic indentation.

>     expiration
>     logintime
>     pap
> }

-Arran

Arran Cudbard-Bell <a.cudba...@freeradius.org>
FreeRADIUS Development Team

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
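The following Python script is an added walk-through of the MAC-auth flow discussed in the thread, not code from either poster or from FreeRADIUS. It applies the same regular expression as the rewrite_calling_station_id policy, builds the ldap_macauth filter from the normalised value, and mirrors the authorize section's decision (reject on no match, Auth-Type := Accept on a hit). The directory is a constructed in-memory stand-in for ou=Nodes holding the hostABC entry from the thread; the ldap_search evaluator only understands the single equality filter this setup uses, and the RFC 4515 escaping helper stands in for the escaping a real ldap module applies when it expands the filter.

```python
import re
from typing import Dict, List, Optional, Tuple

# Same expression as the rewrite_calling_station_id policy quoted in the thread:
# six hex pairs with optional '-' or ':' separators, matched case-insensitively.
MAC_RE = re.compile(
    r"([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?"
    r"([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})",
    re.IGNORECASE,
)


def normalize_mac(calling_station_id: str) -> Optional[str]:
    """Return the MAC as lowercase colon-separated pairs (what the policy's
    'update request' produces), or None when no MAC is found (its 'noop' branch)."""
    m = MAC_RE.search(calling_station_id)
    if m is None:
        return None
    return ":".join(group.lower() for group in m.groups())


def ldap_filter_escape(value: str) -> str:
    """RFC 4515 escaping for an assertion value placed inside a search filter."""
    return "".join(
        "\\%02x" % ord(ch) if ch in "*()\\\x00" else ch for ch in value
    )


def build_filter(calling_station_id: str) -> str:
    """The ldap_macauth filter from the thread with Calling-Station-Id substituted."""
    return "(macAddress=%s)" % ldap_filter_escape(calling_station_id)


# Constructed stand-in for ou=Nodes,dc=example,dc=com (hypothetical data,
# copied from the test entry in the thread).
NODES: Dict[str, Dict[str, List[str]]] = {
    "cn=hostABC,ou=Nodes,dc=example,dc=com": {
        "cn": ["hostABC"],
        "macAddress": ["00:24:8b:3c:d1:db"],
        "objectClass": ["device", "ieee802Device", "top"],
        "ou": ["tech"],
        "owner": ["uid=johndoe,ou=people,dc=example,dc=com"],
        "l": ["Main Site"],
    },
}


def ldap_search(filter_str: str) -> List[str]:
    """Minimal evaluator for a single equality filter, returning matching DNs.
    A real directory evaluates the filter server-side with the attribute's
    matching rule; this stand-in compares strings exactly."""
    m = re.fullmatch(r"\((\w+)=([^)]*)\)", filter_str)
    if m is None:
        raise ValueError("unsupported filter: %s" % filter_str)
    attr, wanted = m.group(1), m.group(2)
    return [dn for dn, entry in NODES.items() if wanted in entry.get(attr, [])]


def authorize(calling_station_id: str) -> Tuple[str, str]:
    """Mirror of the authorize section: rewrite the MAC, run ldap_macauth,
    then 'reject' when it did not return ok, else set Auth-Type := Accept."""
    # The policy noops on values that are not MACs, so the raw attribute is
    # what reaches the filter in that case; reproduce that here.
    lookup = normalize_mac(calling_station_id) or calling_station_id
    matches = ldap_search(build_filter(lookup))
    if not matches:
        return ("Reject", "no entry in ou=Nodes for %s" % lookup)
    return ("Accept", matches[0])


if __name__ == "__main__":
    # Constructed sample Calling-Station-Id values in the forms NAS devices send.
    for csid in ("00-24-8B-3C-D1-DB", "00248b3cd1db", "00:11:22:33:44:55", "garbage"):
        print("%-20s -> %s" % (csid, authorize(csid)))
```

Two points the script makes visible: the rewrite is what lets a hyphenated or unseparated MAC from the NAS match an entry stored as lowercase colon-separated pairs, so the stored macAddress values should use that same form; and a Calling-Station-Id that never matches the pattern is still looked up verbatim and ends in reject, which is the behaviour radtest will show when given an unknown MAC as both username and password.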