On 24/8/2013 12:00 PM, Nikolaos Milas wrote:

...and then I could simply use my *exact current configuration* by simply changing the ldap filter to:

filter = "(&(macAddress=%{Calling-Station-Id})(radiusNASIpAddress=%{NAS-IP-Address})(radiusHint=%{NAS-Port}))"

I tested this and it works. (Yet, please respond to the questions on my earlier mails.)

Now, I am thinking of an extended (MAC-Auth) "policy" (rule set) like:

Rule 1: If in the LDAP host entry we have included a radiusNASIpAddress value AND a radiusHint value, then authorize based on all, otherwise reject. (No mobility allowed)
Rule 2: If in the LDAP host entry we have included only a radiusNASIpAddress value, then authorize based only on it, otherwise reject. (NAS-mobility)
Rule 3: If in the LDAP host entry we have included NEITHER a radiusNASIpAddress value NOR a radiusHint value, then authorize based only on the MAC Address. (Full Mobility)

QUESTION 1: Is it legitimate to set up the above policy as follows?

server macauth {

  authorize {
        preprocess
        rewrite_calling_station_id

        if (%{ldap_macauth:ldap:///ou=Nodes,dc=example,dc=com?radiusHint?sub?radiusHint=*} && %{ldap_macauth:ldap:///ou=Nodes,dc=example,dc=com?radiusNASIpAddress?sub?radiusNASIpAddress=*}) {
                ldap_macauth
                if (ok) {
                        update control {
                                Auth-Type := Accept
                        }
                }
        }
        elsif (%{ldap_macauth_NAS_only:ldap:///ou=Nodes,dc=example,dc=com?radiusNASIpAddress?sub?radiusNASIpAddress=*}) {
                ldap_macauth_NAS_only
                if (ok) {
                        update control {
                                Auth-Type := Accept
                        }
                }
        }
        else {
                ldap_macauth_mobility
                if (ok) {
                        update control {
                                Auth-Type := Accept
                        }
                }
                else {
                        reject
                }
        }
  }

  authenticate {
        Auth-Type LDAP_MACAUTH {
                ldap_macauth
        }
  }

  preacct {
        preprocess
        acct_unique
  }

  accounting {
        detail
        exec
        attr_filter.accounting_response
  }
}

...where the three ldap instances above are identical except the filter which is:

ldap_macauth:
    filter = "(&(macAddress=%{Calling-Station-Id})(radiusNASIpAddress=%{NAS-IP-Address})(radiusHint=%{NAS-Port}))"
ldap_macauth_NAS_only:
    filter = "(&(macAddress=%{Calling-Station-Id})(radiusNASIpAddress=%{NAS-IP-Address}))"
ldap_macauth_mobility:
    filter = "(macAddress=%{Calling-Station-Id})"

If the above configuration is legitimate, what should we place in the authenticate {} section? Should all ldap_macauth* instances used in the authorize {} section be included? I am confused.

Thanks and regards,
Nick

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
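As an added illustration, not part of Nick's post or of any FreeRADIUS module, here is the three-rule MAC-auth policy above written as a small Python evaluator. It selects the rule from the attributes present on the matched host's own entry, builds the same three filters the post uses (with RFC 4515 escaping applied to the request attributes that are interpolated into them, since Calling-Station-Id arrives from the NAS), and returns the Accept/Reject outcome together with the rule that decided it. The host entries, the request dictionaries and the helper names (ldap_escape, normalize_mac, rule_for, build_filter, authorize) are all constructed for the example.

```python
import re

# Constructed sample host entries standing in for entries under
# ou=Nodes,dc=example,dc=com. Attribute names follow the post; values are made up.
HOST_ENTRIES = [
    # Rule 1 host: NAS address and port both pinned (no mobility)
    {"macAddress": "00:11:22:33:44:55", "radiusNASIpAddress": "10.0.0.1", "radiusHint": "5"},
    # Rule 2 host: only the NAS address is pinned (NAS mobility)
    {"macAddress": "00:11:22:33:44:66", "radiusNASIpAddress": "10.0.0.2"},
    # Rule 3 host: MAC only (full mobility)
    {"macAddress": "00:11:22:33:44:77"},
]

# RFC 4515 escapes for characters that would otherwise alter a search filter.
_ESCAPE = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def ldap_escape(value):
    """Escape a request-supplied value before interpolating it into a filter."""
    return "".join(_ESCAPE.get(ch, ch) for ch in value)


def normalize_mac(calling_station_id):
    """Collapse '00-11-22-33-44-55', '001122334455' or '00:11:..' to lower-case colon form."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", calling_station_id)
    if len(hexdigits) != 12:
        raise ValueError("Calling-Station-Id is not a MAC address: %r" % calling_station_id)
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2)).lower()


def rule_for(entry):
    """Pick the rule from the attributes present on this host's entry."""
    has_nas = "radiusNASIpAddress" in entry
    has_hint = "radiusHint" in entry
    if has_nas and has_hint:
        return 1          # MAC + NAS + port must all match
    if has_nas:
        return 2          # MAC + NAS must match
    return 3              # MAC only (a hint without a NAS address is not one of the
                          # three rules; it falls through to rule 3 here)


def build_filter(rule, request):
    """The LDAP filter the corresponding ldap instance would search with."""
    mac = ldap_escape(normalize_mac(request["Calling-Station-Id"]))
    if rule == 1:
        return "(&(macAddress=%s)(radiusNASIpAddress=%s)(radiusHint=%s))" % (
            mac, ldap_escape(request["NAS-IP-Address"]), ldap_escape(request["NAS-Port"]))
    if rule == 2:
        return "(&(macAddress=%s)(radiusNASIpAddress=%s))" % (
            mac, ldap_escape(request["NAS-IP-Address"]))
    return "(macAddress=%s)" % mac


def entry_matches(entry, rule, request):
    """Evaluate the rule's filter against one entry (stands in for the directory search)."""
    if entry["macAddress"].lower() != normalize_mac(request["Calling-Station-Id"]):
        return False
    if rule in (1, 2) and entry["radiusNASIpAddress"] != request["NAS-IP-Address"]:
        return False
    if rule == 1 and entry["radiusHint"] != request["NAS-Port"]:
        return False
    return True


def authorize(request, entries=HOST_ENTRIES):
    """Return ('Accept', rule) or ('Reject', rule_or_None) for one Access-Request."""
    mac = normalize_mac(request["Calling-Station-Id"])
    candidates = [e for e in entries if e["macAddress"].lower() == mac]
    if not candidates:
        return ("Reject", None)   # unknown MAC: no rule applies
    for entry in candidates:
        rule = rule_for(entry)
        if entry_matches(entry, rule, request):
            return ("Accept", rule)
    return ("Reject", rule_for(candidates[0]))


if __name__ == "__main__":
    req = {"Calling-Station-Id": "00-11-22-33-44-55", "NAS-IP-Address": "10.0.0.1", "NAS-Port": "5"}
    print(build_filter(rule_for(HOST_ENTRIES[0]), req))
    print(authorize(req))
```

The point of selecting the rule per entry is that a host listed with both attributes can never be accepted on a weaker match, and a host listed with neither never fails because some other entry in the subtree happens to carry a radiusHint; the escaping step keeps a crafted Calling-Station-Id from turning the interpolated filter into a different query.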
