Re: User + Password + AMC address group authentication
John McDonnell wrote:
> Just a quick question, I'm planning on adding a machine_name field to the
> MAC address table in addition to the MAC addresses to make maintaining the
> list (adding and removing MAC addresses with new machines coming in and
> old ones going out) easier. Is there anything else that would be useful to
> add to the table?

Keep it simple. The simpler the table, the better. Things needed for your system are probably not needed for other systems. And the SQL schemas are editable for a reason: people can extend them locally.

> Should I create an arbitrary key_id field or use the
> mac_address field as the index or perhaps the machine name since laptops
> and some other machines have multiple NICs?

That's a good idea, and is widely useful.

> I might add an asset_id field
> as well since that would be easier for our users to read back to us
> (sticker on the outside of the equipment) for troubleshooting when
> checking to make sure their machine is entered properly in the database.

That would probably be a local site extension.

> Does this seem to make the most sense or would there be a better table
> design that would be more efficient?

Nope. 'id', 'mac', and 'machine' are pretty much it.

> Granted, the only thing in the table
> that will be regularly accessed will be the MAC address, the rest is just
> for making maintaining the addresses easier and will only be accessed when
> adding/removing/making sure MAC was entered correctly.

Yup.

If you come up with a schema && some useful queries, we can add them to the default examples that come with the server.

Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE: User + Password + AMC address group authentication
> -Original Message-
> From: Alan DeKok
> Sent: Thursday, July 08, 2010 10:26 AM

> Aaron Jansen wrote:
> > For a user FreeRADIUS should check the user name, password, and the
> > MAC address. The MAC address can be one of many in a list stored in
> > a database. So, this is not about a single user logging in on only
> > one device.

This is something that I want to do here as well. I've seen the examples for using a flat file to do this, but wanted to put it into a SQL database for easier management, but also was not sure how to go about it and have limited time right now for figuring it out.

> The existing tables are for specific purposes. If you need
> something else, don't use them.
>
> Create a table just for MAC addresses. Then, do:
>
> authorize {
>     ...
>
>     if ("%{sql:SELECT mac FROM mac_table WHERE...}") {
>         # mac is known
>     }
>     else {
>         # mac is unknown
>     }
>     ...
> }
>
> Run the SQL select by hand until you get it working, and then add
> it to the configuration file.

Having even a bit of an example like that really helps sometimes. Especially since I only have a minor understanding (Just Enough to Be Dangerous *TM) of SQL and FreeRADIUS. (The latter is getting better quite regularly.)

Though right now, we're quite busy and I'm not sure when I'll get the chance to set this up, I'll be sure to share my findings when I get the chance.

Just a quick question, I'm planning on adding a machine_name field to the MAC address table in addition to the MAC addresses to make maintaining the list (adding and removing MAC addresses with new machines coming in and old ones going out) easier. Is there anything else that would be useful to add to the table? Should I create an arbitrary key_id field or use the mac_address field as the index or perhaps the machine name since laptops and some other machines have multiple NICs?

I might add an asset_id field as well since that would be easier for our users to read back to us (sticker on the outside of the equipment) for troubleshooting when checking to make sure their machine is entered properly in the database.

Example table layout:

mac_table
################
# key_id       #
# mac_address  #
# machine_name #
# asset_id     #
################

(Sorry for the layout, I couldn't remember exactly how SQL diagrams are usually done and couldn't find a quick example.)

Does this seem to make the most sense or would there be a better table design that would be more efficient? Granted, the only thing in the table that will be regularly accessed will be the MAC address, the rest is just for making maintaining the addresses easier and will only be accessed when adding/removing/making sure MAC was entered correctly.

Thanks for your patience and help.

Sincerely,
--
John McDonnell
Penn Cambria School District
mcdon...@pcam.org
O< ASCII Ribbon Campaign - www.asciiribbon.org
Re: User + Password + AMC address group authentication
Aaron Jansen wrote:
> For a user FreeRADIUS should check the user name, password, and the MAC
> address. The MAC address can be one of many in a list stored in a
> database. So, this is not about a single user logging in on only one
> device.
>
> I have taken a look at the rad(group)check table, but it seems that ALL
> attributes should check out alright for the user to be authenticated.
> So, I cannot just simply add a list of all possible user/MAC
> combinations.

The existing tables are for specific purposes. If you need something else, don't use them.

> How can I best achieve this? Any help would be appreciated.

Create a table just for MAC addresses. Then, do:

    authorize {
        ...

        if ("%{sql:SELECT mac FROM mac_table WHERE...}") {
            # mac is known
        }
        else {
            # mac is unknown
        }
        ...
    }

Run the SQL select by hand until you get it working, and then add it to the configuration file.
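Added example (not from the thread and not FreeRADIUS's own schema): one way to try the table and the SELECT by hand before putting the query into authorize, covering both the 'id'/'mac'/'machine' layout from the reply to John McDonnell and the lookup from the reply above. It assumes SQLite as a stand-in for the site's database and a hypothetical normalize_mac() helper, since the notation a device presents may differ from what was typed into the table; the sample rows are constructed.

```python
import re
import sqlite3

# Columns follow the 'id', 'mac', 'machine' layout from the thread. A surrogate
# id is the key, mac is unique, and one machine may own several rows (one per NIC).
SCHEMA = """
CREATE TABLE mac_table (
    id      INTEGER PRIMARY KEY,
    mac     TEXT NOT NULL UNIQUE,
    machine TEXT NOT NULL
);
"""

# Constructed sample rows, deliberately entered in three different notations.
SAMPLE = [
    ("00:1A:2B:3C:4D:5E", "lab-laptop-01"),   # wired NIC
    ("00-1a-2b-3c-4d-5f", "lab-laptop-01"),   # wireless NIC, same machine
    ("001a.2b3c.4d60", "office-pc-07"),
]

def normalize_mac(raw):
    """Hypothetical helper: 12 lowercase hex digits, or None if malformed."""
    compact = re.sub(r"[-:.\s]", "", raw).lower()
    return compact if re.fullmatch(r"[0-9a-f]{12}", compact) else None

def build_db(rows):
    """Create the table in memory and store every MAC in normalized form."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.executemany("INSERT INTO mac_table (mac, machine) VALUES (?, ?)",
                   [(normalize_mac(mac), machine) for mac, machine in rows])
    return db

def mac_is_known(db, presented):
    """The lookup the authorize check depends on: is this MAC in the table?"""
    mac = normalize_mac(presented)
    if mac is None:
        return False  # malformed input is rejected before it reaches SQL
    return db.execute("SELECT mac FROM mac_table WHERE mac = ?",
                      (mac,)).fetchone() is not None

def macs_for_machine(db, machine):
    """Maintenance query: every MAC registered to one machine name."""
    cur = db.execute("SELECT mac FROM mac_table WHERE machine = ? ORDER BY mac",
                     (machine,))
    return [row[0] for row in cur]

if __name__ == "__main__":
    db = build_db(SAMPLE)
    print(mac_is_known(db, "00-1A-2B-3C-4D-5E"), macs_for_machine(db, "lab-laptop-01"))
```

Storing one canonical form and normalizing the presented value the same way keeps the match independent of how each MAC was typed in.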
User + Password + AMC address group authentication
Dear all,

I would like to do the following:

For a user FreeRADIUS should check the user name, password, and the MAC address. The MAC address can be one of many in a list stored in a database. So, this is not about a single user logging in on only one device.

I have taken a look at the rad(group)check table, but it seems that ALL attributes should check out alright for the user to be authenticated. So, I cannot just simply add a list of all possible user/MAC combinations.

How can I best achieve this? Any help would be appreciated.

Best regards,
Aaeron Jansen