RE: User + Password + AMC address group authentication

2010-07-09 Thread John McDonnell
 -----Original Message-----
 From: Alan DeKok
 Sent: Thursday, July 08, 2010 10:26 AM
 Aaron Jansen wrote:
  For a user FreeRADIUS should check the user name, password, and the
  MAC address. The MAC address can be one of many in a list stored in
  a database. So, this is not about a single user logging in on only
  one device.

This is something that I want to do here as well. I've seen the examples
for using a flat file to do this, but wanted to put it into a SQL database
for easier management, but also was not sure how to go about it and have
limited time right now for figuring it out.

   The existing tables are for specific purposes.  If you need
 something else, don't use them.
 
   Create a table just for MAC addresses.  Then, do:
 
 authorize {
   ...

   if (%{sql:SELECT mac FROM mac_table WHERE...}) {
     # mac is known
   }
   else {
     # mac is unknown
   }
   ...
 }
 
   Run the SQL select by hand until you get it working, and then add
 it to the configuration file.

Having even a bit of an example like that really helps sometimes.
Especially since I only have a minor understanding (Just Enough to Be
Dangerous *TM) of SQL and FreeRADIUS. (The latter is getting better quite
regularly.) Though right now, we're quite busy and I'm not sure when I'll
get the chance to set this up, I'll be sure to share my findings when I
get the chance.

Just a quick question, I'm planning on adding a machine_name field to the
MAC address table in addition to the MAC addresses to make maintaining the
list (adding and removing MAC addresses with new machines coming in and
old ones going out) easier. Is there anything else that would be useful to
add to the table? Should I create an arbitrary key_id field or use the
mac_address field as the index or perhaps the machine name since laptops
and some other machines have multiple NICs? I might add an asset_id field
as well since that would be easier for our users to read back to us
(sticker on the outside of the equipment) for troubleshooting when
checking to make sure their machine is entered properly in the database.

Example table layout:

mac_table
##################################################
# key_id # mac_address # machine_name # asset_id #
##################################################

(Sorry for the layout, I couldn't remember exactly how SQL diagrams are
usually done and couldn't find a quick example.)

Does this seem to make the most sense or would there be a better table
design that would be more efficient? Granted, the only thing in the table
that will be regularly accessed will be the MAC address, the rest is just
for making maintaining the addresses easier and will only be accessed when
adding/removing/making sure MAC was entered correctly.

Thanks for your patience and help.

Sincerely,

-- 
John McDonnell
Penn Cambria School District
mcdon...@pcam.org
O ASCII Ribbon Campaign - www.asciiribbon.org


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: User + Password + AMC address group authentication

2010-07-09 Thread Alan DeKok
John McDonnell wrote:
 Just a quick question, I'm planning on adding a machine_name field to the
 MAC address table in addition to the MAC addresses to make maintaining the
 list (adding and removing MAC addresses with new machines coming in and
 old ones going out) easier. Is there anything else that would be useful to
 add to the table?

  Keep it simple.  The simpler the table, the better.  Things needed for
your system are probably not needed for other systems.  And the SQL
schemas are editable for a reason: people can extend them locally.

 Should I create an arbitrary key_id field or use the
 mac_address field as the index or perhaps the machine name since laptops
 and some other machines have multiple NICs?

  That's a good idea, and is widely useful.

 I might add an asset_id field
 as well since that would be easier for our users to read back to us
 (sticker on the outside of the equipment) for troubleshooting when
 checking to make sure their machine is entered properly in the database.

  That would probably be a local site extension.

 Does this seem to make the most sense or would there be a better table
 design that would be more efficient?

  Nope.  'id', 'mac', and 'machine' are pretty much it.

 Granted, the only thing in the table
 that will be regularly accessed will be the MAC address, the rest is just
 for making maintaining the addresses easier and will only be accessed when
 adding/removing/making sure MAC was entered correctly.

  Yup.

  If you come up with a schema and some useful queries, we can add them
to the default examples that come with the server.

  Alan DeKok.
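
Added example (not part of any message in this thread, and not a schema shipped with FreeRADIUS): a small harness for "running the SQL select by hand" against the id / mac / machine table discussed above. Assumptions: SQLite stands in for the site's real database, the MAC arrives in whatever notation the NAS uses and is normalised before lookup, and the helper names normalise_mac, build_db and mac_is_known are hypothetical.

```python
import re
import sqlite3

# Schema following the thread: 'id', 'mac', 'machine'. The surrogate id lets
# one machine own several NICs; UNIQUE on mac keeps the lookup indexed.
SCHEMA = """
CREATE TABLE mac_table (
    id      INTEGER PRIMARY KEY,
    mac     TEXT NOT NULL UNIQUE,   -- stored normalised: 12 lowercase hex digits
    machine TEXT NOT NULL
);
"""

# The select to get working by hand before it goes inside %{sql:...}.
LOOKUP = "SELECT mac FROM mac_table WHERE mac = ?"


def normalise_mac(raw):
    """Reduce common MAC notations to 12 lowercase hex digits, else None."""
    digits = re.sub(r"[-:.\s]", "", raw).lower()
    return digits if re.fullmatch(r"[0-9a-f]{12}", digits) else None


def build_db(rows):
    """Create an in-memory database and load (mac, machine) rows."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.executemany(
        "INSERT INTO mac_table (mac, machine) VALUES (?, ?)",
        [(normalise_mac(mac), machine) for mac, machine in rows],
    )
    return db


def mac_is_known(db, client_mac):
    """True when the lookup returns a row: the 'mac is known' branch."""
    mac = normalise_mac(client_mac)
    if mac is None:  # client-supplied value that is not a MAC never hits SQL
        return False
    return db.execute(LOOKUP, (mac,)).fetchone() is not None


# Constructed sample data: one laptop with two NICs, one desktop.
SAMPLE = [("00:1A:2B:3C:4D:5E", "laptop-01"),
          ("00-1a-2b-3c-4d-5f", "laptop-01"),
          ("001a.2b3c.4d60", "desktop-07")]

if __name__ == "__main__":
    db = build_db(SAMPLE)
    for seen in ("00-1A-2B-3C-4D-5E", "001a2b3c4d60", "de:ad:be:ef:00:01", "not-a-mac"):
        print(f"{seen!r:22} known={mac_is_known(db, seen)}")
```

Storing and comparing one canonical form is what makes the lookup reliable: the same NIC reported with different separators or letter case would otherwise fall into the "mac is unknown" branch.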


User + Password + AMC address group authentication

2010-07-08 Thread Aaron Jansen
Dear all,

I would like to do the following:

For a user FreeRADIUS should check the user name, password, and the MAC
address. The MAC address can be one of many in a list stored in a
database. So, this is not about a single user logging in on only one
device. 

I have taken a look at the rad(group)check table, but it seems that ALL
attributes should check out alright for the user to be authenticated.
So, I cannot just simply add a list of all possible user/MAC
combinations. 

How can I best achieve this? Any help would be appreciated. 

Best regards, 

Aaron Jansen



Re: User + Password + AMC address group authentication

2010-07-08 Thread Alan DeKok
Aaron Jansen wrote:
 For a user FreeRADIUS should check the user name, password, and the MAC
 address. The MAC address can be one of many in a list stored in a
 database. So, this is not about a single user logging in on only one
 device. 
 
 I have taken a look at the rad(group)check table, but it seems that ALL
 attributes should check out alright for the user to be authenticated.
 So, I cannot just simply add a list of all possible user/MAC
 combinations. 

  The existing tables are for specific purposes.  If you need something
else, don't use them.

 How can I best achieve this? Any help would be appreciated. 

  Create a table just for MAC addresses.  Then, do:

authorize {
  ...

  if (%{sql:SELECT mac FROM mac_table WHERE...}) {
    # mac is known
  }
  else {
    # mac is unknown
  }
  ...
}

  Run the SQL select by hand until you get it working, and then add it
to the configuration file.