, please respond to the questions on my
earlier mails.)
Now, I am thinking of an extended (MAC-Auth) policy (rule set) like:
Rule 1: If in the LDAP host entry we have included a radiusNASIpAddress
value AND a radiusHint value, then authorize based on all, otherwise
reject. (No mobility allowed
On 24 Aug 2013, at 10:00, Nikolaos Milas nmi...@noa.gr wrote:
On 23/8/2013 9:19 PM, Arran Cudbard-Bell wrote:
It'll either be in NAS-Port or NAS-Port-ID if the NAS is providing that
information.
Thanks Arran,
It was NAS-Port indeed. Strangely enough, this is not included either in
...where the three ldap instances above are identical except the filter which
is:
ldap_macauth:
filter = (&(macAddress=%{Calling-Station-Id})(radiusNASIpAddress=%{NAS-IP-Address})(radiusHint=%{NAS-Port}))
ldap_macauth_NAS_only:
filter =
the comparison in policy language.
Hmm, if I understand right, I could query once a custom attribute with
e.g. the value of 0/1/2 depending on the type of mac-auth we would like
to do.
Thus, two LDAP queries would suffice to check correctly the client in
all cases, where in my initial script we would
to pull the necessary
values into control attributes,
and then do the comparison in policy language.
Hmm, if I understand right, I could query once a custom attribute with e.g.
the value of 0/1/2 depending on the type of mac-auth we would like to do.
Thus, two LDAP queries would suffice
On 26/8/2013 2:15 PM, Arran Cudbard-Bell wrote:
Unless you are querying different DNs for the different Mac-Auth types then
doing this is the wrong way to approach this.
the presence of the attributes in the LDAP object to dictate what type of
authorisation you're doing.
Thanks Arran,
I
On 23/8/2013 9:19 PM, Arran Cudbard-Bell wrote:
It'll either be in NAS-Port or NAS-Port-ID if the NAS is providing that
information.
Thanks Arran,
It was NAS-Port indeed. Strangely enough, this is not included either in
ldap.attrmap or the freeradius schema. Shouldn't it (and other
On 24/8/2013 12:00 PM, Nikolaos Milas wrote:
...and then I could simply use my *exact current configuration* by
simply changing the ldap filter to:
filter = (&(macAddress=%{Calling-Station-Id})(radiusNASIpAddress=%{NAS-IP-Address})(radiusHint=%{NAS-Port}))
...provided that I am storing
exec
attr_filter.accounting_response
}
session {
}
post-auth {
}
pre-proxy {
}
post-proxy {
}
}
Tests went fine and I am able to run MAC-Auth successfully on a Cisco
2960 over FreeRadius with LDAP backend! Thanks FreeRadius people!
I have 3 main virtual servers
-3580-(single-untagged-VLAN)-Assignment
3. Can we configure in FreeRadius an auto email to an administrator
when there is a MAC-auth failure with the associated info (time, MAC
Address, NAS device, port)?
Yes, use rlm_exec in async mode and call sendmail or something similar.
Arran Cudbard
On 23/8/2013 7:25 PM, Arran Cudbard-Bell wrote:
See ldap_xlat http://wiki.freeradius.org/modules/Rlm_ldap
Use a query that searches for the value of NAS-IP-Address in the user object in
a custom attribute.
If the query expands to something other than a zero length string, the
attribute
On 23 Aug 2013, at 18:30, Nikolaos Milas nmi...@noa.gr wrote:
On 23/8/2013 7:25 PM, Arran Cudbard-Bell wrote:
See ldap_xlat http://wiki.freeradius.org/modules/Rlm_ldap
Use a query that searches for the value of NAS-IP-Address in the user object
in a custom attribute.
If the query
Hi,
I am using FreeRadius v2.2.0 on CentOS 6.4 x86_64.
I am trying to adapt Plain Mac-Auth as described at:
http://wiki.freeradius.org/guide/Mac-Auth to work from LDAP.
(Note: The server is also used for eduroam and is going to be used for
802.1x too.)
My setup follows below
On 14 Aug 2013, at 11:02, Nikolaos Milas nmi...@noa.gr wrote:
Hi,
I am using FreeRadius v2.2.0 on CentOS 6.4 x86_64.
I am trying to adapt Plain Mac-Auth as described at:
http://wiki.freeradius.org/guide/Mac-Auth to work from LDAP.
(Note: The server is also used for eduroam
Hello, I have configured freeradius for accept one host connection over host
mac address
This is the log, at the end appear the error:
Called-Station-Id = 00-90-0B-23-2E-BF:EquiposPortatiles
Calling-Station-Id = 98-0C-82-B5-00-F2
Framed-MTU = 1250
NAS-Port-Type = Wireless-802.11
What's wrong?
Which version of the server are you using?
Arran Cudbard-Bell a.cudba...@freeradius.org
FreeRADIUS Development Team
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On Fri, Jun 21, 2013 at 01:23:28PM +0200, Roberto Ortega Ramiro wrote:
Hello, I have configured freeradius for accept one host connection over host
mac address
On the assumption this is an instantiation of 'files', then the
format for the file would be
98-0c-82-b5-00-f2 Auth-Type := Accept
Thank you for your fast response.
I have found the problem, I have inserted a space before the MAC address.
Sorry and thank you for your time.
2013/6/21 Roberto Ortega Ramiro roberto.ort...@escuelassj.com
Hello, I have configured freeradius for accept one host connection over
host mac address
On 21 Jun 2013, at 12:55, Matthew Newton m...@leicester.ac.uk wrote:
On Fri, Jun 21, 2013 at 01:23:28PM +0200, Roberto Ortega Ramiro wrote:
Hello, I have configured freeradius for accept one host connection over host
mac address
On the assumption this is an instantiation of 'files', then the
Hi again.
Matthew, you are right, I have no Access-Accept.
I have this response:
Fri Jun 21 14:18:02 2013 : Info: [authorized_macs] expand: Device with
MAC Address %{Calling-Station-Id} authorized for network access - Device
with MAC Address 98-0c-82-b5-00-f2 authorized for network access
On 21 Jun 2013, at 13:29, Roberto Ortega Ramiro roberto.ort...@esj.es wrote:
Hi again.
Matthew, you are right, I have no Access-Accept.
Your NAS is configured wrong for Mac-Auth. It's attempting to start 802.1X
authentication, that EAP-Message is an Identity response for 'luna. borja'.
Do
...@freeradius.org
On 21 Jun 2013, at 13:29, Roberto Ortega Ramiro roberto.ort...@esj.es
wrote:
Hi again.
Matthew, you are right, I have no Access-Accept.
Your NAS is configured wrong for Mac-Auth. It's attempting to start 802.1X
authentication, that EAP-Message is an Identity response for 'luna
On Fri, Jun 21, 2013 at 02:56:57PM +0200, Roberto Ortega Ramiro wrote:
I'm trying to connect using EAP-TLS one host, and I was using one wrong user
and password for connect the host with his mac.
I have understood that this is not possible. Right?
You can do EAP-TLS *and* validate the MAC address.
Is it possible to do an if sentence to validate the MAC address in
authorized_macs with one user in users file (or other site) and others
users can connect with their user and password?
Thank you.
2013/6/21 Matthew Newton m...@leicester.ac.uk
On Fri, Jun 21, 2013 at 02:56:57PM +0200, Roberto
I'm not at work now, but.
This will do what I want:
authorized_macs
if (ok) {
    update control {
        Auth-Type := files
    }
} else {
    eap
    ldap
}
Thank you.
2013/6/21 Roberto
Hi, I have resolved my problem, I have created one user in users file to validate
hosts whose mac address are in authorized_macs and I have the users and
passwords in ldap and this is my sites-available/default file configuration in
the authorize section:
authorized_macs
if (ok) {
Use the example I gave you...
it works - many thanks for your support
Oliver
On Sunday, February 24, 2013, Alan DeKok wrote:
Russell Mike wrote:
i also
came across where guys are discussing EAP and MAC authentication. i
could not conclude, if it is a better way of doing
MAC authentication using EAP.
To be clear: you don't. EAP is authentication. MAC
From:
freeradius-users-bounces+david.peterson=acc-corp@lists.freeradius.org
[mailto:freeradius-users-bounces+david.peterson=acc-corp.net@lists.freeradiu
s.org] On Behalf Of Russell Mike
Sent: Saturday, February 23, 2013 11:07 AM
To: FreeRadius users mailing list
Subject: MAC-Auth
Russell Mike wrote:
Thanks for guidelines. exactly, as you stated I simple want to store MAC
address somewhere compare against the request. Can they be in
radcheck?
I wouldn't do that. Just create your own table of MAC addresses. If
all you want is to list known MACs, you can do that with
On Sun, Feb 24, 2013 at 2:20 PM, Alan DeKok al...@deployingradius.com wrote:
Russell Mike wrote:
Thanks for guidelines. exactly, as you stated I simple want to store MAC
address somewhere compare against the request. Can they be in
radcheck?
I wouldn't do that. Just create your own
that against a
database of MACs.
No clue how to do this, I just know it can be done.
David
Dear David, thanks for attending to the request, what do you mean when you
say
one person doing something similar to what you are looking to do. Does
other do the MAC-Auth
-WirelessConnections; FreeRadius users mailing list
Subject: Re: MAC-Auth + Freeradius + MySQL Database
On Sun, Feb 24, 2013 at 1:55 PM, David Peterson
dav...@wirelessconnections.net wrote:
I know of one person doing something similar to what you are looking to do.
If your NAS sends
*Subject:* Re: MAC-Auth + Freeradius + MySQL Database
On Sun, Feb 24, 2013 at 1:55 PM, David Peterson
dav...@wirelessconnections.net wrote:
I know of one person doing something similar to what you are looking to
do. If your NAS sends the MAC of the device
/guide/Mac-Auth#Mac-Auth-authorisation-by-SSID-SQL
How to store MACs in MySQL database. Perhaps, i need to create additional table
to store MAC, Honestly, i am not sure how to go about it. Is there any
documentation that i may do NOT know of. and i can follow to finish the
setup.
Great thanks
Russell Mike wrote:
i also
came across where guys are discussing EAP and MAC authentication. i
could not conclude, if it is a better way of doing
MAC authentication using EAP.
To be clear: you don't. EAP is authentication. MAC authentication
is just checking if the MAC address is in a
as soon as it's marked to
be
proxied.
Thank you for this quick reply.
We are using EAP-TLS computer-only authentication and additional MAC
Auth.
Both Common Name of certificates contain @ characters, like
machine-name@realm-local
machine-name@realm-to-proxy
Is it possible to use the realm
Oliver Warda wrote:
Is it possible to use the realm instead and should this be placed
within the users file?
Use the example I gave you, and search for @realm instead of @.
Alan DeKok.
Hello everybody,
I'm using FR 2.1.12 on CentOS 6.3
802.1x and MAC Auth as described in WiKi is working fine.
Authentication is done local
Now, I have the demand to implement RADIUS Proxy also.
As I understand MAC Auth is done before RADIUS Proxy.
But I do not want to administrate about 5.000
Oliver Warda wrote:
Now, I have the demand to implement RADIUS Proxy also.
As I understand MAC Auth is done before RADIUS Proxy.
Yes.
But I do not want to administrate about 5.000 RADIUS Proxy clients in my
authorized_macs file (RADIUS Proxy is using 802.1x only).
Is there a way
I am setting up our Freeradius to do authentication for MAC address for
windows PC. This is to enable PCs to connect to the AD to access Domain
information just before Windows User Logon Screen. The PC is already
connected to a Cisco switch port which has been configured 802.1x.
I have
On 08/02/13 12:52, Tunde Ogedengbe wrote:
see from the log that the MAC addresses is checked and OK. But there is
an [eap] returns reject just after the mac address was successfully
checked. I guess I need a way to get radius to force an EAP accept
after successful checking of the MAC
Ok. Can you pls help with procedure for configuring pre-login on Windows
for 802.1x? Windows is sending packets to RADIUS as
host/machine-name.domain. I would like to have a dedicated userid/password
configured on windows for pre-login machine authentication.
'Tunde Ogedengbe
On 8 Feb 2013 13:18,
On 08/02/13 16:09, Tunde Ogedengbe wrote:
Ok. Can you pls help with procedure for configuring pre-login on Windows
for 802.1x? Windows is sending packets to RADIUS as
host/machine-name.domain. I would like to have a dedicated
userid/password configured on windows for pre-login machine
On Tue, Aug 21, 2012 at 10:45:43PM +0100, Franks Andy (RLZ) IT Systems Engineer
wrote:
Just an update : I do see something on the IOS interface :
RADIUS: AAA Unsupported Attr: ssid [263] 8
*May 17 16:47:01.236: RADIUS: 52 53 48 5F 57 69
: 21 August 2012 22:46
To: FreeRadius users mailing list
Subject: RE: Best way to cope with multiple SSIDs and MAC auth
Just an update : I do see something on the IOS interface :
RADIUS: AAA Unsupported Attr: ssid [263] 8
*May 17 16:47:01.236: RADIUS: 52 53 48 5F 57 69
Hi again,
Thanks for everyone's input on the last question I asked today.
I have another : we are running cisco 1100/1200 series Aps with multiple
SSIDs. Depending on ldap groups users are assigned a VLAN which
corresponds to the internal or DMZ based network. The issue is that if a
user is in
Hi,
Because I am not aware that the cisco IOS can send an “SSID” attribute to
the radius server (if someone knows how to do this PLEASE tell me!), I
yes, it does - the attribute will depend on model and IOS version - but
if you run the server in full debug mode then you will see the
and MAC auth
Hi,
Because I am not aware that the cisco IOS can send an “SSID” attribute to
the radius server (if someone knows how to do this PLEASE tell
me!), I
yes, it does - the attribute will depend on model and IOS version - but if you
run the server in full debug mode then you
: 21 August 2012 22:34
To: FreeRadius users mailing list
Subject: RE: Best way to cope with multiple SSIDs and MAC auth
Hi - thanks for the reply
I have a relatively new version of IOS and I can't see the attribute coming
through, either on freeradius or using the debug radius command on the AP
a simple MAC-Auth based network using HP 2610
switches and MSM640 wireless APs as radius clients. I've added the AP to
This is a matter of choice, but personally I would advise against using
MAC-auth on wireless. It provides illusory security, and 802.1x is
pretty easy on modern equipment. You call
Server: Debian 6 (Squeeze) 2.6.32-5-amd64
FreeRadius: 2.1.10 (Debian package)
Client: HP E-MSM460 AP (MSCHAPv2, Use message authenticator)
Authentication methods for the MSM460 are: MSCHAPv2, MSCHAP, CHAP, EAP
MD5 and PAP.
I'm trying to set up a simple MAC-Auth based network using HP 2610
Hello All,
I have had this setup (http://wiki.freeradius.org/Mac-Auth) for a long
time and it has been working well. Now I am experiencing an issue with
the rewrite of the called station id to extract the SSID from the
wireless. Anyone know how I can update the rewrite called station id
function
On 14 Mar 2012, at 20:18, John Corps wrote:
Hello All,
I have had this setup (http://wiki.freeradius.org/Mac-Auth) for a long
time and it has been working well. Now I am experiencing an issue with
the rewrite of the called station id to extract the SSID from the
wireless. Anyone know how
://wiki.freeradius.org/Mac-Auth) for a long
time and it has been working well. Now I am experiencing an issue with
the rewrite of the called station id to extract the SSID from the
wireless. Anyone know how I can update the rewrite called station id
function to allow the SSID to have spaces? For example,
called
{
files
checkval
expiration
logintime
}
authenticate {
# nothing!! I know... but in fact I don't know what I can write
}
Can somebody help me? Thanks for all.
--
View this message in context:
http://freeradius.1045715.n5.nabble.com/MAC
I find the solution.
In fact, I forgot to set Cleartext-Password in the users file...
Thanks.
--
View this message in context:
http://freeradius.1045715.n5.nabble.com/MAC-auth-with-checkval-No-authenticate-method-Auth-Type-tp5450017p5450841.html
Sent from the FreeRadius - User mailing list
Arran Cudbard-Bell-5 wrote:
can anyone show me how to conf VLAN assign,mac-auth-bypass, and
redirect url?
For VLAN assignment see http://www.rfc-editor.org/rfc/rfc3580.txt, the
other features you mentioned are specific to your NAS model and vendor, so
I suggest you contact
hi all, can anyone show me how to conf VLAN assign,mac-auth-bypass, and
redirect url? thank you very much
can anyone show me how to conf VLAN assign,mac-auth-bypass, and
redirect url?
For VLAN assignment see http://www.rfc-editor.org/rfc/rfc3580.txt, the other
features you mentioned are specific to your NAS model and vendor, so I suggest
you contact their support centre or read through
Hi Guys ,
Here is the thing , im trying to use Mac-Auth , I managed to get working
using authorized-macs files , although i need to use a mysql table which i
already have with the ssid and mac-address fields and i need to add an
operator to expired macs , coz i work at a college campus
On Jul 7, 2011, at 9:05 PM, Paulo Maia wrote:
Hi Guys ,
Here is the thing , im trying to use Mac-Auth , I managed to get working
using authorized-macs files , although i need to use a mysql table which i
already have with the ssid and mac-address fields and i need to add an
operator
Hi,
Hi Guys ,
Here is the thing , im trying to use Mac-Auth , I managed to get working
using authorized-macs files , although i need to use a mysql table which
i already have with the ssid and mac-address fields and i need to add an
operator to expired macs , coz i work
Paulo Maia phc.m...@gmail.com wrote:
Here is the thing , im trying to use Mac-Auth , I managed to get
working using authorized-macs files , although i need to use a mysql
table which i already have with the ssid and mac-address fields and i
need to add an operator to expired macs , coz i
Believe me, collecting and managing MAC addresses is not something I
would wish on anyone.
I don't think so. It's helpful for managing switches to use for on
port mac-filtering
--
Best Regards, Shildyakov Alexey Vladimirovich
On Jul 7, 2011, at 10:19 PM, Alexey Shildyakov wrote:
Believe me, collecting and managing MAC addresses is not something I
would wish on anyone.
I don't think so. It's helpful for managing switches to use for on
port mac-filtering
And can be done automagically with Mac-Auth - Mac-Auth
without enable 802.1x
in the client computer ?
On Thu, Jul 7, 2011 at 4:19 PM, Alan Buxey a.l.m.bu...@lboro.ac.uk wrote:
Hi,
Hi Guys ,
Here is the thing , im trying to use Mac-Auth , I managed to get
working
using authorized-macs files , although i need to use a mysql table
which
-address without enable 802.1x
in the client computer ?
On Thu, Jul 7, 2011 at 4:19 PM, Alan Buxey a.l.m.bu...@lboro.ac.uk wrote:
Hi,
Hi Guys ,
Here is the thing , im trying to use Mac-Auth , I managed to get
working
using authorized-macs files , although i need to use a mysql table
at 4:19 PM, Alan Buxey a.l.m.bu...@lboro.ac.uk
wrote:
Hi,
Hi Guys ,
Here is the thing , im trying to use Mac-Auth , I managed to get
working
using authorized-macs files , although i need to use a mysql table
which
i already have with the ssid and mac-address fields and i
MAC-Auth has its place, but I agree with some others this isn’t the best fit.
MAC spoofing = easy. User gets new NIC or computer = often.
“You” don’t need to do anything on the client. How about you set a default
VLAN with restrictions, a captive portal of sorts. They don’t need to “login
[mailto:freeradius-users-bounces+jake.sallee=umhb@lists.freeradius.org] On
Behalf Of Gary Gatten
Sent: Thursday, July 07, 2011 5:09 PM
To: 'FreeRadius users mailing list'
Subject: RE: Mac-Auth
MAC-Auth has its place, but I agree with some others this isn’t the best fit.
MAC spoofing = easy
+jake.sallee=umhb@lists.freeradius.org] *On
Behalf Of *Gary Gatten
*Sent:* Thursday, July 07, 2011 5:09 PM
*To:* 'FreeRadius users mailing list'
*Subject:* RE: Mac-Auth
MAC-Auth has its place, but I agree with some others this isn’t the best
fit. MAC spoofing = easy. User gets new
On 06/21/2011 09:53 PM, g17jimmy wrote:
I've been looking at this for a day now and it seems like I'm close, but
something is not right. I have a freeradius server with an openldap backend
for MAC auth bypass. This system is just for test, but it is an essential
first step in my project
.
--
View this message in context:
http://freeradius.1045715.n5.nabble.com/MAC-auth-bypass-with-freeradius-openldap-tp4511949p4514243.html
Sent from the FreeRadius - User mailing list archive at Nabble.com.
with timestamp +60791
Going to the next request
Ready to process requests.
--
View this message in context:
http://freeradius.1045715.n5.nabble.com/MAC-auth-bypass-with-freeradius-openldap-tp4511949p4514401.html
Sent from the FreeRadius - User mailing list archive at Nabble.com.
.
Admittedly this is not great security, but this is not going to be the case
for long.
--
View this message in context:
http://freeradius.1045715.n5.nabble.com/MAC-auth-bypass-with-freeradius-openldap-tp4511949p451.html
Sent from the FreeRadius - User mailing list archive at Nabble.com.
On Wed, Jun 22, 2011 at 08:23:09AM -0700, g17jimmy wrote:
I guess I was too quick to call it, and it looks like the problem is still on
the NAS. You will see that the client first gets access using the MAC
address as the CSID, but at some point, the client or NAS decided to
re-auth but this
I've been looking at this for a day now and it seems like I'm close, but
something is not right. I have a freeradius server with an openldap backend
for MAC auth bypass. This system is just for test, but it is an essential
first step in my project.
I'm using freeradius2-2.1.7-7.el5, freeradius2
I am still racking my brains over this...I am pointing more and more
at the AP but not sure why for some reason it works on a test ubuntu
server and not my debian server...I have been testing it based on
ethernet mac auth using the radius section on a switch and the debian
server and ubuntu server
John Corps wrote:
... I try and connect to the WiFi and it always times out.
Putting freeradius in debug mode shows nothing useful, it shows that
it's sending the access accept packet but the connection times out
Then blame the access point.
Also, MAC auth for WiFi sounds strange. Why
I was blaming the access point but it doesn't make sense that it works fine
on my ubuntu test server. It's as if its not sending the request fast enough
to the AP to send to the client to be accepted. I am racking my brains over
this one, its very strange... I am using mac auth so it is an open
machine was working perfect for mac auth but now this setup is not working.
I try and connect to the WiFi and it always times out. Putting freeradius in
debug mode shows nothing useful, it shows that it's sending the access
accept packet but the connection times out still. Here is a sample debug
and configuration on a new debian
machine with the addition of daloradius for easy configuration by other
members of the team. I am running latest freeradius 2.1.10. The ubuntu
machine was working perfect for mac auth but now this setup is not working.
I try and connect to the WiFi and it always times out
of the team. I am running latest freeradius 2.1.10. The ubuntu
machine was working perfect for mac auth but now this setup is not working.
I try and connect to the WiFi and it always times out. Putting freeradius in
debug mode shows nothing useful, it shows that it's sending the access
accept
Ok. I was just assuming that the FreeRadius Wiki was an authoritative
source, and if it's written there, there must be something I just wasn't
understanding that required it to be that way. When I get something
working correctly, shall I register for an account and update your wiki
page
rejecting them after you've accepted them. That
makes no sense.
Alan, thanks for the pointer, it works fine now.
I just found out that the FreeRadius wiki is *not* publicly editable.
Could whoever maintains it please update the Mac-Auth article at
http://wiki.freeradius.org/Mac-Auth to remove
On 03/29/2011 07:13 PM, Jason Antman wrote:
I just found out that the FreeRadius wiki is *not* publicly editable.
Too much spam :o(
Could whoever maintains it please update the Mac-Auth article at
http://wiki.freeradius.org/Mac-Auth to remove the parts that Alan said
make no sense
This makes MUCH more sense, thanks! Now the next (relatively
new-to-radius) person won't end up as confused as I was.
I have MAC auth working with a SQL data source and custom XLAT to check
for some special field values in SQL, based on a somewhat custom schema
(more from the one-row-per-MAC
On 03/29/2011 08:52 PM, Jason Antman wrote:
This makes MUCH more sense, thanks! Now the next (relatively
new-to-radius) person won't end up as confused as I was.
I have MAC auth working with a SQL data source and custom XLAT to check
for some special field values in SQL, based on a somewhat
Jason Antman wrote:
And in post-auth{}:
### snip ###
if(control:Auth-Type == 'CSID'){
# Authorization happens here
authorized_macs.authorize
if(!ok){
reject
Uh... why? If the user is authenticated, you shouldn't be rejecting him.
If I put a sql line before this, it
Hello,
I'm running FreeRADIUS 2.1.7 on CentOS 5, and trying to configure MAC
Auth Bypass. I got everything functioning correctly using the Mac-Auth
Wiki page as a guide, including placement of the actual CSID
authentication code in the post-auth section. However, I just enabled
SQL
Jason Antman wrote:
I'm running FreeRADIUS 2.1.7 on CentOS 5, and trying to configure MAC
Auth Bypass. I got everything functioning correctly using the Mac-Auth
Wiki page as a guide, including placement of the actual CSID
authentication code in the post-auth section. However, I just enabled
I'm referencing the Mac-Auth wiki page at:
http://wiki.freeradius.org/Mac-Auth
Alan DeKok wrote:
Jason Antman wrote:
I'm running FreeRADIUS 2.1.7 on CentOS 5, and trying to configure MAC
Auth Bypass. I got everything functioning correctly using the Mac-Auth
Wiki page as a guide, including
Hi
i m using freeradius 2.1.10
i have setup mac auth based authentication like it s written here
http://wiki.freeradius.org/Mac-Auth
it works quite well
my problems is now i want to combine that with huntgroups
i have put in my /etc/raddb/huntgroups
the following line
radfiltuxmacs NAS-IP
99% of my config authenticates against ldap. There are certain situations
(mainly authenticating our old phones) where I need to have mac auth as
well. Both methods are authenticating fine. The problem is that I would
like for freeradius to not search ldap when the if ((Service-Type ==
'Call
On 13/12/10 15:03, Rob Yamry wrote:
(output below), it runs the condition and regardless of the outcome it
performs a search against ldap for the mac, which will always fail and
causes unnecessary queries.
How can I accomplish this?
Use an else:
if (...) {
}
else {
ldap
}
Perfect, thanks.
if((Service-Type == 'Call-Check') || (User-Name =~ /^%{Calling-Station-ID}$/i)){
    update control {
        Auth-Type := 'CSID'
    }
}
else{
    ldap
}
Hello!
I tried to set up MAC authorization for testing purposes according to
the instructions at
http://wiki.freeradius.org/Mac-Auth.
The solution there almost worked, except for the
raddb/sites-available/default post-auth{} section.
The wiki contains the code:
if(control:Auth-Type
according to
the instructions at
http://wiki.freeradius.org/Mac-Auth.
The solution there almost worked, except for the
raddb/sites-available/default post-auth{} section.
The wiki contains the code:
if(control:Auth-Type == 'CSID'){
# Authorization happens here
authorized_macs.authorize
We are experiencing an issue where certain policies need to push down to
laptops before the user enters their credentials to authenticate to the
wireless network. We only have Radius/802.1x enabled on the wireless right
now. Is it possible to authenticate the device based on MAC address so the