Re: Mac based auth (FreeRADIUS Users forum, Networking and Network Related category)
jonr@destar.net wrote:
> Quoting Alan DeKok <aland@deployingradius.com>:
>
>> And yes, I cover all of this in my
>> book, which will be done real soon now...
>
> This is the book I am waiting to read. The O'Reilly book is a good primer but
> really doesn't get to the meat of what Radius can do.
>
>> You can do:
>>
>> bob Calling-Station-Id != "0001....", Auth-Type := Reject
>>
>
> Could I also do:
>
> bob password = "neil", Calling-Station-Id != "0001....", Auth-Type := Reject
>
> So that both pieces of information have to be present to be authenticated?

No, that would always reject the user. You could do this:

    bob Calling-Station-Id != "0001....", Auth-Type := Reject
    bob User-Password := "neil"

Can you instead use rlm_checkval like this:

    modules {
        passwd user2allowedmacs {
            filename = /etc/raddb/user2allowedmacs
            format = "*User-Name:Calling-Station-Id"
            hashsize = 100
            allowmultiplekeys = yes
        }
        checkval usermacs {
            item-name = Calling-Station-Id
            check-name = Calling-Station-Id
            data-type = string
            notfound-reject = yes
        }
    }

    authorize {
        preprocess
        user2allowedmacs
        usermacs
        # other stuff
    }

/etc/raddb/user2allowedmacs:

    user1:001122334455
    user1:aabbccddeeff
    user2:0123456789ab

....I think that ought to work?

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
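A model of the per-user MAC check the configuration above is meant to perform, as an added example that is not part of the original post and is not FreeRADIUS code. It assumes exact string comparison (`data-type = string`) and rejection of users with no listed MAC (`notfound-reject = yes`); the function names, the sample requests and the `normalize` option are constructed here, the last to show how a NAS that sends separators or upper case fails the exact match.

```python
import re
from collections import defaultdict

# Constructed sample in the layout of the post's /etc/raddb/user2allowedmacs
SAMPLE_FILE = """\
user1:001122334455
user1:aabbccddeeff
user2:0123456789ab
"""

def load_allowed(text):
    """Parse 'User-Name:Calling-Station-Id' lines; a user may have several."""
    allowed = defaultdict(set)
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        user, _, mac = line.partition(":")
        allowed[user].add(mac)
    return allowed

def normalize_mac(value):
    """Strip separators and lowercase; None unless 12 hex digits remain."""
    digits = re.sub(r"[-:.\s]", "", value).lower()
    return digits if re.fullmatch(r"[0-9a-f]{12}", digits) else None

def check(allowed, user, calling_station_id, normalize=False):
    """Return 'ok' if the value is listed for this user, else 'reject'."""
    macs = allowed.get(user)
    if not macs:                       # assumption: unlisted user is rejected
        return "reject"
    if normalize:                      # hypothetical pre-processing step
        calling_station_id = normalize_mac(calling_station_id)
        if calling_station_id is None:
            return "reject"
        macs = {normalize_mac(m) for m in macs} - {None}
    return "ok" if calling_station_id in macs else "reject"

def demo():
    """Run constructed requests: (user, value, exact result, normalized result)."""
    allowed = load_allowed(SAMPLE_FILE)
    requests = [("user1", "aabbccddeeff"), ("user1", "0123456789ab"),
                ("user1", "AA-BB-CC-DD-EE-FF"), ("user3", "001122334455")]
    return [(u, c, check(allowed, u, c), check(allowed, u, c, normalize=True))
            for u, c in requests]

if __name__ == "__main__":
    for row in demo():
        print(row)
```

The third request is the case to watch: the MAC is one of user1's, but the exact comparison rejects it until the file entries and the NAS value use the same format.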