This is a discussion on Re: MAC authorisation (but not authentication) via LDAP within the FreeRADIUS Users forums, part of the Networking and Network Related category.
Quoting Martin Whinnery <martin.whinnery@sbc.ac.uk>:

> Hi.
>
> Probly just me not understanding...
>
> What I want is for our switches to only allow access to MAC addresses in
> our LDAP database.
>
> I don't want to store passwords on our LDAP host entries.
>
> I'm set up to check LDAP during authorisation, and it correctly returns
> authorised / not authorised depending on whether the appropriate
> attribute contains the right value.
>
> The trouble comes with authentication - either I set Auth-Type :=
> Accept, in which case any failed authorisation is overridden, or I allow
> authentication to carry on against LDAP ( or System, or whatever ), in
> which case it fails always and access is denied, even for authorised MACs.
>
> Is there a way to make the Authorisation part final and authoritative?
>
> As I say, probly just being stoopid.
>
> Mart

Don't know if it is a good solution, but I just do this by setting the
following in radiusd.conf:

    authenticate {
        ...
        Auth-Type LdapMAC {
            ok
        }
        ...
    }

The Auth-Type is set in the users file depending on huntgroups:

    DEFAULT Huntgroup-Name == switch, Autz-Type := LdapMAC, Auth-Type := LdapMAC

I assume there are better/smarter solutions, as one can read "don't set
Auth-Type" in many places, but it works here ;-)

regards
markus

+-----------------------------------------------------------------+
| Markus Krause, Mogli-Soft                                       |
| Support for Mac OS X, Webmail/Horde, LDAP, RADIUS               |
| by order of the                                                 |
| Computing Center of the Max-Planck-Institute of Biochemistry    |
+--------------------------------+--------------------------------+
| E-Mail: krause@biochem.mpg.de  | Tel.: 089 - 89 40 85 99        |
|         markus.krause@mac.com  | Fax.: 089 - 89 40 85 98        |
| Skype:  markus.krause          | iChat: markus.krause@mac.com   |
+--------------------------------+--------------------------------+

-
List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html
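
The pieces described in the reply above, put together in one radiusd.conf fragment. This is an added example, not configuration from the original posts or from the FreeRADIUS project. It assumes FreeRADIUS 1.x/2.x section syntax, an LDAP module instance named `ldap`, and that the `notfound = reject` override is needed because the LDAP module returns notfound for a MAC with no entry, a result the authorize phase would otherwise pass on to the always-ok authenticate section.

```conf
# radiusd.conf (fragment). Added example, not from the original thread.
# Assumption: an rlm_ldap instance called "ldap" is defined in modules { }.

authorize {
    # Sets Huntgroup-Name from the huntgroups file, so the users
    # file entry below can match on it.
    preprocess

    # Reads the users file. The entry from the reply,
    #   DEFAULT Huntgroup-Name == switch, Autz-Type := LdapMAC, Auth-Type := LdapMAC
    # selects the two LdapMAC sub-sections for requests from switches only.
    files

    # Runs only when Autz-Type == LdapMAC. This lookup is the real
    # access decision; no password is stored or compared.
    Autz-Type LdapMAC {
        ldap {
            # Assumption (see lead-in): a MAC with no LDAP entry yields
            # "notfound". Turn that into a reject here, because the
            # authenticate section below accepts whatever reaches it.
            notfound = reject
        }
    }
}

authenticate {
    # Reached only if authorize did not reject. "ok" makes the
    # authentication step succeed without any credential check,
    # so authorisation above stays final.
    Auth-Type LdapMAC {
        ok
    }
}
```

Running the server in debug mode (`radiusd -X`) and sending a request for a MAC that has no LDAP entry shows whether the Autz-Type section rejects it before the authenticate section is reached.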