Re: MAC authorisation (but not authentication) via LDAP

Old 02-25-2007
Phil Mayers

Markus Krause wrote:

> don't know if it is a good solution, but i just do this by setting the
> following in radiusd.conf:
>
> authenticate {
> ...
> Auth-Type LdapMAC {
> ok
> }
> ...
> }
>
> the Auth-Type is set in users file depending on huntgroups:
>
> DEFAULT Huntgroup-Name == switch, Autz-Type := LdapMAC, Auth-Type := LdapMAC
>
> i assume there are better/smarter solutions as one can read "don't
> set Auth-Type" on many places but it works here ;-)


Sorry, but it's an awful suggestion. Don't do it, and certainly don't
recommend others do it. There's no need to go setting Auth-Type to
random values.

The correct way to do this is to reject unknown, not blindly accept known.

Example - you could modify the ldap group membership query to find
groups based on both the username and callingstationid:

groupmembership_filter = "(|(&(objectClass=GroupOfMacaddrs)(member=%{Calling-Station-Id}))(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn})))"

Then in "ldap":

dn: cn=GoodMacs,dc=example,dc=com
objectClass: top
objectClass: GroupOfMacaddrs
member: 00:11:22:33:44:55
member: 66:77:88:99:aa:bb

Then in the "users" file:

DEFAULT Ldap-Group == "GoodMacs"
        Fall-Through = No

DEFAULT Auth-Type := Reject
        Reply-Message = "your mac is unknown"

There are lots of variations of this scheme.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
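The deny-by-default policy above (accept only MACs that are members of GoodMacs, reject everything else) is easy to get subtly wrong, because the LDAP `member` comparison is a literal string match while NAS vendors send Calling-Station-Id in several formats (`00-11-22-33-44-55`, `0011.2233.4455`, `001122334455`, or the colon form). The following Python script is an added example, not code from the post or from FreeRADIUS: it parses a constructed LDIF modelled on the GoodMacs entry, canonicalises the Calling-Station-Id, and applies the same "reject unknown" decision the users file expresses. The group name `GoodMacs`, the second `Printers` group and all MAC addresses are constructed sample data; the `Ldap-UserDn` half of the filter (real user authentication) is deliberately not modelled.

```python
import re
from typing import Dict, Optional, Set, Tuple

# Constructed LDIF modelled on the GoodMacs entry in the post; the Printers
# group is an extra constructed entry to show that only the named group grants access.
SAMPLE_LDIF = """\
dn: cn=GoodMacs,dc=example,dc=com
objectClass: top
objectClass: GroupOfMacaddrs
member: 00:11:22:33:44:55
member: 66:77:88:99:aa:bb

dn: cn=Printers,dc=example,dc=com
objectClass: top
objectClass: GroupOfMacaddrs
member: aa:bb:cc:dd:ee:ff
"""

MAC_HEX_RE = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(calling_station_id: str) -> Optional[str]:
    """Canonicalise a Calling-Station-Id into lowercase colon-separated hex.

    The directory stores members as 00:11:22:33:44:55, and LDAP compares the
    attribute value literally, so every vendor spelling must be mapped to that
    form before the lookup. Returns None when the value is not a MAC at all
    (e.g. a dial-in phone number), which must then fall through to reject.
    """
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", calling_station_id).lower()
    if not MAC_HEX_RE.match(hexdigits):
        return None
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def parse_ldif_groups(ldif: str) -> Dict[str, Set[str]]:
    """Map each GroupOfMacaddrs cn to the set of its normalised member MACs.

    Minimal LDIF reader: entries are blank-line separated, attributes are
    'name: value'. Entries without objectClass GroupOfMacaddrs are ignored,
    mirroring the objectClass test in the groupmembership_filter.
    """
    groups: Dict[str, Set[str]] = {}
    for entry in ldif.strip().split("\n\n"):
        attrs: Dict[str, list] = {}
        for line in entry.splitlines():
            name, _, value = line.partition(": ")
            attrs.setdefault(name, []).append(value)
        if "GroupOfMacaddrs" not in attrs.get("objectClass", []):
            continue
        # First RDN of the dn is cn=<name>
        cn = attrs["dn"][0].split(",")[0].split("=", 1)[1]
        members = {m for m in (normalize_mac(v) for v in attrs.get("member", [])) if m}
        groups[cn] = members
    return groups


def authorize(groups: Dict[str, Set[str]], calling_station_id: str,
              allowed_group: str = "GoodMacs") -> Tuple[str, str]:
    """Apply the users-file policy from the post: members of the allowed group
    are accepted, everything else is rejected with the Reply-Message.

    Unknown MACs, malformed values and members of other groups all take the
    same reject branch, so the only way in is an explicit directory entry.
    """
    mac = normalize_mac(calling_station_id)
    if mac is not None and mac in groups.get(allowed_group, set()):
        return ("accept", "")
    return ("reject", "your mac is unknown")


if __name__ == "__main__":
    groups = parse_ldif_groups(SAMPLE_LDIF)
    for csid in ("00-11-22-33-44-55", "6677.8899.AABB", "aa:bb:cc:dd:ee:ff", "+15551234567"):
        print(csid, "->", authorize(groups, csid))
```

In a live deployment the canonicalisation step belongs in front of the ldap module rather than in a script (newer FreeRADIUS releases ship a `rewrite_calling_station_id` policy for this); the point of the script is to show that both the format mismatch and the absent entry end up in the reject branch, which is exactly the property the "accept known, reject everything else" layout guarantees and a blanket `Auth-Type := LdapMAC { ok }` does not.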