(Solved) Re: MAC authorisation (but not authentication) via LDAP



02-25-2007
Martin Whinnery

Martin Whinnery wrote:
> Markus Krause wrote:
>
>> Quoting Martin Whinnery <martin.whinnery@sbc.ac.uk>:
>>
>>> Hi.
>>>
>>> Probly just me not understanding...
>>>
>>> What I want is for our switches to only allow access to MAC addresses in
>>> our LDAP database.
>>>
>>> I don't want to store passwords on our LDAP host entries.
>>>
>>> I'm set up to check LDAP during authorisation, and it correctly returns
>>> authorised / not authorised depending on whether the appropriate
>>> attribute contains the right value.
>>>
>>> The trouble comes with authentication - either I set Auth-Type :=
>>> Accept, in which case any failed authorisation is overridden, or I allow
>>> authentication to carry on against LDAP ( or System, or whatever ), in
>>> which case it always fails and access is denied, even for authorised MACs.
>>>
>>> Is there a way to make the Authorisation part final and authoritative?
>>>
>>> As I say, probly just being stoopid.
>>>
>>> Mart
>>
>> don't know if it is a good solution, but i just do this by setting the
>> following in radiusd.conf:
>>
>> authenticate {
>>     ...
>>     Auth-Type LdapMAC {
>>         ok
>>     }
>>     ...
>> }
>>
>> the Auth-Type is set in users file depending on huntgroups:
>>
>> DEFAULT Huntgroup-Name == switch, Autz-Type := LdapMAC, Auth-Type := LdapMAC
>>
>> i assume there are better/smarter solutions as one can read "don't
>> set Auth-Type" in many places but it works here ;-)
>>
>> regards
>> markus
>>
>
> Thanks Markus,
>
> the problem seems to be that the authorisation pass returns "notfound",
> whereas I want it to "reject", as if it found an entry in LDAP without
> the appropriate attribute.
>
> Mart
>

This was exactly the problem. What I've done is create an exec module,
which checks for 'not found' in MODULE_FAILURE_MESSAGE, returning
non-zero if there's a match. So authorization *fails* rather than
succeeds with 'not found'.

I think.

Anyway, it works.

Thanks for all your help.

Mart


List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
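The following is an added example, not a script posted in this thread and not part of FreeRADIUS itself. It sketches the exec-module check Martin describes in his final message, and it is the piece that makes Markus's `Auth-Type LdapMAC { ok }` trick safe: once authorize rejects a MAC that is absent from the directory, an always-ok authenticate section can no longer override that result. It relies on the exec module being run with `input_pairs = request`, which exports request attributes as environment variables with the name upper-cased and dashes replaced by underscores, so `Module-Failure-Message` arrives as `MODULE_FAILURE_MESSAGE`. The script path, the module name `ldapmac_check`, and the radiusd.conf wiring in the comments are assumptions, as is the sample text of the LDAP failure messages.

```shell
#!/bin/sh
# Added example (not the poster's script): an rlm_exec helper that turns an
# LDAP "not found" during authorize into a reject instead of letting the
# request fall through to an always-accepting Auth-Type.
#
# Assumed wiring in radiusd.conf (constructed; adapt names and paths):
#   modules {
#       exec ldapmac_check {
#           wait = yes
#           program = "/usr/local/bin/ldapmac_check.sh"
#           input_pairs = request
#       }
#   }
#   authorize {
#       ldap
#       ldapmac_check
#   }
#
# Exit codes: 0 = ok, 1 = reject, 2 = fail. On FreeRADIUS 1.x any non-zero
# exit rejects the request; newer releases map the code to a module return
# code, so 1 is reject and 2 is fail. Both deny access.

# check_ldap_failure MESSAGE
#   ""                    -> 0  the ldap module raised no failure, carry on
#   "... not found ..."   -> 1  MAC is not in the directory, reject
#   anything else         -> 2  some other LDAP problem (e.g. the directory
#                               is unreachable), fail closed rather than
#                               admitting every MAC during an outage
check_ldap_failure() {
    msg=$1
    [ -z "$msg" ] && return 0
    # Case-insensitive match on the text the ldap module leaves behind.
    lower=$(printf '%s' "$msg" | tr 'A-Z' 'a-z')
    case $lower in
        *"not found"*) return 1 ;;
        *)             return 2 ;;
    esac
}

# When run by rlm_exec, act on the exported attribute. If no failure message
# was exported the script simply finishes with status 0 (ok).
if [ -n "${MODULE_FAILURE_MESSAGE:-}" ]; then
    check_ldap_failure "$MODULE_FAILURE_MESSAGE"
    exit $?
fi
```

Mapping any other failure message to a denial is a deliberate choice: the point of the check is to make authorize authoritative, and a directory outage should look like "no MAC is authorised" rather than "every MAC is authorised". If the exact wording of your ldap module's failure message differs, adjust the pattern after confirming it with a debug run (`radiusd -X`), which prints the Module-Failure-Message attribute as the request is processed.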