Hi Phil. Thank you for your quick answer. That's exactly what I need. Where do you get this information? It's really hard to retrieve usable information from wiki.freeradius.org...
Is there a good resource for this kind of information? I do have difficulty understanding how freeradius is processing a request and where I can hook my own logic into it.

Cheers
Mike

-----Original Message-----
From: freeradius-users-bounces+mike.langen=ofwi...@lists.freeradius.org [mailto:freeradius-users-bounces+mike.langen=ofwi...@lists.freeradius.org] On behalf of Phil Mayers
Sent: Friday, 15 October 2010 10:10
To: freeradius-users@lists.freeradius.org
Subject: Re: Combining ntlm_auth and mac address verification in freeradius

On 10/15/2010 08:06 AM, Langen Mike wrote:
> Hi there.
>
> I've got the problem that I want to combine active directory
> authentication with mac address verification. So only users whose
> hardware is listed in a text file or similar can log in.
>
> In the whole world wide web I didn't find a hint on how to combine multiple
> authentication methods in serial.

Really?

MAC "authentication" is really just a key/value lookup. You don't need to "combine two types of authentication" - just do a lookup of user->mac before doing mschap.

You haven't said, but I'm going to assume you're using 802.1x, with PEAP/MS-CHAP via ntlm_auth. In which case, you want something like this:

in eap.conf:

    eap {
      ...
      peap {
        ...
        # copy outer attributes such as Calling-Station-Id into the tunnel
        copy_request_to_tunnel = yes
      }
    }

in sites-enabled/inner-tunnel:

    authorize {
      ...
      # do e.g. an SQL lookup
      update request {
        Tmp-Integer-0 := "%{sql:select 1 from allowed where username='%{SQL-User-Name}' and mac='%{Calling-Station-Id}'}"
      }
      if (Tmp-Integer-0 == 1) {
        # this combination is allowed
      }
      else {
        # this one is not
        reject
      }
    }

Obviously you'll need to have configured SQL and created the lookup table for the above example to work.

You could also do this with "rlm_passwd", LDAP or even a "users" file. You'll need to be a bit more specific about your requirements if you want advice on that.

# now lookup user/mac

> One possibility, but there I didn't find anything at all, seems to be
> using the perl module. Is it possible to run a perl script before
> ntlm_auth takes place?
>
> Thanks for your answer.
>
> Greetings from Switzerland.
>
> Mike

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
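Added example, not part of the original thread and not FreeRADIUS code: the user->mac lookup from Phil's reply, modelled with Python and an in-memory SQLite database so the matching rules can be tested offline. The table name `allowed` and its `username` and `mac` columns come from the reply; the schema details, the helper names, the MAC normalisation, the case-insensitive username match and the sample rows are assumptions made for this example.

```python
import re
import sqlite3

def normalize_mac(raw):
    """Return 12 lowercase hex digits, or None if raw is not a 48-bit MAC.

    NAS vendors send Calling-Station-Id as 00-1A-2B-3C-4D-5E, 00:1a:2b:3c:4d:5e
    or 001a.2b3c.4d5e; an exact string compare would treat these as different.
    """
    compact = re.sub(r"[-:.\s]", "", raw or "").lower()
    return compact if re.fullmatch(r"[0-9a-f]{12}", compact) else None

def build_allowed(pairs):
    """Create the lookup table (schema is an assumption) and load user/MAC pairs."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE allowed (username TEXT NOT NULL, mac TEXT NOT NULL, "
               "PRIMARY KEY (username, mac))")
    for user, mac in pairs:
        # A malformed MAC normalises to None and is refused by NOT NULL,
        # so a typo in the allow-list fails loudly at load time.
        db.execute("INSERT INTO allowed VALUES (?, ?)",
                   (user.lower(), normalize_mac(mac)))
    return db

def is_allowed(db, username, calling_station_id):
    """Default deny: True only when this user/MAC pair is listed."""
    mac = normalize_mac(calling_station_id)
    if not username or mac is None:
        return False
    # Bound parameters keep client-supplied values out of the SQL text.
    row = db.execute("SELECT 1 FROM allowed WHERE username = ? AND mac = ?",
                     (username.lower(), mac)).fetchone()
    return row is not None

# Constructed sample data, not taken from any real deployment.
SAMPLE = [("alice", "00:1A:2B:3C:4D:5E"), ("bob", "0011.2233.4455")]

if __name__ == "__main__":
    db = build_allowed(SAMPLE)
    for user, csid in [("alice", "00-1a-2b-3c-4d-5e"),   # listed, other spelling
                       ("alice", "00:11:22:33:44:55"),   # bob's device
                       ("bob", "")]:                     # attribute missing
        print(user, repr(csid), "allow" if is_allowed(db, user, csid) else "reject")
```

If the NAS devices in use send differing Calling-Station-Id formats, the same normalisation has to happen before the lookup on the RADIUS server, with the table storing the normalised form.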