AW: Combining ntlm_auth and mac address verification in freeradius

2010-10-15 Thread Langen Mike
Hi Phil.

Thank you for your quick answer. That's exactly what I need.
Where do you get this information?
It's really hard to retrieve usable information from wiki.freeradius.org...

Is there a good resource for this kind of information? I have difficulty 
understanding how freeradius processes a request and where I can hook my 
own logic into it.

Cheers Mike


-Original Message-
From: freeradius-users-bounces+mike.langen=ofwi...@lists.freeradius.org 
[mailto:freeradius-users-bounces+mike.langen=ofwi...@lists.freeradius.org] On 
Behalf Of Phil Mayers
Sent: Friday, 15 October 2010 10:10
To: freeradius-users@lists.freeradius.org
Subject: Re: Combining ntlm_auth and mac address verification in freeradius

On 10/15/2010 08:06 AM, Langen Mike wrote:
> Hi there.
>
> I've got the problem that I want to combine active directory
> authentication with mac address verification. So only users whose
> hardware is listed in a text file or similar can log in.
>
> In the whole world wide web I didn't find a hint how to combine multiple
> authentication methods in serial.

Really?

MAC authentication is really just a key/value lookup. You don't need 
to combine two types of authentication - just do a lookup of user-mac 
before doing mschap.

You haven't said, but I'm going to assume you're using 802.1x, with 
PEAP/MS-CHAP via ntlm_auth.

In which case, you want something like this:

in eap.conf:

eap {
   ...
   peap {
      ...
      copy_request_to_tunnel = yes
   }
}

in sites-enabled/inner-tunnel:

authorize {
   ...
   # now lookup user/mac
   # do e.g. an SQL lookup
   # (Calling-Station-Id is only visible in the inner tunnel because of
   # copy_request_to_tunnel = yes in eap.conf)
   update request {
      Tmp-Integer-0 := "%{sql:select 1 from allowed where username='%{SQL-User-Name}' and mac='%{Calling-Station-Id}'}"
   }
   if (Tmp-Integer-0 == 1) {
      # this combination is allowed
   }
   else {
      # this one is not
      reject
   }
}


Obviously you'll need to have configured SQL and created the lookup 
table for the above example to work. You could also do this with 
rlm_passwd, LDAP or even a users file. You'll need to be a bit more 
specific about your requirements if you want advice on that.


> One possibility, but there I didn't find anything at all, seems to be
> using the perl module. Is it possible to run a perl script before
> ntlm_auth takes place?
>
> Thanks for your answer.
>
> Greetings from Switzerland.
>
> Mike


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

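The user/MAC lookup Phil sketches above, modelled end to end as an added example; this is not code from the thread or from FreeRADIUS. It assumes the `allowed` table with `username` and `mac` columns that his `%{sql:...}` query implies, builds it in an in-memory SQLite database from constructed sample pairs, and runs the same SELECT for a few constructed inner-tunnel requests, returning `ok` (carry on to mschap) or `reject` exactly where the unlang `if`/`else` would. It goes one step beyond the thread by normalising the MAC on both sides of the comparison, because different NAS vendors send Calling-Station-Id in different spellings and an exact string compare only matches one of them.

```python
import re
import sqlite3

# Constructed sample allow-list, standing in for the "allowed" table the
# %{sql:...} xlat in the inner-tunnel authorize section queries.
# Users and MACs are hypothetical; the spellings are deliberately mixed.
ALLOWED_PAIRS = [
    ("alice", "00:11:22:33:44:55"),   # entered colon-separated
    ("bob",   "aabb.ccdd.eeff"),      # entered Cisco-style
]


def normalise_mac(raw):
    """Reduce any common MAC spelling to AA-BB-CC-DD-EE-FF.

    NAS vendors send Calling-Station-Id as 00-11-22-33-44-55,
    00:11:22:33:44:55, 0011.2233.4455 or 001122334455.  Stored and
    presented values are normalised the same way so the lookup is
    independent of which NAS the user connects through.
    """
    digits = re.sub(r"[^0-9A-Fa-f]", "", raw)
    if len(digits) != 12:
        raise ValueError("not a MAC address: %r" % raw)
    digits = digits.upper()
    return "-".join(digits[i:i + 2] for i in range(0, 12, 2))


def build_allowed_db(pairs=ALLOWED_PAIRS):
    """Create the allow-list table in memory and load the constructed pairs."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE allowed ("
        "  username TEXT NOT NULL,"
        "  mac      TEXT NOT NULL,"
        "  PRIMARY KEY (username, mac))"
    )
    conn.executemany(
        "INSERT INTO allowed (username, mac) VALUES (?, ?)",
        [(user, normalise_mac(mac)) for user, mac in pairs],
    )
    conn.commit()
    return conn


def user_mac_allowed(conn, username, calling_station_id):
    """The same SELECT as the xlat, written as a parametrised query."""
    try:
        mac = normalise_mac(calling_station_id)
    except ValueError:
        return False    # missing or malformed Calling-Station-Id: no match
    row = conn.execute(
        "SELECT 1 FROM allowed WHERE username = ? AND mac = ?",
        (username, mac),
    ).fetchone()
    return row is not None


def authorize(conn, request):
    """Mirror the if/else in authorize: 'ok' lets the request go on to
    mschap, 'reject' ends it before any credential is checked."""
    username = request.get("User-Name", "")
    csid = request.get("Calling-Station-Id", "")
    return "ok" if user_mac_allowed(conn, username, csid) else "reject"


if __name__ == "__main__":
    db = build_allowed_db()
    # Constructed inner-tunnel requests (the attributes a NAS would send).
    for req in (
        {"User-Name": "alice", "Calling-Station-Id": "00-11-22-33-44-55"},
        {"User-Name": "alice", "Calling-Station-Id": "00-11-22-33-44-56"},
        {"User-Name": "bob",   "Calling-Station-Id": "AA:BB:CC:DD:EE:FF"},
        {"User-Name": "bob",   "Calling-Station-Id": ""},
    ):
        print(req, "->", authorize(db, req))
```

One thing to check before copying the idea into a real `allowed` table: the inner-tunnel User-Name is whatever the supplicant sends as its PEAP inner identity, which may carry a domain prefix or realm suffix, and the query above compares it as an exact string just as Phil's does.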


Re: AW: Combining ntlm_auth and mac address verification in freeradius

2010-10-15 Thread Phil Mayers

On 15/10/10 10:13, Langen Mike wrote:
> Hi Phil.
>
> Thank you for your quick answer. That's exactly what I need. Where
> do you get this information? It's really hard to retrieve usable
> information from wiki.freeradius.org...

Mainly accumulated knowledge.

> Is there a good resource for this kind of information? I have
> difficulty understanding how freeradius processes a request
> and where I can hook my own logic into it.

The docs that come with the server cover a lot of this; have a look in 
particular at:


doc/aaa
doc/module_interface
doc/configurable_failover

If these are unclear, please say how, so they can be improved!

FreeRadius is really quite simple in principle; a radius request 
consists of a list of attribute/value pairs. The request is received and 
two more empty lists are created - the config and reply items. The 
request is passed through the authorize section, with each module 
altering the request/config/reply items and perhaps terminating the 
processing.

The request is then passed through the authenticate section obeying 
the Auth-Type variable in the config item. Finally it's passed 
through the post-auth section.

FreeRadius 2.x adds if () statements as special modules so the 
processing can be conditional (see man unlang) but it's all just a chain 
of modules under the hood. Very clever & flexible!


If you really want to understand the way it works, there's no substitute 
for slowly, carefully working through some config options, and watching 
the output from radiusd -X. The best way is:


 1. build/install freeradius
 2. Put the /etc/raddb directory under version control
 3. Run some test authentications using radclient or eapol_test
 4. Commit the working config
 5. Change *one* thing
 6. goto 3 ;o)


AW: AW: Combining ntlm_auth and mac address verification in freeradius

2010-10-15 Thread Langen Mike
Hi Phil.

Thank you very much.
That would do for now!

Kind regards

Mike


-Original Message-
From: freeradius-users-bounces+mike.langen=ofwi...@lists.freeradius.org 
[mailto:freeradius-users-bounces+mike.langen=ofwi...@lists.freeradius.org] On 
Behalf Of Phil Mayers
Sent: Friday, 15 October 2010 12:03
To: freeradius-users@lists.freeradius.org
Subject: Re: AW: Combining ntlm_auth and mac address verification in freeradius
