On Fri, Mar 18, 2005, Chris Knipe wrote:
> Why not just use Calling-Station-Id as a check item???

In fact, the logins and MAC addresses are in a PostgreSQL database, along with much other data about our users. I certainly could have used the postgresql module (and I will probably try later), but I used an external script partly out of laziness, and partly because when a user fails authorization, I want to do and log different things depending on the cause of the failure (unknown MAC, MAC owned by another user, disabled account, ...)

>
> --
> Chris.
>
>
> ----- Original Message -----
> From: "Alexandre Coninx" <[EMAIL PROTECTED]>
> To: <[email protected]>
> Sent: Friday, March 18, 2005 3:54 PM
> Subject: Re: authentication by mac adress, username and password
>
>
> >On Thu, Mar 17, 2005, Markus Krause wrote:
> >>hi all,
> >>
> >>i want to authenticate users at a cisco router by checking the
> >>mac-address, the username and the password. (how) can this be
> >>done using freeradius?
> >
> >Hello,
> >
> >I manage to do that by first checking the MAC during the authorization
> >process with an external script (using the exec module), and then
> >authenticating the user with user/password with whatever method you
> >want to use (in my case PEAP-MSCHAPv2 + ntlm_auth, but any other should
> >work).
> >
> >My radiusd.conf looks like this:
> >
> >modules {
> >    ...
> >    exec mac_check {
> >        wait = yes
> >        program = "/path/to/your/script.pl %{User-Name} %{Calling-Station-Id}"
> >        input_pairs = request
> >        output_pairs = reply
> >        packet_type = Access-Request
> >        ...
> >    }
> >}
> >
> >authorize {
> >    preprocess
> >    auth_log
> >    mac_check
> >    mschap
> >    eap
> >}
> >
> >authenticate {
> >    Auth-Type MS-CHAP {
> >        mschap
> >    }
> >    eap
> >}
> >
> >
> >The script is a simple perl script that connects to our members
> >database, checks if the MAC is registered and belongs to the
> >member trying to connect, and refuses (exit 1;) or accepts (exit 0;)
> >authorization based on that.
> >
> >There is probably a cleaner way to do that, but it works well.
> >
> >--
> >Endy
> >
> >-
> >List info/subscribe/unsubscribe? See
> >http://www.freeradius.org/list/users.html

--
Endy
"You need a good reason to cry, but not to smile."

