Hi,

we have deployed an OpenSource MAC based solution which is optionally tied to FreeRadius. With this you can have better control of the MAC addresses that you have in your network.

- For non 802.1x capable devices, we have the option of using "VMPS" or performing a MAC-Auth-Bypass if your switch allows it.
- For 802.1x we use FreeRadius 1.1.3 configured to authenticate the user against a Windows Domain controller and after checking the user credentials we check for the MAC address to assign the Vlan.
- A virtual machine has been released with the software needed to make it easy to test. You only have to download it and configure it.

We have a MySQL backend and a Windows GUI & Web GUI for administering the MAC addresses that automagically come into the database.

Please go to http://www.freenac.net and let us know what you think of our system.

Regards,
Hector

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Collen Blijenberg
Sent: Wednesday, 29 November 2006 11:29
To: FreeRadius users mailing list
Subject: Re: Mac based auth

Looks good, I was also wondering if this could be done with mysql as backend?!

Cheers,
Collen

Phil Mayers wrote:
> [EMAIL PROTECTED] wrote:
>>>> Could I also do:
>>>>
>>>> bob password = "neil", Calling-Station-Id != "0001....", Auth-Type := Reject
>>>>
>>>> So that both pieces of information have to be present to be
>>>> authenticated?
>>>
>>> No, that would always reject the user. You could do this:
>>>
>>> bob Calling-Station-Id != "0001....", Auth-Type := Reject
>>>
>>> bob User-Password := "neil"
>>
>> Well that's too easy. :)
>>
>>> Can you instead use rlm_checkval like this:
>>>
>>> modules {
>>>   passwd user2allowedmacs {
>>>     filename = /etc/raddb/user2allowedmacs
>>>     format = "*User-Name:Calling-Station-Id"
>>>     hashsize = 100
>>>     allowmultiplekeys = yes
>>>   }
>>>   checkval usermacs {
>>>     item-name = Calling-Station-Id
>>>     check-name = Calling-Station-Id
>>>     data-type = string
>>>     notfound-reject = yes
>>>   }
>>> }
>>
>> Which file would the above be placed in and does it need to be placed
>> in a certain area of the file or can it just be added to the bottom
>> of the file? And
>
> It's a partial fragment of radiusd.conf - you would need to inspect
> how the radiusd.conf hierarchical config works, and put the two module
> definitions in along with anything else you need
>
>> when I see 'rlm_' I think realm which makes me think ldap or
>> kerberos, neither of which I am using, will this be a problem?
>
> rlm == radius loadable module, nothing to do with realms (although
> there is an rlm_realm for dealing with realms!)
>
>>> authorize {
>>>   preprocess
>>>   user2allowedmacs
>>>   usermacs
>>>   # other stuff
>>> }
>>
>> So whatever I name my module I will have to add to the authorize
>> stanza in the radius.conf file, correct?
>
> Yep
>
>>> /etc/raddb/user2allowedmacs:
>>>
>>> user1:001122334455
>>> user1:aabbccddeeff
>>> user2:0123456789ab
>>>
>>> ...I think that ought to work?
>>
>> Thanks for the info, this is gold!
>>
>> Jon
>> - List info/subscribe/unsubscribe? See
>> http://www.freeradius.org/list/users.html
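
Added example, not part of the thread and not FreeRADIUS code: with `data-type = string` the quoted checkval block compares strings, so entries in `/etc/raddb/user2allowedmacs` have to be in the same form as the Calling-Station-Id the NAS sends. This Python script lints a file in that `User-Name:Calling-Station-Id` format and mimics the accept/reject decision after normalizing MACs; the function names and sample data are constructed, and the normalization step is an assumption of the example, not something the quoted configuration performs.

```python
import re

# Constructed sample in the thread's "User-Name:Calling-Station-Id" format;
# the last two lines are deliberately malformed.
SAMPLE = """\
user1:001122334455
user1:aabbccddeeff
user2:0123456789ab
user3:00-11-22-33-44
:0123456789ab
"""

def normalize_mac(value):
    """Return 12 lowercase hex digits, or None if value is not a MAC."""
    digits = re.sub(r"[-:.\s]", "", value).lower()
    return digits if re.fullmatch(r"[0-9a-f]{12}", digits) else None

def load_allowed(text):
    """Parse the file; return ({user: {macs}}, [(line_no, line)] for bad lines)."""
    allowed, errors = {}, []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        user, sep, mac = line.partition(":")  # MAC itself may contain ':'
        norm = normalize_mac(mac)
        if not sep or not user or norm is None:
            errors.append((no, line))
            continue
        allowed.setdefault(user, set()).add(norm)  # several MACs per user
    return allowed, errors

def check(allowed, user_name, calling_station_id):
    """Mimic the thread's policy: unknown user or non-matching MAC is rejected."""
    mac = normalize_mac(calling_station_id)
    return mac is not None and mac in allowed.get(user_name, set())

if __name__ == "__main__":
    allowed, errors = load_allowed(SAMPLE)
    for no, line in errors:
        print(f"line {no}: malformed entry {line!r}")
    # Constructed requests using two common Calling-Station-Id notations.
    for user, csid in [("user1", "00-11-22-33-44-55"), ("user2", "0011.2233.4455")]:
        print(user, csid, "accept" if check(allowed, user, csid) else "reject")
```
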

