On 26 Aug 2013, at 11:39, Nikolaos Milas <[email protected]> wrote:

> On 26/8/2013 12:15 μμ, Arran Cudbard-Bell wrote:
> 
>> No. It's a really inefficient way of doing this.
> 
> Thanks Arran,
> 
> Yet, would it be logically/technically correct?

Sure.

> 
>> Use generic attribute maps or an update ldap schema to pull the necessary 
>> values into control attributes,
>> and then do the comparison in policy language.
> 
> Hmm, if I understand right, I could query once a custom attribute with e.g. 
> the value of 0/1/2 depending on the type of mac-auth we would like to do.
> 
> Thus, two LDAP queries would suffice to check correctly the client in all 
> cases, where in my initial script we would need 3 at best or 4 at worst.

Unless you are querying different DNs for the different Mac-Auth types then 
doing this is the wrong way to approach this.

the presence of the attributes in the LDAP object to dictate what type of 
authorisation you're doing.

Map the check items:

radiusNASIPAddress
radiusNASPort (add it to the default schema or use radiusHint instead)

to the check items NAS-IP-Address and NAS-Port

authorize {
    preprocess
    rewrite_calling_station_id

    ldap
    if (!ok && !updated) {
        reject
    }

    if (control:NAS-IP-Address) {
        if (control:NAS-IP-Address != "%{%{NAS-IP-Address}:-%{Packet-Src-IP-Address}}") {
            reject
        }

        if (control:NAS-Port && (control:NAS-Port != "%{%{NAS-Port}:-%{NAS-Port-ID}}")) {
            reject
        }
    }

    update control {
        Auth-Type := Accept
    }
}

Reject has the same effect as a return statement in the above.


> 
> The example would be to use a policy like:
> 
> set_mac_auth_type {
>     update request {
>         auth_type := "%{ldap_macauth:ldap:///ou=Nodes,dc=example,dc=com?macauthtype?sub?macAddress=%{Calling-Station-Id}}"
>     }
> }

You may as well use Autz-Type.

i.e. map an attribute macautztype to the checkItem autz-type

authorize {
    preprocess
    rewrite_calling_station_id

    ldap
    if (!ok && !updated) {
        reject
    }

    Autz-Type nas {
        # do stuff
    }

    Autz-Type nas_and_port {
        # do stuff
    }
}

You can then check the states of the various other control attributes inside 
one of those Autz-Type sections.

Policy execution will effectively ignore Autz-Type sections the first pass 
through authorize, and then loop back round
and enter one of them.


Arran Cudbard-Bell <[email protected]>
FreeRADIUS Development Team
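Putting the two halves of the advice above together (the attribute map plus the Autz-Type sections with the actual comparisons filled in), as an added example that is not from the thread or from the FreeRADIUS distribution; the LDAP attribute names macautztype, radiusNASIPAddress and radiusNASPort are the ones named in the thread and are assumed to exist in the directory schema:

```unlang
# raddb/ldap.attrmap (excerpt): map LDAP attributes onto RADIUS check items.
# The three attribute names are assumptions taken from the thread, not stock schema.
checkItem	Autz-Type	macautztype
checkItem	NAS-IP-Address	radiusNASIPAddress
checkItem	NAS-Port	radiusNASPort

# raddb/sites-enabled/default, authorize section (FreeRADIUS 2.x unlang).
# A constructed LDAP entry for a node would carry, for example:
#   macautztype: nas_and_port   radiusNASIPAddress: 192.0.2.10   radiusNASPort: 7
# The macautztype value must match an Autz-Type section name exactly.
authorize {
    preprocess
    rewrite_calling_station_id

    # One lookup keyed on the (rewritten) MAC fills control:Autz-Type
    # and the NAS check items; a missing node is rejected outright.
    ldap
    if (!ok && !updated) {
        reject
    }

    # Second pass through authorize enters the section named by control:Autz-Type.
    # Only the NAS address is pinned for this node type.
    Autz-Type nas {
        if (control:NAS-IP-Address != "%{%{NAS-IP-Address}:-%{Packet-Src-IP-Address}}") {
            reject
        }
        update control {
            Auth-Type := Accept
        }
    }

    # Both the NAS address and the port must match for this node type.
    Autz-Type nas_and_port {
        if (control:NAS-IP-Address != "%{%{NAS-IP-Address}:-%{Packet-Src-IP-Address}}") {
            reject
        }
        if (control:NAS-Port != "%{%{NAS-Port}:-%{NAS-Port-ID}}") {
            reject
        }
        update control {
            Auth-Type := Accept
        }
    }
}
```

A node whose entry has no macautztype value never enters either section, so it is neither pinned nor accepted by this policy; decide explicitly whether such entries should fall through to reject.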

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html