On 26/8/2013 2:15 PM, Arran Cudbard-Bell wrote:
Unless you are querying different DNs for the different Mac-Auth types then
doing this is the wrong way to approach this.
the presence of the attributes in the LDAP object to dictate what type of
authorisation you're doing.
Thanks Arran,
I tried and tested all scenarios with your (former) suggestion and it
worked flawlessly as:
    # Look the MAC up in LDAP; the module populates control: attributes
    ldap_macauth
    # No entry found and nothing fetched: unknown device
    if (!ok && !updated) {
        reject
    }
    # If LDAP recorded a NAS (and optionally a port) for this MAC,
    # the request must come from exactly that NAS/port
    if (control:NAS-IP-Address) {
        if (control:NAS-IP-Address != "%{NAS-IP-Address}") {
            reject
        }
        if (control:NAS-Port && (control:NAS-Port != "%{NAS-Port}")) {
            reject
        }
    }
    # All checks passed: accept without further authentication
    update control {
        Auth-Type := Accept
    }
Thanks so much. Correctly using the policy language is not so obvious,
and it would have taken me a long time to figure out.
Finally, one finishing touch:
Can we use the new DHCP functionality to assign an IP address (stored in
the host's LDAP entry) to a correctly authenticated host?
-OR-
Can we check the IP address being used by the authenticated host,
compare it against a stored IP Address in the host's LDAP entry, and
deny access if there is a mismatch?
Best regards,
Nick
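As an added illustration of the second option Nick asks about (not code from the thread or from the FreeRADIUS project), the policy above extended with an IP check. It assumes the ldap_macauth instance maps an LDAP attribute holding the host's address (hypothetical name radiusFramedIPAddress) to control:Framed-IP-Address in its update section, and that the NAS includes Framed-IP-Address in the Access-Request.

```unlang
# Assumed mapping in the ldap_macauth module instance (hypothetical
# LDAP attribute name):
#   update {
#       control:Framed-IP-Address := 'radiusFramedIPAddress'
#   }
authorize {
    ldap_macauth
    if (!ok && !updated) {
        reject
    }
    # Same NAS/port restriction as in the original policy
    if (control:NAS-IP-Address) {
        if (control:NAS-IP-Address != "%{NAS-IP-Address}") {
            reject
        }
        if (control:NAS-Port && (control:NAS-Port != "%{NAS-Port}")) {
            reject
        }
    }
    # New check: when LDAP holds an address for this host, the request
    # must carry Framed-IP-Address and it must match. A missing attribute
    # is treated as a mismatch so a NAS that omits it cannot bypass the check.
    if (control:Framed-IP-Address) {
        if (!Framed-IP-Address || (control:Framed-IP-Address != "%{Framed-IP-Address}")) {
            reject
        }
    }
    update control {
        Auth-Type := Accept
    }
}
```

Hosts with no address recorded in LDAP are unaffected; only entries that carry one are pinned to it.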
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html