Re: Attach mac address to username

2005-04-11 Thread Shane
Joachim Bloche wrote:
Would your suggestion be automatic or would I need to manually add the
attribute?
   

I think you can do it automatically, provided your NAS sends
Calling-Station-Id with the authentication request. In this case you
may rewrite the post-auth request to add the row in radcheck (see
sql.conf). But I'm quite new to freeradius, and there may be 2 issues:
I'm not sure whether it's possible to use an INSERT in post-auth, and
I'm not sure whether the NAS will send the calling-station-id with the
authentication-request (but if it doesn't, there will be no
solution...). Anyway, this will be easy to check, but I have no radius
server for the week-end.
If this doesn't work, then you'll have to use a trigger or any other
means, in order to insert the row in radcheck when the first accounting
start for this user occurs. This would be less convenient, but still
not very complicated.
Joachim
 

Ok I don't know how to do it.
Am I after something like this, and where do I call it in sql.conf?
INSERT into ${authcheck_table} (id, UserName, Attribute, op, value) 
values('', '%{SQL-User-Name}', 'Calling-Session-Id', '==', 
'%{Called-Station-Id}')

Thanks
Shane
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
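
Added example, not part of the original thread and not FreeRADIUS configuration: a Python/SQLite model of the first-login binding discussed above, where post-auth inserts a Calling-Station-Id check row into radcheck only if the user has none, and later requests must match it with '=='. The in-memory table, the function names, the MAC normalisation step and the sample MAC addresses are assumptions constructed for illustration.

```python
import sqlite3

def open_db():
    """In-memory stand-in for the radcheck table (constructed for this example)."""
    db = sqlite3.connect(":memory:")
    db.execute("""CREATE TABLE radcheck (
        id INTEGER PRIMARY KEY AUTOINCREMENT,
        UserName TEXT NOT NULL, Attribute TEXT NOT NULL,
        op TEXT NOT NULL, Value TEXT NOT NULL)""")
    return db

def normalize_mac(raw):
    """Assumption: the NAS may format the MAC in several ways; keep hex digits only."""
    digits = "".join(c for c in raw.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError("not a MAC address: %r" % raw)
    return digits

def check_mac(db, user, calling_station_id):
    """The '==' check: passes if no binding exists yet or the bound MAC matches."""
    row = db.execute(
        "SELECT Value FROM radcheck WHERE UserName = ? "
        "AND Attribute = 'Calling-Station-Id' AND op = '=='", (user,)).fetchone()
    return row is None or row[0] == normalize_mac(calling_station_id)

def bind_on_post_auth(db, user, calling_station_id):
    """Post-auth step: insert the check row only if the user has none yet."""
    cur = db.execute(
        "INSERT INTO radcheck (UserName, Attribute, op, Value) "
        "SELECT ?, 'Calling-Station-Id', '==', ? WHERE NOT EXISTS ("
        "SELECT 1 FROM radcheck WHERE UserName = ? "
        "AND Attribute = 'Calling-Station-Id')",
        (user, normalize_mac(calling_station_id), user))
    db.commit()
    return cur.rowcount == 1  # True only when a new binding was created

def authenticate(db, user, calling_station_id):
    """Password verification is out of scope; only the MAC binding is modelled."""
    if not calling_station_id:
        return "reject"  # NAS sent no Calling-Station-Id: nothing to bind or check
    if not check_mac(db, user, calling_station_id):
        return "reject"
    bind_on_post_auth(db, user, calling_station_id)
    return "accept"
```

The binding is trust-on-first-use: whichever MAC authenticates first for a username is the one recorded, and changing it afterwards means editing or deleting the radcheck row.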


Re: Attach mac address to username

2005-04-02 Thread Joachim Bloche
 eg: would I have to add the table.
 radcheck
 id - - - - - - - - 4567
 UserName - - user1
 Attribute - - - Calling-Session-Id
 op - - - - - - - :=
 Value - - - - - 000bcdfxxx

I think this example is OK, but the op should be '==' (':='
always matches and sets a freeradius parameter, I don't think that's
what we're looking for).

 Looking at radacct, I am receiving CallingStationID which appears to
 be the mac of the connecting client.

You're right, it is Calling-Station-Id, not session... apologies.

 Would your suggestion be automatic or would I need to manually add the
 attribute?

I think you can do it automatically, provided your NAS sends
Calling-Station-Id with the authentication request. In this case you
may rewrite the post-auth request to add the row in radcheck (see
sql.conf). But I'm quite new to freeradius, and there may be 2 issues:
I'm not sure whether it's possible to use an INSERT in post-auth, and
I'm not sure whether the NAS will send the calling-station-id with the
authentication-request (but if it doesn't, there will be no
solution...). Anyway, this will be easy to check, but I have no radius
server for the week-end.

If this doesn't work, then you'll have to use a trigger or any other
means, in order to insert the row in radcheck when the first accounting
start for this user occurs. This would be less convenient, but still
not very complicated.

Joachim



Re: Attach mac address to username

2005-04-02 Thread shane
Joachim Bloche wrote:
eg: would I have to add the table.
radcheck
id - - - - - - - - 4567
UserName - - user1
Attribute - - - Calling-Session-Id
op - - - - - - - :=
Value - - - - - 000bcdfxxx
   

I think this example is OK, but the op should be '==' (':='
always matches and sets a freeradius parameter, I don't think that's
what we're looking for).
 

I seem to get these parameters mixed up all the time. Must read the docs
again.

Looking at radacct, I am receiving CallingStationID which appears to
be the mac of the connecting client.
   

You're right, it is Calling-Station-Id, not session... apologies.
 

Would your suggestion be automatic or would I need to manually add the
attribute?
   

I think you can do it automatically, provided your NAS sends
Calling-Station-Id with the authentication request. In this case you
may rewrite the post-auth request to add the row in radcheck (see
sql.conf). But I'm quite new to freeradius, and there may be 2 issues:
I'm not sure whether it's possible to use an INSERT in post-auth, and
I'm not sure whether the NAS will send the calling-station-id with the
authentication-request (but if it doesn't, there will be no
solution...). Anyway, this will be easy to check, but I have no radius
server for the week-end.
If this doesn't work, then you'll have to use a trigger or any other
means, in order to insert the row in radcheck when the first accounting
start for this user occurs. This would be less convenient, but still
not very complicated.
Joachim
 

I will perform some tests this week and see if I can nut this one out.
Thanks again for your help Joachim
Shane


Re: Attach mac address to username

2005-04-01 Thread Joachim Bloche
 Is there a way to dynamically attach the MAC of the user's PC to the
 username who has logged in?
 This way I can stop people sharing the same username/password
 combination on different PCs.

Using the post-auth requests, you can add a Calling-Session-Id for the
concerned user in the radcheck table, only if the user doesn't already have
one.

This way, and provided your NAS sends this attribute with each
authentication request, only the user with correct MAC address will be
authorized.

Regards,

Joachim



Re: Attach mac address to username

2005-04-01 Thread shane
Is there a way to dynamically attach the MAC of the user's PC to the
username who has logged in?
This way I can stop people sharing the same username/password
combination on different PCs.
   

Using the post-auth requests, you can add a Calling-Session-Id for the
concerned user in the radcheck table, only if the user doesn't already have
one.
This way, and provided your NAS sends this attribute with each
authentication request, only the user with correct MAC address will be
authorized.
Regards,
Joachim
 

Thanks for the reply Joachim,
Would your suggestion be automatic or would I need to manually add the
attribute?
eg: would I have to add the table.
radcheck
id - - - - - - - - 4567
UserName - - user1
Attribute - - - Calling-Session-Id
op - - - - - - - :=
Value - - - - - 000bcdfxxx

Looking at radacct, I am receiving CallingStationID which appears to 
be the mac of the connecting client.
Would this be a way to check if the user has logged in before and see if 
the mac address is the same as the original login?
Then deny if username/mac combination is not the same.
This would offer the self management I am hoping to achieve.

Thanks
Shane
