
MAC Address and Username Binding on FreeRADIUS


syharash

Apr 12, 2011, 6:11:51 AM
Hi,

My FreeRADIUS is working fine, my wireless clients are able to authenticate
with username and password from the /etc/raddb/users file, and dynamic VLAN
assignment is working fine too. I now need to configure it to restrict a user to
get authenticated only from a single MAC address, so the dynamic VLAN
assignment is restricted to that user only from its authorized MAC address.
Please help. I tried following the How-to guide but have not been able to
get it working. Please help. I have attached my configuration files for your
reference; please let me know how to go about doing it.

authorize_macs: http://freeradius.1045715.n5.nabble.com/file/n4297874/authorize_macs
default[sites-available]: http://freeradius.1045715.n5.nabble.com/file/n4297874/default%5Bsites-available%5D
eap.conf: http://freeradius.1045715.n5.nabble.com/file/n4297874/eap.conf
files: http://freeradius.1045715.n5.nabble.com/file/n4297874/files
policy.conf: http://freeradius.1045715.n5.nabble.com/file/n4297874/policy.conf
radiusd.conf: http://freeradius.1045715.n5.nabble.com/file/n4297874/radiusd.conf
users: http://freeradius.1045715.n5.nabble.com/file/n4297874/users

--
View this message in context: http://freeradius.1045715.n5.nabble.com/MAC-Address-and-Username-Binding-on-FreeRADIUS-tp4297874p4297874.html
Sent from the FreeRadius - User mailing list archive at Nabble.com.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Christ Schlacta

Apr 12, 2011, 1:32:52 PM
So far as I know, there is no good way to automatically add a MAC
address to a user entry, or a user entry to a mac80211 entry on first
connect. The UNLANG to ensure that the MAC address matches for a
validated account is simple, however, and you should have no issue
figuring that out. See modules/checkval for an example.

You can, however, easily run a script to watch the output for successful
auth attempts with no mac<-->user mapping, and have your script add that
mapping. I find it's usually better, however, to just have someone
manually inject the mapping.

Are you trying to lock a single laptop to a single user, or a single
user to a single laptop? If this is an environment where people can
provide their own hardware, you'd be better off not locking them in, but
instead just correlating them, as many people can have more than one
laptop. Additionally, in today's modern age of multi-user systems, many
people can share a single laptop as well, so you should also be aware of
that.

Good luck!
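
The log-watching approach described in the reply above, as an added example (not code from the thread or from the FreeRADIUS project): it audits successful logins against a manually maintained user-to-MAC table and normalizes the separator styles that different access points send as the client MAC. The log line shape, the sample lines and the `BINDINGS` table are constructed assumptions.

```python
import re

# Constructed sample lines; the "Login OK: [user] (... cli MAC)" shape is an
# assumption about the auth log format, adjust LOGIN_RE to match your server.
SAMPLE_LOG = """\
Tue Apr 12 10:01:02 2011 : Auth: Login OK: [alice] (from client ap1 port 3 cli 00-1A-2B-3C-4D-5E)
Tue Apr 12 10:02:10 2011 : Auth: Login OK: [alice] (from client ap1 port 4 cli 001a.2b3c.4d5f)
Tue Apr 12 10:03:44 2011 : Auth: Login OK: [bob] (from client ap2 port 1 cli 00:11:22:33:44:55)
Tue Apr 12 10:04:00 2011 : Auth: Login incorrect: [carol] (from client ap2 port 1 cli 66-77-88-99-AA-BB)
Tue Apr 12 10:05:00 2011 : Auth: Login OK: [dave] (from client ap2 port 2 cli not-a-mac)
"""

# Hypothetical, manually maintained binding: one MAC per username.
BINDINGS = {"alice": "00:1a:2b:3c:4d:5e"}

LOGIN_RE = re.compile(
    r"Login OK: \[(?P<user>[^\]]+)\] "
    r"\(from client \S+ port \d+ cli (?P<cli>[^)\s]+)\)"
)

def normalize_mac(raw):
    """Return 12 lowercase hex digits, or None if raw is not a MAC."""
    digits = re.sub(r"[-:.]", "", raw).lower()
    return digits if re.fullmatch(r"[0-9a-f]{12}", digits) else None

def audit(log_text, bindings):
    """Classify each successful login: ok, mismatch, unmapped or bad-mac."""
    known = {user: normalize_mac(mac) for user, mac in bindings.items()}
    findings = []
    for line in log_text.splitlines():
        m = LOGIN_RE.search(line)
        if not m:
            continue  # failed logins and unrelated lines are skipped
        user, mac = m["user"], normalize_mac(m["cli"])
        if mac is None:
            status = "bad-mac"      # client identifier is not a MAC at all
        elif user not in known:
            status = "unmapped"     # candidate for a manual mapping entry
        elif known[user] == mac:
            status = "ok"
        else:
            status = "mismatch"     # bound user seen from another device
        findings.append((user, m["cli"], status))
    return findings

if __name__ == "__main__":
    for user, cli, status in audit(SAMPLE_LOG, BINDINGS):
        print(f"{status:9} {user:6} {cli}")
```

Comparing normalized values matters because the same adapter can appear as `00-1A-2B-3C-4D-5E`, `00:1a:2b:3c:4d:5e` or `001a.2b3c.4d5e` depending on the access point, and a literal string comparison would report those as different devices.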

Thor Spruyt

Apr 12, 2011, 6:07:19 PM
Hi,

You could use a huntgroup for the MAC addresses and then define what to do for that huntgroup.

Thor.

syharash

Apr 13, 2011, 8:40:11 AM
I am trying to lock a single user to a single laptop.
