[RADIATOR] Rejection of access request if mac address in Sql table

Robin Breathe rbreathe at brookes.ac.uk
Mon Dec 7 10:09:40 CST 2009


Alex,

We use the following for the functionality you describe:

{{{
# MAC address blacklisting
<AuthBy SQL>
        Identifier BLACKLIST
        IgnoreAccounting

        NoEAP
        NoDefault

        # Lookup MAC address (this becomes %0)
        AuthenticateAttribute Calling-Station-Id

        # Accept non-blacklisted clients
        AcceptIfMissing

        DBSource        dbi:Pg:dbname=%{GlobalVar:oxPsqlDb};host=%{GlobalVar:oxPsqlHost};port=%{GlobalVar:oxPsqlPort}
        DBUsername      %{GlobalVar:oxPsqlUser}
        DBAuth          %{GlobalVar:oxPsqlAuth}

        # PostgreSQL backend with macaddr type automatically deals with format conversion
        AuthSelect      SELECT 'Reject:'||block_reason FROM eduroam_blacklist WHERE client = ?
        AuthSelectParam %0
        AuthColumnDef 0, Auth-Type, check
</AuthBy>
<Handler>
        AuthBy STANDARDIZE
        AuthBy LOCAL-ACCT
        <AuthBy GROUP>
                AuthByPolicy ContinueUntilReject
                NoEAP
                AuthBy BLACKLIST
                AuthBy LOCAL-AUTH
        </AuthBy>

        RejectHasReason
        AuthLog ...
</Handler>
}}}

Regards,
Robin

2009/12/7 Alex Sharaz <A.Sharaz at hull.ac.uk>:
> Hi,
>
> I currently use a mysql database to authenticate our wired and wireless
> network users. At the moment, if we detect an infected machine on our campus
> network, we change the radius password of that user and block network access
> until they've fixed their machine. What we'd like to do is change this
> slightly so that we block their access from the infected machine but allow
> them access from any other one.
>
> What I've currently got is an authBy SQL statement with
>
> AuthSelect Select password from subscribers where username=%0
>
> AuthColumnDef 0,User-Password,check
>
>
> I sort of think that I could meet the extra requirement of blocking access
> from a specific mac address with an authby group consisting of two authby sql
> statements.
>
> Statement 1 would check for the presence of the calling station MAC address
> in a table called blockedmacs. If it exists, send an access-reject. If it
> doesn't, drop down to
>
> Statement 2 which implements the authby statement outlined above.
>
> My only problem is the 1st authby clause in the group. If I use a
> continueWhileAccept statement to define whether to drop through to the second
> authby statement I need to have the 1st authby statement return an access
> accept if the mac address isn't in the blockedmacs table, which is the
> opposite of what it would do normally.
>
>
> How would I implement the 1st authby statement?
>
> Rgds
> Alex
>
>
>
> _______________________________________________
> radiator mailing list
> radiator at open.com.au
> http://www.open.com.au/mailman/listinfo/radiator
>



-- 
Robin Breathe, Computer Services, Oxford Brookes University, Oxford, UK
rbreathe at brookes.ac.uk       Tel: +44 1865 483685  Fax: +44 1865 483073
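Added example (not part of Robin's post or the Radiator distribution): a PostgreSQL schema for the eduroam_blacklist table the AuthSelect above queries, with the AuthSelect run against it for the separator variants a NAS may put in Calling-Station-Id. Table and column names are the ones in the config; the sample MAC, reason text and added_at column are constructed here, and the literals stand in for the value Radiator binds via AuthSelectParam %0.

```sql
-- Blacklist table matching the AuthSelect in the config above.
-- Declaring client as macaddr means every compared value is parsed into
-- a canonical MAC first, so the separator style the NAS uses does not
-- matter and no string normalisation is needed in Radiator.
CREATE TABLE eduroam_blacklist (
    client       macaddr     PRIMARY KEY,
    block_reason text        NOT NULL,
    added_at     timestamptz NOT NULL DEFAULT now()   -- constructed, for audit
);

-- Constructed sample entry: a locally administered MAC, not a real client.
INSERT INTO eduroam_blacklist (client, block_reason)
VALUES ('02:00:5e:10:00:01', 'infected host, ticket PLACEHOLDER');

-- The AuthSelect from the config, with the bound parameter shown as the
-- Calling-Station-Id formats commonly seen from different NAS vendors.
-- All three resolve to the same macaddr and match the same row; the
-- returned 'Reject:<reason>' becomes Auth-Type via AuthColumnDef, and
-- RejectHasReason passes the reason through in the Access-Reject.
SELECT 'Reject:'||block_reason FROM eduroam_blacklist WHERE client = '02:00:5e:10:00:01';
SELECT 'Reject:'||block_reason FROM eduroam_blacklist WHERE client = '02-00-5e-10-00-01';
SELECT 'Reject:'||block_reason FROM eduroam_blacklist WHERE client = '02005e100001';

-- A client that is not listed returns no rows; with AcceptIfMissing the
-- BLACKLIST AuthBy accepts, and ContinueUntilReject moves on to LOCAL-AUTH.
SELECT 'Reject:'||block_reason FROM eduroam_blacklist WHERE client = '02:00:5e:10:00:02';

-- A malformed Calling-Station-Id (e.g. an empty or non-MAC string) makes
-- the macaddr cast fail rather than silently matching nothing, so check
-- the Radiator log for SQL errors if a NAS sends unusual values.
```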

