So, we have EAP-PEAP over MSCHAP working. What I want to do is a MAC address check, to make sure people aren't putting their credentials into random devices. I know SCEP would be the better option, but this is where we are right now.
So I noticed the MAC address is passed to FreeRADIUS as Calling-Station-Id:
(9) Received Access-Request Id 39 from 10.127.87.10:54900 to 10.128.0.13:11812 length 275
(9)   User-Name = "jonathan.fisher"
(9)   NAS-Identifier = "xxttzzbbeezz"
(9)   Called-Station-Id = "XX-YY-ZZ-BB-AA-RR:xxx-eap-wifi"
(9)   NAS-Port-Type = Wireless-802.11
(9)   Service-Type = Framed-User
(9)   Calling-Station-Id = "GG-HH-AA-22-77-PP"
(9)   Connect-Info = "CONNECT 0Mbps 802.11a"
(9)   Acct-Session-Id = "123456asdfaasdf"
(9)   WLAN-Pairwise-Cipher = 1231234
(9)   WLAN-Group-Cipher = 1231234
(9)   WLAN-AKM-Suite = 1231234
(9)   WLAN-Group-Mgmt-Cipher = 1231234
(9)   Framed-MTU = 1400
Our current LDAP config:
ldap {
    server="ldaps://xxx.xxx.com"
    port=636
    tls {
        ca_file=/usr/local/share/ca-certificates/xxx-ca.crt
    }
    identity="cn=freeradius,ou=robots,dc=xxx,dc=xxx,dc=com"
    password="a well kept secret"
    base_dn="ou=people,dc=xxx,dc=xxx,dc=com"
    user {
        base_dn="${..base_dn}"
        filter="(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
        scope='sub'
    }
    group {
        base_dn="${..base_dn}"
        filter='(objectClass=inetOrgPerson)'
        membership_attribute='memberOf'
        scope='sub'
    }
}
I'm curious whether anyone has used a combination of attributes and LDAP filters to allow certain people to connect only from certain MAC addresses. Thanks!
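One way to do the "attribute plus LDAP filter" check the question asks about, as an added example that is not part of the original post or the poster's configuration: extend the `user` filter so that the account lookup only succeeds when either the entry carries no `radiusCallingStationId` attribute (unrestricted user) or one of its `radiusCallingStationId` values equals the MAC the NAS reported. It assumes FreeRADIUS 3.x, that the FreeRADIUS OpenLDAP schema (`radiusprofile` object class with the `radiusCallingStationId` attribute) is loaded on the directory, and that the inner-tunnel request can see `Calling-Station-Id` (for example via `copy_request_to_tunnel = yes` in the `peap` section of `mods-available/eap`). The stored values, the `Reply-Message` text and the section layout are hypothetical.

```conf
# mods-available/ldap -- user section (added example, not the poster's config)
user {
    base_dn = "${..base_dn}"
    # Match the account by uid AND require one of:
    #   - no radiusCallingStationId on the entry  -> user may connect from any device
    #   - a radiusCallingStationId equal to the MAC the NAS sent in Calling-Station-Id
    # A user whose entry lists MACs but not this one is treated as "not found".
    filter = "(&(uid=%{%{Stripped-User-Name}:-%{User-Name}})(|(!(radiusCallingStationId=*))(radiusCallingStationId=%{Calling-Station-Id})))"
    scope = 'sub'
}

# sites-available/inner-tunnel -- authorize section, where the PEAP inner identity is checked
authorize {
    # Normalise the MAC the NAS reported to aa-bb-cc-dd-ee-ff (lower case, hyphens)
    # before the LDAP lookup, so the stored value and the reported value compare equal.
    # This policy ships with FreeRADIUS 3.x in policy.d/canonicalization.
    rewrite_calling_station_id

    ldap
    if (notfound) {
        # Either the account does not exist or this MAC is not on its allow list.
        update reply {
            &Reply-Message := "Account not permitted from this device"
        }
        reject
    }

    # ... remaining authorize modules (mschap, pap, eap, ...) as in the stock inner-tunnel
}
```

Store the allowed addresses in LDAP in the same normalised form the policy produces (for this NAS, `gg-hh-aa-22-77-pp` style, lower case with hyphens). Two caveats a practitioner would want: because a MAC mismatch surfaces as `notfound`, the server log does not distinguish "unknown user" from "wrong device"; if that matters, pull the attribute into the `control` list via the module's `update` section instead and compare it to `&Calling-Station-Id` in unlang, which yields a distinct reject. And `Calling-Station-Id` is whatever the NAS puts on the wire, so this only ties credentials to a device as far as the NAS is trusted and the client's MAC is not changed, which is why the poster's own remark that certificate enrolment (SCEP) is the better control stands.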