MAC auth after User Login

jaceatoney
Posts: 2
12.09.2017
Hi all,

Please link me if this has been asked before.

I've seen guides for strict MAC auth by adding each MAC as the username. What I want to do is a little different than that.

I want to authenticate users by login/password for 24 hours. Easy enough with Success-Reply Session-Timeout = 66535. However, I want to take the called-station-id from that successful authentication and then be able to MAC auth (Check called-station-id or somehow have called-station-id become a username?) for 24 hours. Reason being my controller may clear out a session on idle but then I don't want to have my user log back in when they reassociate (within that 24 hours).

Any guidance would be greatly appreciated.

Thanks,
Jace

Admin
Administrator
Posts: 4992
13.09.2017
Hi,

TekRADIUS can dynamically generate a user profile as User-Name = Calling-Station-Id; this can be accomplished by adding External-Executable and executing trcli.exe under the TekRADIUS application directory. You can pass Calling-Station-Id (ietf|31) as a parameter to trcli.exe. Please see the TekRADIUS manual for trcli operation and External-Executable usage.

Creating a user profile will not be enough, since the client will be authenticated with the same username / password at re-connection. You need to have a user profile named default and have External-Executable as a check attribute in this profile. You need to create a script or application which will check for the existence of a user profile whose User-Name = received Calling-Station-Id.

Best regards,

Yasin KAPLAN

jaceatoney
Posts: 2
13.09.2017
Thanks, Yasin, for your awesome support.

I need to generate the user profile (MAC) only on a Success. It doesn't seem I can utilize External-Executable on Success-Reply.

Secondly, the user will be authenticated with username(bob@bob.com),password(xyz) the first time. The second time they will need to be authenticated with the dynamically created profile username(MAC aa:bb:cc:dd:ee:ff),password(aa:bb:cc:dd:ee:ff).

Thirdly, I'll have to come up with a script to clear the MAC account after a set period of time. Any tips on this as well?

Thanks!

Admin
Administrator
Posts: 4992
13.09.2017
Hi,


External-Executable can be added as a "Check" attribute to user or group profiles. TekRADIUS evaluates the returned DOS error level code, and if it is 0 (zero), it is assumed that authentication is successful. You can remove User-Password (ietf|2) from the user profile and check it through External-Executable. This means you need to keep username and password pairs in another table which your executable or script will fetch from.

A similar script can be used to check for the existence of the MAC address in a TekRADIUS users table or another table, and this script can return 0 if the MAC address is found. This script must be invoked by External-Executable in a user profile named default.


Best regards,


Yasin KAPLAN
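
Added example, not part of the thread and not TekRADIUS code: a sketch of the kind of check script described in the replies above, which exits with 0 only while a MAC is cached and also handles the 24-hour cleanup asked about earlier. Assumptions: the Calling-Station-Id arrives as a command-line argument, and the `mac_cache.db` SQLite file, its table, and the `check`/`remember` subcommands are hypothetical names kept separate from the TekRADIUS database.

```python
# Added example: MAC cache with a 24-hour expiry for an external check script.
# Assumptions: MAC passed as argv[2]; mac_cache.db and its table are hypothetical.
import re
import sqlite3
import sys
import time

TTL_SECONDS = 24 * 60 * 60   # the 24-hour window asked for in the thread
DB_PATH = "mac_cache.db"     # hypothetical file, separate from the RADIUS database

def normalize_mac(raw):
    """Return 12 lowercase hex digits, or None if raw is not a MAC address."""
    digits = re.sub(r"[:.\-]", "", raw.strip()).lower()
    return digits if re.fullmatch(r"[0-9a-f]{12}", digits) else None

def open_db(path=DB_PATH):
    db = sqlite3.connect(path)
    db.execute("CREATE TABLE IF NOT EXISTS mac_cache "
               "(mac TEXT PRIMARY KEY, expires_at INTEGER NOT NULL)")
    return db

def remember(db, raw_mac, now=None):
    """Record a MAC after a successful login/password authentication."""
    mac = normalize_mac(raw_mac)
    if mac is None:
        return False
    now = int(time.time()) if now is None else now
    # Parameterized query: the MAC comes from the network and is untrusted.
    db.execute("INSERT OR REPLACE INTO mac_cache VALUES (?, ?)",
               (mac, now + TTL_SECONDS))
    db.commit()
    return True

def check(db, raw_mac, now=None):
    """Return 0 if the MAC is cached and unexpired, 1 otherwise (fail closed)."""
    now = int(time.time()) if now is None else now
    db.execute("DELETE FROM mac_cache WHERE expires_at <= ?", (now,))  # purge expired
    db.commit()
    mac = normalize_mac(raw_mac)
    row = mac and db.execute("SELECT 1 FROM mac_cache WHERE mac = ?", (mac,)).fetchone()
    return 0 if row else 1

if __name__ == "__main__":
    # Constructed usage: mac_cache.py check|remember aa:bb:cc:dd:ee:ff
    if len(sys.argv) != 3 or sys.argv[1] not in ("check", "remember"):
        sys.exit(2)
    conn = open_db()
    if sys.argv[1] == "check":
        sys.exit(check(conn, sys.argv[2]))
    sys.exit(0 if remember(conn, sys.argv[2]) else 1)
```

Because expired rows are purged on every check, no separate scheduled cleanup job is needed for this table.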