Mac-Auth

Recipes for authorising clients by MAC address (mac-auth) in FreeRADIUS: on its own, mixed with or combined with 802.1x, made safe on a server that also handles web-auth, and restricted per SSID.

Plain Mac-Auth

This first example assumes the server is only performing mac-auth. It checks MAC addresses against a users-style file.

raddb/policy.conf

Most NASes send the MAC address in the Calling-Station-ID attribute. There are several common formats:

  • 00:11:22:33:44:55
  • 00-11-22-33-44-55
  • 0011.2233.4455

Again, depending on the NAS, these can be either upper-case or lower-case hex.

It is sensible to re-format these into a single format at the server. The following policy (rewrite_calling_station_id) is available in FreeRADIUS version 3 onwards, in raddb/policy.d/canonicalization (https://github.com/FreeRADIUS/freeradius-server/blob/v3.0.x/raddb/policy.d/canonicalization).

raddb/mods-available/files

Create a new instance of the files module to read a new file of permitted MAC addresses.

raddb/authorized_macs

This is the list of permitted MAC addresses, as read by the new files configuration above.

raddb/sites-available/default

Finally, call the canonicalisation policy and the new files module from the authorize section:
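The whole plain mac-auth flow, as an added Python model rather than the project's configuration: the canonicalisation regex accepts the three formats listed above in either case and rewrites them to upper-case, dash-separated form; a users-style authorized_macs list is parsed with the first word of each unindented line as the key; and an authorize function rejects unknown or non-MAC stations and accepts known ones with their reply items. The sample list, the attribute dict used as a request, and the upper-case dashed key format are all assumptions of this example.

```python
import re

# The three common Calling-Station-Id spellings (00:11:22:33:44:55,
# 00-11-22-33-44-55, 0011.2233.4455), upper or lower case: six hex pairs
# with an optional non-hex separator between each pair.
_HEX_PAIR = "([0-9a-fA-F]{2})"
MAC_ADDR_RE = re.compile("^" + "[^0-9a-fA-F]?".join([_HEX_PAIR] * 6) + "$")


def canonicalise_mac(value):
    """Rewrite a MAC into upper-case, dash-separated form (the key format
    assumed for authorized_macs below).  Returns None when the value is not
    a MAC at all, so callers can tell 'unknown MAC' from 'no MAC'."""
    m = MAC_ADDR_RE.match(value.strip())
    if m is None:
        return None
    return "-".join(pair.upper() for pair in m.groups())


def load_authorized_macs(text):
    """Parse a users-style list: an unindented line starts an entry whose
    first word is the key (a MAC in any of the formats above); indented
    lines that follow are its reply items.  Keys are canonicalised on load,
    so the file may be written in whatever format is convenient."""
    entries = {}
    current = None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0] in " \t":
            if current is None:
                raise ValueError("reply item before any entry: %r" % line)
            entries[current].append(line.strip().rstrip(","))
        else:
            current = canonicalise_mac(line.split()[0])
            if current is None:
                raise ValueError("authorized_macs key is not a MAC: %r" % line)
            entries[current] = []
    return entries


def authorize(request, authorized):
    """Model of the authorize section for plain mac-auth: canonicalise the
    Calling-Station-Id, look it up, and either reject or accept (the real
    section sets Auth-Type := Accept) with the entry's reply items."""
    mac = canonicalise_mac(request.get("Calling-Station-Id", ""))
    if mac is None or mac not in authorized:
        return "reject", []
    return "accept", list(authorized[mac])


# Constructed sample list for this example, mixing formats on purpose.
SAMPLE_AUTHORIZED_MACS = """\
# printer, room 101
00-11-22-33-44-55
\tReply-Message := "printer"
aa:bb:cc:dd:ee:ff
\tReply-Message := "door controller"
0011.2233.4466
"""

if __name__ == "__main__":
    macs = load_authorized_macs(SAMPLE_AUTHORIZED_MACS)
    for station in ("00:11:22:33:44:55", "0011.2233.4466", "00-11-22-33-44-56", "alice"):
        print(station, "->", authorize({"Calling-Station-Id": station}, macs))
```

Returning None for a non-MAC value matters: the canonicalisation policy only rewrites values that match its regex, and a request whose Calling-Station-Id is not a MAC should be rejected rather than silently looked up under a garbage key.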

Mac-Auth or 802.1x

This example shows how to mix 802.1x and mac-auth. The example does the following:

  1. If not using 802.1x, the MAC address must be known;
  2. If using 802.1x, anyone with valid credentials can log in (no MAC address restrictions).

The files raddb/policy.conf, raddb/mods-available/files and raddb/authorized_macs are the same as in the plain mac-auth example above.

raddb/sites-available/default

Mac-Auth and 802.1x

This example shows how to perform both 802.1x and mac-auth. The example does the following:

  1. If not using 802.1x, the MAC address must be known;
  2. If using 802.1x, the MAC address must be known and valid credentials must be given.

The files raddb/policy.conf, raddb/mods-available/files and raddb/authorized_macs are the same as in the plain mac-auth example above.

raddb/sites-available/default
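The "Mac-Auth or 802.1x" and "Mac-Auth and 802.1x" recipes differ only in whether the authorized_macs lookup gates the EAP branch. The following Python models both authorize sections in one function; it is an added illustration, not the project's configuration. Request attributes are plain dicts, the presence of an EAP-Message attribute is taken as the mark of an 802.1x request, and Calling-Station-Id is assumed to have been canonicalised already by rewrite_calling_station_id, so the lookup is a plain set membership test.

```python
# Outcomes of the authorize section, as the next thing the server does:
#   'accept' - Auth-Type := Accept, mac-auth succeeded
#   'eap'    - hand the request to the eap module for 802.1x
#   'reject' - send Access-Reject

def authorize(request, authorized_macs, mac_required_for_dot1x):
    """mac_required_for_dot1x=False is the 'Mac-Auth or 802.1x' recipe,
    True is the 'Mac-Auth and 802.1x' recipe."""
    is_dot1x = "EAP-Message" in request
    mac_known = request.get("Calling-Station-Id") in authorized_macs

    # In the 'and' recipe the MAC is checked for every request; in the
    # 'or' recipe only for non-802.1x ones.  Either way an unknown MAC is
    # rejected before any EAP conversation starts, so a supplicant from an
    # unlisted device never even gets a credential prompt.
    if (mac_required_for_dot1x or not is_dot1x) and not mac_known:
        return "reject"
    if is_dot1x:
        return "eap"
    return "accept"


# Constructed sample data for this example.
KNOWN_MACS = {"00-11-22-33-44-55"}
SAMPLE_REQUESTS = {
    "mac-auth, listed":     {"Calling-Station-Id": "00-11-22-33-44-55",
                             "User-Name": "00-11-22-33-44-55"},
    "mac-auth, unlisted":   {"Calling-Station-Id": "DE-AD-BE-EF-00-01",
                             "User-Name": "DE-AD-BE-EF-00-01"},
    "802.1x, listed":       {"Calling-Station-Id": "00-11-22-33-44-55",
                             "User-Name": "alice", "EAP-Message": b"\x02\x01\x00\x0a\x01alice"},
    "802.1x, unlisted":     {"Calling-Station-Id": "DE-AD-BE-EF-00-01",
                             "User-Name": "alice", "EAP-Message": b"\x02\x01\x00\x0a\x01alice"},
}


def decision_table(requests=SAMPLE_REQUESTS, known=KNOWN_MACS):
    """Outcome of each sample request under both recipes."""
    return {name: (authorize(req, known, False), authorize(req, known, True))
            for name, req in requests.items()}


if __name__ == "__main__":
    for name, (or_result, and_result) in decision_table().items():
        print("%-20s or: %-7s and: %s" % (name, or_result, and_result))
```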

Web-Auth safe Mac-Auth

Although this configuration is more complex, you should use it if the server is going to process both web-auth and mac-auth requests. The rationale:

  • Some NAS vendors allow both web-auth and mac-auth to occur on the same NAS on the same port, and do not provide attributes to distinguish between the two.
  • This lets a user type a MAC address as the username and password in the web form, and the RADIUS server would assume the NAS was requesting mac-auth.
  • This makes MAC spoofing even more trivial, as the MAC address of the NIC does not need to be overridden (not every OS/NIC supports this).
  • Where a site implements web-auth for guest wireless connections and mac-auth for wired connections, it allows malicious users to get wireless access by using MAC-formatted credentials (if the policy does not check NAS-Port-Type).

This configuration attempts to prevent this kind of spoofing:

  • Checks for the presence of a Service-Type = Call-Check AVP as an explicit indication that the NAS wants to do mac-auth. If your NAS sends this in all of its mac-auth Access-Request packets, you should remove the User-Name =~ /^%{Calling-Station-ID}$/i sub-condition from the authorize section, so that a MAC-shaped User-Name on its own is never treated as a mac-auth request.
  • Verifies that the CHAP-Password attribute matches the Calling-Station-ID of the station; this prevents users from spoofing MACs via the web form.

Note

For this configuration to work, you must configure the password format for Mac-Auth to use the same octet separator as the Calling-Station-ID attribute.

raddb/policy.conf

As per example 1

raddb/mods-available/files

As per example 1

raddb/authorized_macs

As per example 1

raddb/sites-available/default
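The checks described above, as an added Python model of the authorize section rather than the project's configuration. A request is treated as mac-auth only if it carries Service-Type = Call-Check or its User-Name equals its own Calling-Station-Id; a mac-auth request on a non-wired port is rejected (the NAS-Port-Type check the rationale mentions; the set of wired port types is this example's assumption); the credential the NAS sent must equal the Calling-Station-Id, as the recipe enforces by making the station's MAC its password, verified here for PAP (User-Password) and for CHAP (RFC 1994: the CHAP-Password is the identifier byte followed by MD5(identifier || secret || challenge), with CHAP-Challenge or the Request Authenticator as the challenge); and only then is the MAC looked up. The attribute dicts and the authorised set are constructed sample data.

```python
import hashlib
import hmac

WIRED_PORT_TYPES = frozenset({"Ethernet"})   # assumption: mac-auth is wired only


def chap_response(ident, secret, challenge):
    """CHAP-Password as a NAS builds it: identifier byte + MD5(id||secret||challenge)."""
    return bytes([ident]) + hashlib.md5(bytes([ident]) + secret.encode() + challenge).digest()


def is_mac_auth_request(req):
    """Explicit signal first (Service-Type = Call-Check); otherwise fall back
    to 'User-Name is the station's own MAC', the sub-condition the recipe
    says to drop when the NAS always sends Call-Check."""
    if req.get("Service-Type") == "Call-Check":
        return True
    station = req.get("Calling-Station-Id", "")
    return bool(station) and req.get("User-Name", "").lower() == station.lower()


def password_is_station_mac(req):
    """The station's MAC is its 'password': whatever credential the NAS sent
    must equal the MAC the NAS itself observed.  Note the separator caveat
    from the recipe: Calling-Station-Id and the NAS password format must
    agree, since this is a byte-for-byte comparison (constant-time, so a
    web-form user cannot probe it)."""
    expected = req["Calling-Station-Id"]
    if "User-Password" in req:                       # PAP
        return hmac.compare_digest(req["User-Password"].encode(), expected.encode())
    if "CHAP-Password" in req:                       # CHAP
        sent = req["CHAP-Password"]
        challenge = req.get("CHAP-Challenge") or req.get("Request-Authenticator", b"")
        return len(sent) == 17 and hmac.compare_digest(
            sent, chap_response(sent[0], expected, challenge))
    return False


def authorize(req, authorized_macs, wired_port_types=WIRED_PORT_TYPES):
    """Returns 'accept', 'reject', or 'web-auth' (not a mac-auth request;
    leave it to the web-auth part of the section)."""
    if not is_mac_auth_request(req):
        return "web-auth"
    if req.get("NAS-Port-Type") not in wired_port_types:
        return "reject"      # MAC-shaped login on a wireless port: spoof attempt
    if not password_is_station_mac(req):
        return "reject"      # web-form credentials, not the NAS's own mac-auth
    if req["Calling-Station-Id"] not in authorized_macs:
        return "reject"
    return "accept"


# Constructed sample data for this example.
KNOWN_MACS = {"00-11-22-33-44-55"}
CHALLENGE = bytes(range(16))
SAMPLES = {
    # genuine wired mac-auth, PAP
    "wired pap": {"Service-Type": "Call-Check", "User-Name": "00-11-22-33-44-55",
                  "User-Password": "00-11-22-33-44-55", "Calling-Station-Id": "00-11-22-33-44-55",
                  "NAS-Port-Type": "Ethernet"},
    # genuine wired mac-auth, CHAP
    "wired chap": {"Service-Type": "Call-Check", "CHAP-Challenge": CHALLENGE,
                   "CHAP-Password": chap_response(7, "00-11-22-33-44-55", CHALLENGE),
                   "Calling-Station-Id": "00-11-22-33-44-55", "NAS-Port-Type": "Ethernet"},
    # guest on wireless typing a listed MAC into the web form
    "web-form spoof": {"User-Name": "00-11-22-33-44-55", "User-Password": "00-11-22-33-44-55",
                       "Calling-Station-Id": "DE-AD-BE-EF-00-01", "NAS-Port-Type": "Wireless-802.11"},
    # same, but with the NIC's MAC also spoofed
    "wireless nic spoof": {"User-Name": "00-11-22-33-44-55", "User-Password": "00-11-22-33-44-55",
                           "Calling-Station-Id": "00-11-22-33-44-55", "NAS-Port-Type": "Wireless-802.11"},
}


def decisions(samples=SAMPLES, known=KNOWN_MACS):
    return {name: authorize(req, known) for name, req in samples.items()}


if __name__ == "__main__":
    for name, result in decisions().items():
        print("%-20s %s" % (name, result))
```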

Additional modifications

Mac-Auth authorisation by SSID

Follow any of the recipes above and then make the following modifications.

Note: The recipe below will work with any NAS that includes the SSID in the Called-Station-ID string in the format <AP-MAC>:<SSID>, e.g. 00-11-22-33-44-55:MY_SSID_1. There is no standard for this, and vendors may instead send the SSID in their own vendor-specific attribute (VSA). If unsure, run the server in debug mode (-X) and check the contents of incoming requests.

If your vendor's NAS uses a VSA, omit the call to 'rewrite_called_station_id', do not add the additional attributes to the dictionary, and use that VSA in the key attribute in place of '%{Called-Station-SSID}', e.g. key = '%{VENDOR_SSID_VSA}.%{Calling-Station-ID}'.

raddb/dictionary

Use the next free attribute number between 3000 and 4000 and insert the following definition.

raddb/policy.conf

Add the following policy stanza to policy.conf.

raddb/sites-available/default authorize

Add a module call for 'rewrite_called_station_id' to the authorize section, directly above the call to 'rewrite_calling_station_id'.

raddb/mods-available/files

Modify the key attribute of the authorized_macs files instance.

raddb/authorized_macs

Entries should now be in the following format.
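The per-SSID lookup, as an added Python model rather than the project's configuration: Called-Station-Id is split into AP MAC and SSID (the SSID is everything after the MAC's trailing colon, so an SSID containing colons survives, and a dashed or colon-separated AP MAC both work), the key is built as <SSID>.<MAC>, and the VSA variant from the note above is supported by naming the attribute that carries the SSID instead. Calling-Station-Id is assumed already canonicalised; the key format, the 'Vendor-SSID' attribute name and the authorised entries are this example's assumptions.

```python
import re

# <AP-MAC>:<SSID> where the AP MAC is six hex pairs separated by ':' or '-'.
# Anchoring on the MAC's fixed shape rather than splitting at the first or
# last colon is what keeps colon-separated AP MACs and colon-containing
# SSIDs both correct.
CALLED_STATION_RE = re.compile(r"^((?:[0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2}):(.*)$")


def split_called_station_id(value):
    """Return (ap_mac, ssid); ssid is None when the string carries no SSID."""
    m = CALLED_STATION_RE.match(value)
    if m is None:
        return value, None
    return m.group(1), m.group(2)


def ssid_mac_key(req, ssid_vsa=None):
    """Build the '<SSID>.<MAC>' lookup key.  With ssid_vsa set, the SSID is
    read from that vendor attribute instead of Called-Station-Id."""
    if ssid_vsa is not None:
        ssid = req.get(ssid_vsa)
    else:
        _, ssid = split_called_station_id(req.get("Called-Station-Id", ""))
    mac = req.get("Calling-Station-Id")
    if not ssid or not mac:
        return None          # no SSID or no MAC: nothing sensible to look up
    return "%s.%s" % (ssid, mac)


def authorize(req, authorized, ssid_vsa=None):
    key = ssid_mac_key(req, ssid_vsa)
    if key is None or key not in authorized:
        return "reject"
    return "accept"


# Constructed sample entries: which client MAC is allowed on which SSID.
AUTHORIZED = {
    "STAFF.00-11-22-33-44-55",
    "IOT.AA-BB-CC-DD-EE-FF",
}

if __name__ == "__main__":
    req = {"Called-Station-Id": "02-00-00-00-00-01:STAFF",
           "Calling-Station-Id": "00-11-22-33-44-55"}
    print(ssid_mac_key(req), "->", authorize(req, AUTHORIZED))
```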

Mac-Auth authorisation by SSID (SQL)

raddb/dictionary

As above.

raddb/policy.conf

As above.

raddb/sites-available/default authorize

Add a module call for 'rewrite_called_station_id' to the authorize section, directly above the call to 'rewrite_calling_station_id'.