From: Archie Cobbs
Message-Id: <200009191617.JAA03658@bubba.whistle.com>
Subject: Re: netgraph based MAC authentication
In-Reply-To: <39C74264.FF6D5DF@elischer.org> "from Julian Elischer at Sep 19, 2000 03:39:32 am"
To: Julian Elischer
Date: Tue, 19 Sep 2000 09:17:56 -0700 (PDT)
Cc: Archie Cobbs, Ben Schumacher, freebsd-net@FreeBSD.ORG

Julian Elischer writes:
> > > I'm working on a project where I need to be able to authenticate people by
> > > their MAC address against a RADIUS server. While looking into the best way
> > > to develop this, I started toying around with netgraph and think it is the
> > > perfect framework for what I'm trying to do. Basically what I'm going to
> > > need to do (AFAIK) is divert the packets coming from one ethernet card
> > > (dc0) to my netgraph node, verify their MAC address, and then push their
> > > packet on its way. However, I'm still not entirely certain how to
> > > implement this.
> >
> > You might be able to do this without writing your own node.
> > Just use ng_bpf(4) and maintain the BPF program to match the
> > MAC addresses you want to accept.
>
> I haven't yet been able to work out how to set rules into
> it.... (I guess you need to get the compiled bpf program
> from tcpdump and somehow load it into the node,
> but I don't see a way of doing that yet)

For an example of how to do it, load the net/mpd-netgraph port
on your machine and look at the "gDemandProg" variable in the
file src/ngfunc.c.

This example shows a static BPF program (to determine if an
outgoing packet constitutes "demand") but you could easily write
your own "assembler" to generate the BPF program dynamically.

-Archie

___________________________________________________________________________
Archie Cobbs   *   Whistle Communications, Inc.  *   http://www.whistle.com
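An added example, not part of the original message and not code from mpd: a small "assembler" of the kind the reply suggests, generating a classic BPF program that matches the Ethernet source MAC against an allow list, with a minimal interpreter to check the result offline. The names gen_mac_filter, run_filter, ALLOW and FRAME and the sample addresses are constructed for illustration; the opcode values are those of classic BPF as defined in <net/bpf.h>, and loading the program into ng_bpf(4) is not shown.

```c
#include <stddef.h>
#include <stdint.h>
/* Classic BPF instruction layout and opcode values, as in <net/bpf.h>. */
struct insn { uint16_t code; uint8_t jt, jf; uint32_t k; };
enum { LD_W_ABS = 0x20, LD_H_ABS = 0x28, JEQ_K = 0x15, RET_K = 0x06 };

/* Hypothetical helper: emit a program that returns nonzero when the Ethernet
 * source MAC (frame bytes 6..11) is in macs[0..n-1], and 0 otherwise.
 * Returns the instruction count, or 0 if out[] is too small. */
size_t gen_mac_filter(const uint8_t macs[][6], size_t n, struct insn *out, size_t cap) {
    size_t len = 0;
    if (cap < 5 * n + 1) return 0;
    for (size_t i = 0; i < n; i++) {
        const uint8_t *m = macs[i];
        uint32_t hi = (uint32_t)m[0] << 8 | m[1];
        uint32_t lo = (uint32_t)m[2] << 24 | (uint32_t)m[3] << 16 | (uint32_t)m[4] << 8 | m[5];
        out[len++] = (struct insn){ LD_W_ABS, 0, 0, 8 };        /* A = bytes 8..11 */
        out[len++] = (struct insn){ JEQ_K, 0, 3, lo };          /* differ: next MAC */
        out[len++] = (struct insn){ LD_H_ABS, 0, 0, 6 };        /* A = bytes 6..7 */
        out[len++] = (struct insn){ JEQ_K, 0, 1, hi };          /* differ: next MAC */
        out[len++] = (struct insn){ RET_K, 0, 0, 0xffffffffu }; /* match */
    }
    out[len++] = (struct insn){ RET_K, 0, 0, 0 };               /* no MAC matched */
    return len;
}

/* Minimal interpreter for the four opcodes above, to check a program offline. */
uint32_t run_filter(const struct insn *p, size_t len, const uint8_t *pkt, size_t plen) {
    uint32_t a = 0;
    for (size_t pc = 0; pc < len; pc++) {
        uint32_t k = p[pc].k, w = (p[pc].code == LD_W_ABS) ? 4 : 2;
        switch (p[pc].code) {
        case LD_W_ABS: case LD_H_ABS:
            if (plen < w || k > plen - w) return 0;             /* short frame */
            for (a = 0; w > 0; w--) a = a << 8 | pkt[k++];      /* big-endian load */
            break;
        case JEQ_K: pc += (a == k) ? p[pc].jt : p[pc].jf; break;
        case RET_K: return k;
        default: return 0;                                      /* unknown opcode */
        }
    }
    return 0;
}

/* Constructed sample data: two allowed MACs, and a header sent by the second. */
const uint8_t ALLOW[2][6] = { {0x00,0x11,0x22,0x33,0x44,0x55}, {0x02,0,0,0,0,0x01} };
const uint8_t FRAME[14] = { 0xff,0xff,0xff,0xff,0xff,0xff, 0x02,0,0,0,0,0x01, 0x08,0x00 };
int main(void) {
    struct insn prog[16];
    return run_filter(prog, gen_mac_filter(ALLOW, 2, prog, 16), FRAME, sizeof FRAME) ? 0 : 1;
}
```

The source MAC in a frame is chosen by the sender, so a filter like this works as an access list rather than as proof of identity.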