(RADIATOR) MAC address filtering?

Hugh Irvine hugh at open.com.au
Mon Jan 24 16:08:03 CST 2005 

Hello Jim -

As mentioned in my previous mail (shown below) the contents of the file 
used for the AuthBy FILE reference the AuthBy LDAP2 clause.

>>
>> Then the file "addresses.mac" (in your DbDir directory) would
> contain
>> something like this:
>>
>> # addresses.mac
>>
>> 1.1.1.1.1.1 Auth-Type = CheckLDAP
>>
>> 2.2.2.2.2.2 Auth-Type = CheckLDAP
>>
>> 3.3.3.3.3.3 Auth-Type = CheckLDAP
>>
>> .....
>>
>>
>> The above assumes that the MAC address is in the Calling-Station-Id
>> attribute in the incoming request.
>>
>> Also the addresses must be listed exactly as they appear in the
>> incoming requests (ie. replace "1.1.1.1.1.1" etc. with the real MAC
>> addresses).

BTW - when you are having problems it is much easier for me to see what 
is going on if you send me a copy of the configuration file (no 
secrets) together with a trace 4 debug showing what is happening.

regards

Hugh


On 25 Jan 2005, at 04:04, Jim Michael wrote:

> Hi Hugh... the config below does not work. When using it, on the 
> console
> I see
>
> INFO: Access rejected for user jimm
> INFO: Access rejected for user anonymous
>
> It seems like the Authby LDAP2 section is never even being calledm and
> instead its looking for user "jimm" in the file. Indeed, when I look at
> the config, I don't see HOW LDAP2 gets called? Nothing in the rest of
> the config file references "CheckLDAP", which is the identifier for 
> that
> authby clause. Your config seems to be saying "If the request is
> tunnelled by TTLS, then do AuthBy CHeckMacAddress", which does not seem
> correct. I need to do *Authby LDAP2* for the tunnelled request, and 
> just
> check the mac address separately, PRIOR to that.
>
> Am I missing something obvious?
>
> Jim
>
>>>> Hugh Irvine <hugh at open.com.au> 1/21/2005 7:34:25 PM >>>
>
> Hello Jim -
>
> Something like this:
>
>
> AuthPort 1812
> AcctPort 1813
> Foreground
> LogStdout
> LogDir	/var/log/radius
> DbDir	/etc/radiator
> Trace 		3
>
> <Client DEFAULT>
> 	Secret	xxxxxx
> 	DupInterval 0
> </Client>
>
> # define AuthBy clauses
>
> <AuthBy FILE>
> 	Identifier CheckMACAddress
> 	Filename %D/addresses.mac
> 	AuthenticateAttribute Calling-Station-Id
> </AuthBy>
>
> <AuthBy LDAP2>
> 	Identifier CheckLDAP
> 	Host 		ren.chesterfield.mo.us
> 	AuthDN		cn=admin,o=coc
> 	AuthPassword	xxxxxxxxxx
> 	BaseDN		ou=Users,o=Private
> 	UsernameAttr 	cn
> 	ServerChecksPassword
> 	SearchFilter (&(cn=%1)(cocWLANAllowed=true))
> #	Debug 255
> </AuthBy>
>
> # define Handlers
>
> <Handler TunnelledByTTLS=1>
> 	AuthBy CheckMACAddress
> </Handler>
>
> <Handler>
> 	<AuthBy FILE>
> 		Filename /etc/radiator/users	
> 		EAPType TTLS
> 		EAPTLS_CAFile /etc/radiator/certificates/digicert.pem
> 		EAPTLS_CertificateFile
> /etc/radiator/certificates/star_chesterfield_mo_us.crt
> 		EAPTLS_CertificateType PEM
>
> 		EAPTLS_PrivateKeyFile
> /etc/radiator/certificates/digicert.pem
> 		EAPTLS_PrivateKeyPassword xxxxxxxxxxxxxxxxxxxx
> 		EAPTLS_MaxFragmentSize 1000
>
> 		AutoMPPEKeys
> 	</AuthBy>
> </Handler>
>
>
> Please let me know how you get on.
>
> There are other variations as well.
>
> regards
>
> Hugh
>
>
> On 22 Jan 2005, at 03:05, Jim Michael wrote:
>
>> Hi Hugh-
>>
>> Thanks for the info! However, I'm not quite sure where those fit in
>> with my current config. I'm already doing an <AuthBy FILE> to handle
>
>> the
>> TTLS "anonymous" user... do I add another Authby FILE clause, or add
>> your code to my existing one, or? Here's my current config... any
> info
>> on where the new code should go to handle mac filtering would be
>> helpful!
>>
>> Jim
>>
>> AuthPort 1812
>> AcctPort 1813
>> Foreground
>> LogStdout
>> LogDir	/var/log/radius
>> DbDir	/etc/radiator
>> Trace 		3
>>
>> <Client DEFAULT>
>> 	Secret	xxxxxx
>> 	DupInterval 0
>> </Client>
>>
>>
>> <Handler TunnelledByTTLS=1>
>>
>> 	<AuthBy LDAP2>
>> 		Host 		ren.chesterfield.mo.us
>> 		AuthDN		cn=admin,o=coc
>> 		AuthPassword	xxxxxxxxxx
>> 		BaseDN		ou=Users,o=Private
>> 		UsernameAttr 	cn
>> 		ServerChecksPassword
>> 		SearchFilter (&(cn=%1)(cocWLANAllowed=true))
>> #		Debug 255
>> 	</AuthBy>
>> </Handler>
>>
>> <Handler>
>> 	<AuthBy FILE>
>> 		Filename /etc/radiator/users	
>> 		EAPType TTLS
>> 		EAPTLS_CAFile /etc/radiator/certificates/digicert.pem
>> 		EAPTLS_CertificateFile
>> /etc/radiator/certificates/star_chesterfield_mo_us.crt
>> 		EAPTLS_CertificateType PEM
>>
>> 		EAPTLS_PrivateKeyFile
>> /etc/radiator/certificates/digicert.pem
>> 		EAPTLS_PrivateKeyPassword xxxxxxxxxxxxxxxxxxxx
>> 		EAPTLS_MaxFragmentSize 1000
>>
>> 		AutoMPPEKeys
>> 	</AuthBy>
>> </Handler>
>>
>>
>>>>> Hugh Irvine <hugh at open.com.au> 1/20/2005 9:43:26 PM >>>
>>
>> Hello Jim -
>>
>> You can use cascaded AuthBy clauses like this:
>>
>> # define AuthBy clauses
>>
>> <AuthBy FILE>
>> 	Identifier CheckMACAddress
>> 	Filename %D/addresses.mac
>> 	AuthenticateAttribute Calling-Station-Id
>> </AuthBy>
>>
>> <AuthBy LDAP2>
>> 	Identifier CheckLDAP
>> 	.....
>> </AuthBy>
>>
>> .....
>>
>> #define Handlers
>>
>> <Handler ....>
>> 	....
>> 	AuthBy CheckMACAddress
>> 	....
>> </Handler>
>>
>>
>> Then the file "addresses.mac" (in your DbDir directory) would
> contain
>> something like this:
>>
>> # addresses.mac
>>
>> 1.1.1.1.1.1 Auth-Type = CheckLDAP
>>
>> 2.2.2.2.2.2 Auth-Type = CheckLDAP
>>
>> 3.3.3.3.3.3 Auth-Type = CheckLDAP
>>
>> .....
>>
>>
>> The above assumes that the MAC address is in the Calling-Station-Id
>> attribute in the incoming request.
>>
>> Also the addresses must be listed exactly as they appear in the
>> incoming requests (ie. replace "1.1.1.1.1.1" etc. with the real MAC
>> addresses).
>>
>> Please let me know how you get on.
>>
>> regards
>>
>> Hugh
>>
>>
>>
>>
>> On 21 Jan 2005, at 07:41, Jim Michael wrote:
>>
>>> Ok, I'm getting close to my ideal solution with Radiator... have it
>>> authenticating against our LDAP directory, etc. Now I want to add
> an
>>> additional layer of security by having Radiator check the client's
>> MAC
>>> address against a list of allowed addresses. For now we have so few
>>> wireless clients that its not necessary to do a database lookup...
>>> Radiator simply checking a file on the system for allowed MAC
>> addresses
>>> would be fine, but I cannot figure out how to do this. What I want
>> is
>>>
>>> 1) client tries to get on the WLAN and radiator checks the MAC
>> against
>>> a list
>>> 2) If MAC is allowed, go ahead and do the LDAP authentication, if
>> no,
>>> dump 'em.
>>>
>>> Can anyone provide pointers to such a setup?
>>>
>>> Jim
>>>
>>>
>>> --
>>> Archive at http://www.open.com.au/archives/radiator/
>>> Announcements on radiator-announce at open.com.au
>>> To unsubscribe, email 'majordomo at open.com.au' with
>>> 'unsubscribe radiator' in the body of the message.
>>>
>>>
>>
>> NB:
>>
>> Have you read the reference manual ("doc/ref.html")?
>> Have you searched the mailing list archive
>> (www.open.com.au/archives/radiator)?
>> Have you had a quick look on Google (www.google.com)?
>> Have you included a copy of your configuration file (no secrets),
>> together with a trace 4 debug showing what is happening?
>>
>> -- 
>> Radiator: the most portable, flexible and configurable RADIUS server
>> anywhere. Available on *NIX, *BSD, Windows, MacOS X.
>> -
>> Nets: internetwork inventory and management - graphical, extensible,
>> flexible with hardware, software, platform and database
> independence.
>> -
>> CATool: Private Certificate Authority for Unix and Unix-like
> systems.
>>
>>
>>
>
> NB:
>
> Have you read the reference manual ("doc/ref.html")?
> Have you searched the mailing list archive
> (www.open.com.au/archives/radiator)?
> Have you had a quick look on Google (www.google.com)?
> Have you included a copy of your configuration file (no secrets),
> together with a trace 4 debug showing what is happening?
>
> -- 
> Radiator: the most portable, flexible and configurable RADIUS server
> anywhere. Available on *NIX, *BSD, Windows, MacOS X.
> -
> Nets: internetwork inventory and management - graphical, extensible,
> flexible with hardware, software, platform and database independence.
> -
> CATool: Private Certificate Authority for Unix and Unix-like systems.
>
> --
> Archive at http://www.open.com.au/archives/radiator/
> Announcements on radiator-announce at open.com.au
> To unsubscribe, email 'majordomo at open.com.au' with
> 'unsubscribe radiator' in the body of the message.
>
>

NB:

Have you read the reference manual ("doc/ref.html")?
Have you searched the mailing list archive 
(www.open.com.au/archives/radiator)?
Have you had a quick look on Google (www.google.com)?
Have you included a copy of your configuration file (no secrets),
together with a trace 4 debug showing what is happening?

-- 
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
-
CATool: Private Certificate Authority for Unix and Unix-like systems.

--
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.

More information about the radiator mailing list