(RADIATOR) MAC address filtering?

Jim Michael JMichael at chesterfield.mo.us
Fri Jan 21 10:05:55 CST 2005


Hi Hugh-

Thanks for the info! However, I'm not quite sure where those fit in
with my current config. I'm already doing an <AuthBy FILE> to handle the
TTLS "anonymous" user... do I add another Authby FILE clause, or add
your code to my existing one, or? Here's my current config... any info
on where the new code should go to handle mac filtering would be
helpful!

Jim

AuthPort 1812
AcctPort 1813
Foreground
LogStdout
LogDir	/var/log/radius
DbDir	/etc/radiator
Trace 		3

<Client DEFAULT>
	Secret	xxxxxx
	DupInterval 0
</Client>


<Handler TunnelledByTTLS=1>

	<AuthBy LDAP2>
		Host 		ren.chesterfield.mo.us
		AuthDN		cn=admin,o=coc
		AuthPassword	xxxxxxxxxx
		BaseDN		ou=Users,o=Private
		UsernameAttr 	cn
		ServerChecksPassword
		SearchFilter (&(cn=%1)(cocWLANAllowed=true))
#		Debug 255
	</AuthBy>
</Handler>

<Handler>
	<AuthBy FILE>
		Filename /etc/radiator/users	
		EAPType TTLS
		EAPTLS_CAFile /etc/radiator/certificates/digicert.pem
		EAPTLS_CertificateFile /etc/radiator/certificates/star_chesterfield_mo_us.crt
		EAPTLS_CertificateType PEM

		EAPTLS_PrivateKeyFile /etc/radiator/certificates/digicert.pem
		EAPTLS_PrivateKeyPassword xxxxxxxxxxxxxxxxxxxx
		EAPTLS_MaxFragmentSize 1000

		AutoMPPEKeys
	</AuthBy>
</Handler>


>>> Hugh Irvine <hugh at open.com.au> 1/20/2005 9:43:26 PM >>>

Hello Jim -

You can use cascaded AuthBy clauses like this:

# define AuthBy clauses

<AuthBy FILE>
	Identifier CheckMACAddress
	Filename %D/addresses.mac
	AuthenticateAttribute Calling-Station-Id
</AuthBy>

<AuthBy LDAP2>
	Identifier CheckLDAP
	.....
</AuthBy>

.....

#define Handlers

<Handler ....>
	....
	AuthBy CheckMACAddress
	....
</Handler>


Then the file "addresses.mac" (in your DbDir directory) would contain 
something like this:

# addresses.mac

1.1.1.1.1.1 Auth-Type = CheckLDAP

2.2.2.2.2.2 Auth-Type = CheckLDAP

3.3.3.3.3.3 Auth-Type = CheckLDAP

.....


The above assumes that the MAC address is in the Calling-Station-Id 
attribute in the incoming request.

Also the addresses must be listed exactly as they appear in the 
incoming requests (i.e. replace "1.1.1.1.1.1" etc. with the real MAC 
addresses).

Please let me know how you get on.

regards

Hugh




On 21 Jan 2005, at 07:41, Jim Michael wrote:

> Ok, I'm getting close to my ideal solution with Radiator... have it
> authenticating against our LDAP directory, etc. Now I want to add an
> additional layer of security by having Radiator check the client's MAC
> address against a list of allowed addresses. For now we have so few
> wireless clients that it's not necessary to do a database lookup...
> Radiator simply checking a file on the system for allowed MAC addresses
> would be fine, but I cannot figure out how to do this. What I want is
>
> 1) client tries to get on the WLAN and radiator checks the MAC against
> a list
> 2) If MAC is allowed, go ahead and do the LDAP authentication, if no,
> dump 'em.
>
> Can anyone provide pointers to such a setup?
>
> Jim
>
>
> --
> Archive at http://www.open.com.au/archives/radiator/ 
> Announcements on radiator-announce at open.com.au 
> To unsubscribe, email 'majordomo at open.com.au' with
> 'unsubscribe radiator' in the body of the message.
>
>

NB:

Have you read the reference manual ("doc/ref.html")?
Have you searched the mailing list archive 
(www.open.com.au/archives/radiator)?
Have you had a quick look on Google (www.google.com)?
Have you included a copy of your configuration file (no secrets),
together with a trace 4 debug showing what is happening?

-- 
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
-
CATool: Private Certificate Authority for Unix and Unix-like systems.



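An added example, not part of the original thread or of the Radiator distribution: Hugh's note that the addresses.mac entries must match the Calling-Station-Id exactly is where this kind of setup usually fails in practice, because NAS vendors send the MAC in different spellings (colon, dash, Cisco dotted, bare hex, upper or lower case). The Python script below (a hypothetical helper; its function names, the ALLOWED_MACS list and the observed Calling-Station-Id are all assumptions for illustration) takes a hand-maintained allow-list in mixed spellings, infers the NAS's formatting from one Calling-Station-Id captured in a trace 4 log, and emits addresses.mac in that exact spelling with the `Auth-Type = CheckLDAP` cascade Hugh describes. `file_lookup_matches` models the exact-string key match of a flat-file lookup so the failure mode is visible: a colon-separated entry never matches a dash-separated request.

```python
"""Generate a Radiator addresses.mac allow-list whose entries are spelled
exactly as the NAS sends Calling-Station-Id.

Added example for this thread; not part of Radiator. Function and file
names are this example's own choices.
"""
import re
from typing import Iterable, NamedTuple, Optional

# Calling-Station-Id spellings seen from different NAS vendors. Which one a
# given NAS uses must be read from a real request (e.g. a trace 4 log).
_FORMATS = {
    "colon": r"([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}",   # 00:1a:2b:3c:4d:5e
    "dash":  r"([0-9A-Fa-f]{2}-){5}[0-9A-Fa-f]{2}",   # 00-1A-2B-3C-4D-5E
    "cisco": r"([0-9A-Fa-f]{4}\.){2}[0-9A-Fa-f]{4}",  # 001a.2b3c.4d5e
    "bare":  r"[0-9A-Fa-f]{12}",                      # 001a2b3c4d5e
}


class Style(NamedTuple):
    sep: str     # key into _FORMATS
    upper: bool  # hex letters upper-case?


def canonical_mac(value: str) -> Optional[str]:
    """Reduce any of the spellings above to 12 lower-case hex digits.

    Returns None for anything that is not a MAC address, so a typo in the
    allow-list is rejected instead of becoming a dead entry.
    """
    stripped = re.sub(r"[:\-.\s]", "", value).lower()
    return stripped if re.fullmatch(r"[0-9a-f]{12}", stripped) else None


def detect_style(observed: str) -> Style:
    """Infer separator and letter case from one Calling-Station-Id value."""
    s = observed.strip()
    for sep, pattern in _FORMATS.items():
        if re.fullmatch(pattern, s):
            letters = re.sub(r"[^A-Za-z]", "", s)
            return Style(sep, bool(letters) and letters.isupper())
    raise ValueError(f"unrecognised Calling-Station-Id format: {observed!r}")


def format_mac(canon: str, style: Style) -> str:
    """Write a canonical MAC in the given style."""
    if style.sep == "colon":
        out = ":".join(canon[i:i + 2] for i in range(0, 12, 2))
    elif style.sep == "dash":
        out = "-".join(canon[i:i + 2] for i in range(0, 12, 2))
    elif style.sep == "cisco":
        out = ".".join(canon[i:i + 4] for i in range(0, 12, 4))
    else:
        out = canon
    return out.upper() if style.upper else out


def render_addresses_mac(allowed: Iterable[str], observed: str,
                         auth_type: str = "CheckLDAP") -> str:
    """Emit addresses.mac: one line per allowed MAC, in the NAS's exact
    spelling, each cascading to the LDAP AuthBy via Auth-Type."""
    style = detect_style(observed)
    lines = ["# addresses.mac (generated)"]
    seen = set()
    for entry in allowed:
        canon = canonical_mac(entry)
        if canon is None:
            raise ValueError(f"not a MAC address: {entry!r}")
        if canon in seen:          # same device listed twice in two spellings
            continue
        seen.add(canon)
        lines.append(f"{format_mac(canon, style)} Auth-Type = {auth_type}")
    return "\n".join(lines) + "\n"


def file_lookup_matches(addresses_mac: str, calling_station_id: str) -> bool:
    """Model the exact-string key match of a flat-file lookup: the first
    word of each non-comment line is the key. No normalisation, on purpose,
    so that a spelling mismatch shows up as a miss."""
    wanted = calling_station_id.strip()
    for line in addresses_mac.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and line.split()[0] == wanted:
            return True
    return False


# Constructed sample data, not from the thread: an allow-list maintained by
# hand in mixed spellings, plus one Calling-Station-Id as this NAS sends it.
ALLOWED_MACS = ["00:1A:2B:3C:4D:5E", "00-1a-2b-3c-4d-5f",
                "001a.2b3c.4d60", "00:1A:2B:3C:4D:5E"]
OBSERVED_CALLING_STATION_ID = "00-1A-2B-3C-4D-61"

if __name__ == "__main__":
    rendered = render_addresses_mac(ALLOWED_MACS, OBSERVED_CALLING_STATION_ID)
    print(rendered)
    # A hand-written colon entry would never match this NAS's requests:
    print(file_lookup_matches(rendered, "00:1a:2b:3c:4d:5e"))  # False
    print(file_lookup_matches(rendered, "00-1A-2B-3C-4D-5E"))  # True
```

Regenerate the file from the allow-list whenever a device is added, and re-check the observed spelling if a new NAS model is introduced, since each vendor may format the attribute differently. Calling-Station-Id is whatever the client's NIC reports and is trivially spoofed, so the MAC list is a hurdle against casual association, not authentication; the LDAP credential check that the entries cascade to remains the control that matters.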