(RADIATOR) MAC address filtering?
Jim Michael
JMichael at chesterfield.mo.us
Fri Jan 21 10:05:55 CST 2005
Hi Hugh-
Thanks for the info! However, I'm not quite sure where those fit in with my current config. I'm already doing an <AuthBy FILE> to handle the TTLS "anonymous" user... do I add another AuthBy FILE clause, or add your code to my existing one, or? Here's my current config... any info on where the new code should go to handle MAC filtering would be helpful!
Jim
AuthPort 1812
AcctPort 1813
Foreground
LogStdout
LogDir /var/log/radius
DbDir /etc/radiator
Trace 3

<Client DEFAULT>
	Secret xxxxxx
	DupInterval 0
</Client>

<Handler TunnelledByTTLS=1>
	<AuthBy LDAP2>
		Host ren.chesterfield.mo.us
		AuthDN cn=admin,o=coc
		AuthPassword xxxxxxxxxx
		BaseDN ou=Users,o=Private
		UsernameAttr cn
		ServerChecksPassword
		SearchFilter (&(cn=%1)(cocWLANAllowed=true))
		# Debug 255
	</AuthBy>
</Handler>

<Handler>
	<AuthBy FILE>
		Filename /etc/radiator/users
		EAPType TTLS
		EAPTLS_CAFile /etc/radiator/certificates/digicert.pem
		EAPTLS_CertificateFile /etc/radiator/certificates/star_chesterfield_mo_us.crt
		EAPTLS_CertificateType PEM
		EAPTLS_PrivateKeyFile /etc/radiator/certificates/digicert.pem
		EAPTLS_PrivateKeyPassword xxxxxxxxxxxxxxxxxxxx
		EAPTLS_MaxFragmentSize 1000
		AutoMPPEKeys
	</AuthBy>
</Handler>
>>> Hugh Irvine <hugh at open.com.au> 1/20/2005 9:43:26 PM >>>
Hello Jim -
You can use cascaded AuthBy clauses like this:
# define AuthBy clauses
<AuthBy FILE>
	Identifier CheckMACAddress
	Filename %D/addresses.mac
	AuthenticateAttribute Calling-Station-Id
</AuthBy>

<AuthBy LDAP2>
	Identifier CheckLDAP
	.....
</AuthBy>
.....

# define Handlers
<Handler ....>
	....
	AuthBy CheckMACAddress
	....
</Handler>
Then the file "addresses.mac" (in your DbDir directory) would contain
something like this:
# addresses.mac
1.1.1.1.1.1 Auth-Type = CheckLDAP
2.2.2.2.2.2 Auth-Type = CheckLDAP
3.3.3.3.3.3 Auth-Type = CheckLDAP
.....
The above assumes that the MAC address is in the Calling-Station-Id attribute in the incoming request.
Also the addresses must be listed exactly as they appear in the incoming requests (i.e. replace "1.1.1.1.1.1" etc. with the real MAC addresses).
Please let me know how you get on.
regards
Hugh
On 21 Jan 2005, at 07:41, Jim Michael wrote:
> Ok, I'm getting close to my ideal solution with Radiator... have it authenticating against our LDAP directory, etc. Now I want to add an additional layer of security by having Radiator check the client's MAC address against a list of allowed addresses. For now we have so few wireless clients that it's not necessary to do a database lookup... Radiator simply checking a file on the system for allowed MAC addresses would be fine, but I cannot figure out how to do this. What I want is
>
> 1) client tries to get on the WLAN and radiator checks the MAC against a list
> 2) If MAC is allowed, go ahead and do the LDAP authentication, if no, dump 'em.
>
> Can anyone provide pointers to such a setup?
>
> Jim
NB:
Have you read the reference manual ("doc/ref.html")?
Have you searched the mailing list archive (www.open.com.au/archives/radiator)?
Have you had a quick look on Google (www.google.com)?
Have you included a copy of your configuration file (no secrets), together with a trace 4 debug showing what is happening?
--
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
-
CATool: Private Certificate Authority for Unix and Unix-like systems.
--
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.
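Added example (not part of the thread, and not Jim's or Hugh's own configuration): Jim's posted config merged with Hugh's cascaded-AuthBy pattern, showing where the MAC check sits so that it gates the LDAP lookup. The LDAP2 clause is moved out of the tunnelled Handler and given an Identifier so the FILE lookup can cascade to it; the outer TTLS Handler is unchanged. It assumes the Calling-Station-Id from the outer request is present in the tunnelled request that the TunnelledByTTLS=1 Handler sees; secrets are the placeholders from the posted config.

```apache
# Added example, not the configuration posted in the thread.
# Radiator config: Jim's settings plus Hugh's MAC-check cascade.
AuthPort 1812
AcctPort 1813
Foreground
LogStdout
LogDir /var/log/radius
DbDir /etc/radiator
Trace 3

<Client DEFAULT>
	Secret xxxxxx
	DupInterval 0
</Client>

# AuthBy clauses are defined first so Handlers can reference them by Identifier.

# Stage 1: look the request up by Calling-Station-Id instead of User-Name.
# A MAC that is not listed in %D/addresses.mac is rejected here and never
# reaches the directory.
<AuthBy FILE>
	Identifier CheckMACAddress
	Filename %D/addresses.mac
	AuthenticateAttribute Calling-Station-Id
</AuthBy>

# Stage 2: reached only through "Auth-Type = CheckLDAP" on a matching line
# of addresses.mac. Settings copied from the posted <AuthBy LDAP2>.
<AuthBy LDAP2>
	Identifier CheckLDAP
	Host ren.chesterfield.mo.us
	AuthDN cn=admin,o=coc
	AuthPassword xxxxxxxxxx
	BaseDN ou=Users,o=Private
	UsernameAttr cn
	ServerChecksPassword
	SearchFilter (&(cn=%1)(cocWLANAllowed=true))
</AuthBy>

# Inner (tunnelled) TTLS request: MAC check first, cascading to LDAP.
# Assumption: the tunnelled request carries the outer request's
# Calling-Station-Id. Confirm with a Trace 4 log before relying on it.
<Handler TunnelledByTTLS=1>
	AuthBy CheckMACAddress
</Handler>

# Outer request: terminates the TTLS tunnel for the "anonymous" outer
# identity, exactly as in the posted config.
<Handler>
	<AuthBy FILE>
		Filename /etc/radiator/users
		EAPType TTLS
		EAPTLS_CAFile /etc/radiator/certificates/digicert.pem
		EAPTLS_CertificateFile /etc/radiator/certificates/star_chesterfield_mo_us.crt
		EAPTLS_CertificateType PEM
		EAPTLS_PrivateKeyFile /etc/radiator/certificates/digicert.pem
		EAPTLS_PrivateKeyPassword xxxxxxxxxxxxxxxxxxxx
		EAPTLS_MaxFragmentSize 1000
		AutoMPPEKeys
	</AuthBy>
</Handler>
```

The companion file /etc/radiator/addresses.mac holds one line per permitted device in the form Hugh showed, for example `00-11-22-33-44-55 Auth-Type = CheckLDAP` (a constructed sample address). Because AuthBy FILE matches the Calling-Station-Id string literally, each entry must use the delimiter and letter case the access point actually sends, which varies by vendor; a Trace 4 log of a real request shows the exact form. Two practitioner caveats: the Handler order matters, since Radiator uses the first Handler whose check items match, so the TunnelledByTTLS=1 Handler must stay ahead of the catch-all; and a MAC address is asserted by the client and easily changed, so this list only limits which devices may attempt the LDAP authentication, while the password check against the directory remains the actual access control.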