(RADIATOR) MAC address filtering?

Hugh Irvine hugh at open.com.au
Fri Jan 21 19:34:25 CST 2005


Hello Jim -

Something like this:


AuthPort 1812
AcctPort 1813
Foreground
LogStdout
LogDir	/var/log/radius
DbDir	/etc/radiator
Trace 		3

<Client DEFAULT>
	Secret	xxxxxx
	DupInterval 0
</Client>

# define AuthBy clauses

<AuthBy FILE>
	Identifier CheckMACAddress
	Filename %D/addresses.mac
	AuthenticateAttribute Calling-Station-Id
</AuthBy>

<AuthBy LDAP2>
	Identifier CheckLDAP
	Host 		ren.chesterfield.mo.us
	AuthDN		cn=admin,o=coc
	AuthPassword	xxxxxxxxxx
	BaseDN		ou=Users,o=Private
	UsernameAttr 	cn
	ServerChecksPassword
	SearchFilter (&(cn=%1)(cocWLANAllowed=true))
#	Debug 255
</AuthBy>

# define Handlers

<Handler TunnelledByTTLS=1>
	AuthBy CheckMACAddress
</Handler>

<Handler>
	<AuthBy FILE>
		Filename /etc/radiator/users	
		EAPType TTLS
		EAPTLS_CAFile /etc/radiator/certificates/digicert.pem
		EAPTLS_CertificateFile /etc/radiator/certificates/star_chesterfield_mo_us.crt
		EAPTLS_CertificateType PEM

		EAPTLS_PrivateKeyFile /etc/radiator/certificates/digicert.pem
		EAPTLS_PrivateKeyPassword xxxxxxxxxxxxxxxxxxxx
		EAPTLS_MaxFragmentSize 1000

		AutoMPPEKeys
	</AuthBy>
</Handler>


Please let me know how you get on.

There are other variations as well.

regards

Hugh
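An added example, not Hugh's code and not part of Radiator: a small Python model of the addresses.mac check described in this thread, useful for testing the file before it goes into DbDir. It assumes what the thread states: the file uses the users-file layout "<name> <check items>" with the MAC as the name, <AuthBy FILE> with AuthenticateAttribute Calling-Station-Id matches the attribute value against that name as an exact string, a hit with Auth-Type = CheckLDAP cascades to the LDAP AuthBy, and a miss rejects. The sample file, the MAC addresses in it and the function names are all constructed for this example.

```python
"""
Added example (not Hugh's code, not Radiator's): model the addresses.mac
check from this thread and generate the file in the exact notation the NAS
uses in Calling-Station-Id, so the exact-match lookup actually hits.
"""
import re

# Constructed sample addresses.mac in the layout the thread describes (MACs are made up).
SAMPLE_ADDRESSES_MAC = """\
# addresses.mac
00-11-22-33-44-55 Auth-Type = CheckLDAP
00-11-22-aa-bb-cc Auth-Type = CheckLDAP
"""

_NON_HEX_RE = re.compile(r"[^0-9a-fA-F]")


def parse_addresses_mac(text):
    """Return {name_as_written: {check_item: value}} for the one-line entries used
    in the thread. Indented continuation lines (reply items in the users-file
    format) are skipped because they play no part in the check."""
    entries = {}
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace():
            continue
        name, _, rest = raw.strip().partition(" ")
        checks = {}
        for item in rest.split(","):
            key, sep, value = item.partition("=")
            if sep:
                checks[key.strip()] = value.strip()
        entries[name] = checks
    return entries


def decide(entries, calling_station_id):
    """Model the Handler that uses AuthBy CheckMACAddress: the Calling-Station-Id
    is looked up exactly as received, with no normalisation. Returns the
    Auth-Type to cascade to (e.g. "CheckLDAP"), or None when the MAC is not
    listed, meaning the request is rejected before any LDAP query is made."""
    checks = entries.get(calling_station_id)
    if checks is None:
        return None
    return checks.get("Auth-Type")


def normalise_mac(raw):
    """Canonical form: 12 lower-case hex digits, whatever separators were used."""
    digits = _NON_HEX_RE.sub("", raw)
    if len(digits) != 12:
        raise ValueError("not a 48-bit MAC: %r" % raw)
    return digits.lower()


def format_like(canonical, observed):
    """Render a canonical MAC with the grouping, separator and letter case of an
    observed Calling-Station-Id value (e.g. 00-11-22-33-44-55, 0011.2233.4455
    or 001122334455), so file entries match what this NAS sends."""
    seps = _NON_HEX_RE.findall(observed)
    sep = seps[0] if seps else ""
    groups = len(seps) + 1
    size, rem = divmod(12, groups)
    if rem or (seps and len(set(seps)) != 1):
        raise ValueError("unrecognised MAC layout: %r" % observed)
    text = sep.join(canonical[i:i + size] for i in range(0, 12, size))
    if any(c.isupper() for c in observed):
        return text.upper()
    return text


def render_addresses_mac(allowed, observed, auth_type="CheckLDAP"):
    """Build addresses.mac content from an allow-list written in any notation,
    emitting each entry in the notation of one observed request."""
    lines = ["# addresses.mac (generated)"]
    for mac in allowed:
        entry = format_like(normalise_mac(mac), observed)
        lines.append("%s Auth-Type = %s" % (entry, auth_type))
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    entries = parse_addresses_mac(SAMPLE_ADDRESSES_MAC)
    # Same MAC in two notations: the second lookup misses, which is the
    # "exactly as they appear in the incoming requests" caveat from the thread.
    print(decide(entries, "00-11-22-33-44-55"))   # CheckLDAP
    print(decide(entries, "00:11:22:33:44:55"))   # None
    print(render_addresses_mac(["00:11:22:aa:bb:cc"], "00-11-22-33-44-FF"))
```

The lookup deliberately does no normalisation, mirroring the exact string match the thread describes; the normalising helpers are only used when writing the file. Since the notation of Calling-Station-Id varies between NAS vendors, take the `observed` value from a trace 4 debug of a real request from the access point in question rather than typing it by hand.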


On 22 Jan 2005, at 03:05, Jim Michael wrote:

> Hi Hugh-
>
> Thanks for the info! However, I'm not quite sure where those fit in
> with my current config. I'm already doing an <AuthBy FILE> to handle 
> the
> TTLS "anonymous" user... do I add another Authby FILE clause, or add
> your code to my existing one, or? Here's my current config... any info
> on where the new code should go to handle mac filtering would be
> helpful!
>
> Jim
>
> AuthPort 1812
> AcctPort 1813
> Foreground
> LogStdout
> LogDir	/var/log/radius
> DbDir	/etc/radiator
> Trace 		3
>
> <Client DEFAULT>
> 	Secret	xxxxxx
> 	DupInterval 0
> </Client>
>
>
> <Handler TunnelledByTTLS=1>
>
> 	<AuthBy LDAP2>
> 		Host 		ren.chesterfield.mo.us
> 		AuthDN		cn=admin,o=coc
> 		AuthPassword	xxxxxxxxxx
> 		BaseDN		ou=Users,o=Private
> 		UsernameAttr 	cn
> 		ServerChecksPassword
> 		SearchFilter (&(cn=%1)(cocWLANAllowed=true))
> #		Debug 255
> 	</AuthBy>
> </Handler>
>
> <Handler>
> 	<AuthBy FILE>
> 		Filename /etc/radiator/users	
> 		EAPType TTLS
> 		EAPTLS_CAFile /etc/radiator/certificates/digicert.pem
> 		EAPTLS_CertificateFile /etc/radiator/certificates/star_chesterfield_mo_us.crt
> 		EAPTLS_CertificateType PEM
>
> 		EAPTLS_PrivateKeyFile /etc/radiator/certificates/digicert.pem
> 		EAPTLS_PrivateKeyPassword xxxxxxxxxxxxxxxxxxxx
> 		EAPTLS_MaxFragmentSize 1000
>
> 		AutoMPPEKeys
> 	</AuthBy>
> </Handler>
>
>
>>>> Hugh Irvine <hugh at open.com.au> 1/20/2005 9:43:26 PM >>>
>
> Hello Jim -
>
> You can use cascaded AuthBy clauses like this:
>
> # define AuthBy clauses
>
> <AuthBy FILE>
> 	Identifier CheckMACAddress
> 	Filename %D/addresses.mac
> 	AuthenticateAttribute Calling-Station-Id
> </AuthBy>
>
> <AuthBy LDAP2>
> 	Identifier CheckLDAP
> 	.....
> </AuthBy>
>
> .....
>
> #define Handlers
>
> <Handler ....>
> 	....
> 	AuthBy CheckMACAddress
> 	....
> </Handler>
>
>
> Then the file "addresses.mac" (in your DbDir directory) would contain
> something like this:
>
> # addresses.mac
>
> 1.1.1.1.1.1 Auth-Type = CheckLDAP
>
> 2.2.2.2.2.2 Auth-Type = CheckLDAP
>
> 3.3.3.3.3.3 Auth-Type = CheckLDAP
>
> .....
>
>
> The above assumes that the MAC address is in the Calling-Station-Id
> attribute in the incoming request.
>
> Also the addresses must be listed exactly as they appear in the
> incoming requests (ie. replace "1.1.1.1.1.1" etc. with the real MAC
> addresses).
>
> Please let me know how you get on.
>
> regards
>
> Hugh
>
>
>
>
> On 21 Jan 2005, at 07:41, Jim Michael wrote:
>
>> Ok, I'm getting close to my ideal solution with Radiator... have it
>> authenticating against our LDAP directory, etc. Now I want to add an
>> additional layer of security by having Radiator check the client's MAC
>> address against a list of allowed addresses. For now we have so few
>> wireless clients that it's not necessary to do a database lookup...
>> Radiator simply checking a file on the system for allowed MAC addresses
>> would be fine, but I cannot figure out how to do this. What I want is
>>
>> 1) client tries to get on the WLAN and radiator checks the MAC against
>> a list
>> 2) If MAC is allowed, go ahead and do the LDAP authentication, if no,
>> dump 'em.
>>
>> Can anyone provide pointers to such a setup?
>>
>> Jim
>>
>>
>> --
>> Archive at http://www.open.com.au/archives/radiator/
>> Announcements on radiator-announce at open.com.au
>> To unsubscribe, email 'majordomo at open.com.au' with
>> 'unsubscribe radiator' in the body of the message.
>>
>>
>
> NB:
>
> Have you read the reference manual ("doc/ref.html")?
> Have you searched the mailing list archive
> (www.open.com.au/archives/radiator)?
> Have you had a quick look on Google (www.google.com)?
> Have you included a copy of your configuration file (no secrets),
> together with a trace 4 debug showing what is happening?
>
> -- 
> Radiator: the most portable, flexible and configurable RADIUS server
> anywhere. Available on *NIX, *BSD, Windows, MacOS X.
> -
> Nets: internetwork inventory and management - graphical, extensible,
> flexible with hardware, software, platform and database independence.
> -
> CATool: Private Certificate Authority for Unix and Unix-like systems.
>
>
>
