(RADIATOR) MAC address filtering?

Nuno Rodrigues nuno at ipb.pt
Mon Jan 24 08:48:22 CST 2005 

Hello,

I need something like this, but with the following conditions:

- The authentication is based on EAP/TTLS with LDAP directory (is 
working ok at this time).
- Permit all MAC Addresses, by default
- Deny only some MAC's (from the bad boys only :)

Is this possible, without create a file with all MAC Addresses authorised?

Thanks,
Nuno.

Hugh Irvine wrote:

>
> Hello Jim -
>
> Something like this:
>
>
> AuthPort 1812
> AcctPort 1813
> Foreground
> LogStdout
> LogDir    /var/log/radius
> DbDir    /etc/radiator
> Trace         3
>
> <Client DEFAULT>
>     Secret    xxxxxx
>     DupInterval 0
> </Client>
>
> # define AuthBy clauses
>
> <AuthBy FILE>
>     Identifier CheckMACAddress
>     Filename %D/addresses.mac
>     AuthenticateAttribute Calling-Station-Id
> </AuthBy>
>
> <AuthBy LDAP2>
>     Identifier CheckLDAP
>     Host         ren.chesterfield.mo.us
>     AuthDN        cn=admin,o=coc
>     AuthPassword    xxxxxxxxxx
>     BaseDN        ou=Users,o=Private
>     UsernameAttr     cn
>     ServerChecksPassword
>     SearchFilter (&(cn=%1)(cocWLANAllowed=true))
> #    Debug 255
> </AuthBy>
>
> # define Handlers
>
> <Handler TunnelledByTTLS=1>
>     AuthBy CheckMACAddress
> </Handler>
>
> <Handler>
>     <AuthBy FILE>
>         Filename /etc/radiator/users   
>         EAPType TTLS
>         EAPTLS_CAFile /etc/radiator/certificates/digicert.pem
>         EAPTLS_CertificateFile
> /etc/radiator/certificates/star_chesterfield_mo_us.crt
>         EAPTLS_CertificateType PEM
>
>         EAPTLS_PrivateKeyFile
> /etc/radiator/certificates/digicert.pem
>         EAPTLS_PrivateKeyPassword xxxxxxxxxxxxxxxxxxxx
>         EAPTLS_MaxFragmentSize 1000
>
>         AutoMPPEKeys
>     </AuthBy>
> </Handler>
>
>
> Please let me know how you get on.
>
> There are other variations as well.
>
> regards
>
> Hugh
>
>
> On 22 Jan 2005, at 03:05, Jim Michael wrote:
>
>> Hi Hugh-
>>
>> Thanks for the info! However, I'm not quite sure where those fit in
>> with my current config. I'm already doing an <AuthBy FILE> to handle the
>> TTLS "anonymous" user... do I add another Authby FILE clause, or add
>> your code to my existing one, or? Here's my current config... any info
>> on where the new code should go to handle mac filtering would be
>> helpful!
>>
>> Jim
>>
>> AuthPort 1812
>> AcctPort 1813
>> Foreground
>> LogStdout
>> LogDir    /var/log/radius
>> DbDir    /etc/radiator
>> Trace         3
>>
>> <Client DEFAULT>
>>     Secret    xxxxxx
>>     DupInterval 0
>> </Client>
>>
>>
>> <Handler TunnelledByTTLS=1>
>>
>>     <AuthBy LDAP2>
>>         Host         ren.chesterfield.mo.us
>>         AuthDN        cn=admin,o=coc
>>         AuthPassword    xxxxxxxxxx
>>         BaseDN        ou=Users,o=Private
>>         UsernameAttr     cn
>>         ServerChecksPassword
>>         SearchFilter (&(cn=%1)(cocWLANAllowed=true))
>> #        Debug 255
>>     </AuthBy>
>> </Handler>
>>
>> <Handler>
>>     <AuthBy FILE>
>>         Filename /etc/radiator/users   
>>         EAPType TTLS
>>         EAPTLS_CAFile /etc/radiator/certificates/digicert.pem
>>         EAPTLS_CertificateFile
>> /etc/radiator/certificates/star_chesterfield_mo_us.crt
>>         EAPTLS_CertificateType PEM
>>
>>         EAPTLS_PrivateKeyFile
>> /etc/radiator/certificates/digicert.pem
>>         EAPTLS_PrivateKeyPassword xxxxxxxxxxxxxxxxxxxx
>>         EAPTLS_MaxFragmentSize 1000
>>
>>         AutoMPPEKeys
>>     </AuthBy>
>> </Handler>
>>
>>
>>>>> Hugh Irvine <hugh at open.com.au> 1/20/2005 9:43:26 PM >>>
>>>>
>>
>> Hello Jim -
>>
>> You can use cascaded AuthBy clauses like this:
>>
>> # define AuthBy clauses
>>
>> <AuthBy FILE>
>>     Identifier CheckMACAddress
>>     Filename %D/addresses.mac
>>     AuthenticateAttribute Calling-Station-Id
>> </AuthBy>
>>
>> <AuthBy LDAP2>
>>     Identifier CheckLDAP
>>     .....
>> </AuthBy>
>>
>> .....
>>
>> #define Handlers
>>
>> <Handler ....>
>>     ....
>>     AuthBy CheckMACAddress
>>     ....
>> </Handler>
>>
>>
>> Then the file "addresses.mac" (in your DbDir directory) would contain
>> something like this:
>>
>> # addresses.mac
>>
>> 1.1.1.1.1.1 Auth-Type = CheckLDAP
>>
>> 2.2.2.2.2.2 Auth-Type = CheckLDAP
>>
>> 3.3.3.3.3.3 Auth-Type = CheckLDAP
>>
>> .....
>>
>>
>> The above assumes that the MAC address is in the Calling-Station-Id
>> attribute in the incoming request.
>>
>> Also the addresses must be listed exactly as they appear in the
>> incoming requests (ie. replace "1.1.1.1.1.1" etc. with the real MAC
>> addresses).
>>
>> Please let me know how you get on.
>>
>> regards
>>
>> Hugh
>>
>>
>>
>>
>> On 21 Jan 2005, at 07:41, Jim Michael wrote:
>>
>>> Ok, I'm getting close to my ideal solution with Radiator... have it
>>> authenticating against our LDAP directory, etc. Now I want to add an
>>> additional layer of security by having Radiator check the client's
>>
>> MAC
>>
>>> address against a list of allowed addresses. For now we have so few
>>> wireless clients that its not necessary to do a database lookup...
>>> Radiator simply checking a file on the system for allowed MAC
>>
>> addresses
>>
>>> would be fine, but I cannot figure out how to do this. What I want
>>
>> is
>>
>>>
>>> 1) client tries to get on the WLAN and radiator checks the MAC
>>
>> against
>>
>>> a list
>>> 2) If MAC is allowed, go ahead and do the LDAP authentication, if
>>
>> no,
>>
>>> dump 'em.
>>>
>>> Can anyone provide pointers to such a setup?
>>>
>>> Jim
>>>
>>>
>>> -- 
>>> Archive at http://www.open.com.au/archives/radiator/
>>> Announcements on radiator-announce at open.com.au
>>> To unsubscribe, email 'majordomo at open.com.au' with
>>> 'unsubscribe radiator' in the body of the message.
>>>
>>>
>>
>> NB:
>>
>> Have you read the reference manual ("doc/ref.html")?
>> Have you searched the mailing list archive
>> (www.open.com.au/archives/radiator)?
>> Have you had a quick look on Google (www.google.com)?
>> Have you included a copy of your configuration file (no secrets),
>> together with a trace 4 debug showing what is happening?
>>
>> -- 
>> Radiator: the most portable, flexible and configurable RADIUS server
>> anywhere. Available on *NIX, *BSD, Windows, MacOS X.
>> -
>> Nets: internetwork inventory and management - graphical, extensible,
>> flexible with hardware, software, platform and database independence.
>> -
>> CATool: Private Certificate Authority for Unix and Unix-like systems.
>>
>>
>>
>
> NB:
>
> Have you read the reference manual ("doc/ref.html")?
> Have you searched the mailing list archive 
> (www.open.com.au/archives/radiator)?
> Have you had a quick look on Google (www.google.com)?
> Have you included a copy of your configuration file (no secrets),
> together with a trace 4 debug showing what is happening?
>


-- 
.................................................................
 Nuno Rodrigues : nuno at ipb.pt : http://www.ipb.pt/~nuno
 Eq. Assistente 2o Triénio : Dep. Informática e Comunicações : ESTiG/IPB
 Coordenador do Centro de Comunicações do IPB
.................................................................

--
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.

More information about the radiator mailing list