(RADIATOR) MAC address filtering?
Jose Borges Ferreira
underspell at gmail.com
Mon Jan 24 09:56:24 CST 2005
You can use something like this:
<AuthBy FILE># {{{ auth_file_blacklist
Identifier auth_file_blacklist
AcceptIfMissing
Filename %D/blacklist
</AuthBy>
# }}}
<j/>
On Mon, 24 Jan 2005 14:48:22 +0000, Nuno Rodrigues <nuno at ipb.pt> wrote:
>
> Hello,
>
> I need something like this, but with the following conditions:
>
> - The authentication is based on EAP/TTLS with LDAP directory (is
> working ok at this time).
> - Permit all MAC Addresses, by default
> - Deny only some MAC's (from the bad boys only :)
>
> Is this possible, without create a file with all MAC Addresses authorised?
>
> Thanks,
> Nuno.
>
> Hugh Irvine wrote:
>
> >
> > Hello Jim -
> >
> > Something like this:
> >
> >
> > AuthPort 1812
> > AcctPort 1813
> > Foreground
> > LogStdout
> > LogDir /var/log/radius
> > DbDir /etc/radiator
> > Trace 3
> >
> > <Client DEFAULT>
> > Secret xxxxxx
> > DupInterval 0
> > </Client>
> >
> > # define AuthBy clauses
> >
> > <AuthBy FILE>
> > Identifier CheckMACAddress
> > Filename %D/addresses.mac
> > AuthenticateAttribute Calling-Station-Id
> > </AuthBy>
> >
> > <AuthBy LDAP2>
> > Identifier CheckLDAP
> > Host ren.chesterfield.mo.us
> > AuthDN cn=admin,o=coc
> > AuthPassword xxxxxxxxxx
> > BaseDN ou=Users,o=Private
> > UsernameAttr cn
> > ServerChecksPassword
> > SearchFilter (&(cn=%1)(cocWLANAllowed=true))
> > # Debug 255
> > </AuthBy>
> >
> > # define Handlers
> >
> > <Handler TunnelledByTTLS=1>
> > AuthBy CheckMACAddress
> > </Handler>
> >
> > <Handler>
> > <AuthBy FILE>
> > Filename /etc/radiator/users
> > EAPType TTLS
> > EAPTLS_CAFile /etc/radiator/certificates/digicert.pem
> > EAPTLS_CertificateFile /etc/radiator/certificates/star_chesterfield_mo_us.crt
> > EAPTLS_CertificateType PEM
> >
> > EAPTLS_PrivateKeyFile /etc/radiator/certificates/digicert.pem
> > EAPTLS_PrivateKeyPassword xxxxxxxxxxxxxxxxxxxx
> > EAPTLS_MaxFragmentSize 1000
> >
> > AutoMPPEKeys
> > </AuthBy>
> > </Handler>
> >
> >
> > Please let me know how you get on.
> >
> > There are other variations as well.
> >
> > regards
> >
> > Hugh
> >
> >
> > On 22 Jan 2005, at 03:05, Jim Michael wrote:
> >
> >> Hi Hugh-
> >>
> >> Thanks for the info! However, I'm not quite sure where those fit in
> >> with my current config. I'm already doing an <AuthBy FILE> to handle the
> >> TTLS "anonymous" user... do I add another Authby FILE clause, or add
> >> your code to my existing one, or? Here's my current config... any info
> >> on where the new code should go to handle mac filtering would be
> >> helpful!
> >>
> >> Jim
> >>
> >> AuthPort 1812
> >> AcctPort 1813
> >> Foreground
> >> LogStdout
> >> LogDir /var/log/radius
> >> DbDir /etc/radiator
> >> Trace 3
> >>
> >> <Client DEFAULT>
> >> Secret xxxxxx
> >> DupInterval 0
> >> </Client>
> >>
> >>
> >> <Handler TunnelledByTTLS=1>
> >>
> >> <AuthBy LDAP2>
> >> Host ren.chesterfield.mo.us
> >> AuthDN cn=admin,o=coc
> >> AuthPassword xxxxxxxxxx
> >> BaseDN ou=Users,o=Private
> >> UsernameAttr cn
> >> ServerChecksPassword
> >> SearchFilter (&(cn=%1)(cocWLANAllowed=true))
> >> # Debug 255
> >> </AuthBy>
> >> </Handler>
> >>
> >> <Handler>
> >> <AuthBy FILE>
> >> Filename /etc/radiator/users
> >> EAPType TTLS
> >> EAPTLS_CAFile /etc/radiator/certificates/digicert.pem
> >> EAPTLS_CertificateFile /etc/radiator/certificates/star_chesterfield_mo_us.crt
> >> EAPTLS_CertificateType PEM
> >>
> >> EAPTLS_PrivateKeyFile /etc/radiator/certificates/digicert.pem
> >> EAPTLS_PrivateKeyPassword xxxxxxxxxxxxxxxxxxxx
> >> EAPTLS_MaxFragmentSize 1000
> >>
> >> AutoMPPEKeys
> >> </AuthBy>
> >> </Handler>
> >>
> >>
> >>>>> Hugh Irvine <hugh at open.com.au> 1/20/2005 9:43:26 PM >>>
> >>>>
> >>
> >> Hello Jim -
> >>
> >> You can use cascaded AuthBy clauses like this:
> >>
> >> # define AuthBy clauses
> >>
> >> <AuthBy FILE>
> >> Identifier CheckMACAddress
> >> Filename %D/addresses.mac
> >> AuthenticateAttribute Calling-Station-Id
> >> </AuthBy>
> >>
> >> <AuthBy LDAP2>
> >> Identifier CheckLDAP
> >> .....
> >> </AuthBy>
> >>
> >> .....
> >>
> >> #define Handlers
> >>
> >> <Handler ....>
> >> ....
> >> AuthBy CheckMACAddress
> >> ....
> >> </Handler>
> >>
> >>
> >> Then the file "addresses.mac" (in your DbDir directory) would contain
> >> something like this:
> >>
> >> # addresses.mac
> >>
> >> 1.1.1.1.1.1 Auth-Type = CheckLDAP
> >>
> >> 2.2.2.2.2.2 Auth-Type = CheckLDAP
> >>
> >> 3.3.3.3.3.3 Auth-Type = CheckLDAP
> >>
> >> .....
> >>
> >>
> >> The above assumes that the MAC address is in the Calling-Station-Id
> >> attribute in the incoming request.
> >>
> >> Also the addresses must be listed exactly as they appear in the
> >> incoming requests (ie. replace "1.1.1.1.1.1" etc. with the real MAC
> >> addresses).
> >>
> >> Please let me know how you get on.
> >>
> >> regards
> >>
> >> Hugh
> >>
> >>
> >>
> >>
> >> On 21 Jan 2005, at 07:41, Jim Michael wrote:
> >>
> >>> Ok, I'm getting close to my ideal solution with Radiator... have it
> >>> authenticating against our LDAP directory, etc. Now I want to add an
> >>> additional layer of security by having Radiator check the client's MAC
> >>> address against a list of allowed addresses. For now we have so few
> >>> wireless clients that it's not necessary to do a database lookup...
> >>> Radiator simply checking a file on the system for allowed MAC addresses
> >>> would be fine, but I cannot figure out how to do this. What I want is
> >>>
> >>> 1) client tries to get on the WLAN and radiator checks the MAC against
> >>> a list
> >>> 2) If MAC is allowed, go ahead and do the LDAP authentication, if no,
> >>> dump 'em.
> >>>
> >>> Can anyone provide pointers to such a setup?
> >>>
> >>> Jim
> >>>
> >>>
> >>> --
> >>> Archive at http://www.open.com.au/archives/radiator/
> >>> Announcements on radiator-announce at open.com.au
> >>> To unsubscribe, email 'majordomo at open.com.au' with
> >>> 'unsubscribe radiator' in the body of the message.
> >>>
> >>>
> >>
> >> NB:
> >>
> >> Have you read the reference manual ("doc/ref.html")?
> >> Have you searched the mailing list archive
> >> (www.open.com.au/archives/radiator)?
> >> Have you had a quick look on Google (www.google.com)?
> >> Have you included a copy of your configuration file (no secrets),
> >> together with a trace 4 debug showing what is happening?
> >>
> >> --
> >> Radiator: the most portable, flexible and configurable RADIUS server
> >> anywhere. Available on *NIX, *BSD, Windows, MacOS X.
> >> -
> >> Nets: internetwork inventory and management - graphical, extensible,
> >> flexible with hardware, software, platform and database independence.
> >> -
> >> CATool: Private Certificate Authority for Unix and Unix-like systems.
> >>
> >>
> >>
>
> --
> .................................................................
> Nuno Rodrigues : nuno at ipb.pt : http://www.ipb.pt/~nuno
> Assistant Lecturer (equivalent), 2nd triennium : Dept. of Informatics and Communications : ESTiG/IPB
> Coordinator of the IPB Communications Centre
> .................................................................
>
--
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.
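The thread describes two opposite AuthBy FILE policies keyed on Calling-Station-Id: Hugh's allow-list (MAC must be listed, its Auth-Type cascades to the LDAP AuthBy) and Jose's deny-list (AcceptIfMissing, so only the listed MACs are refused). The following Python model is an added example written for this page; it is not Radiator code and not from any poster. It parses a minimal users-file shape like the one Hugh shows, evaluates a request under each policy, and demonstrates the caveat Hugh raises: matching is on the literal string, so a MAC spelled differently by the NAS (00:11:... versus 00-11-...) is a miss. The sample file contents, the MAC values, the function names and the use of `Auth-Type = Reject` as the rejecting check item are all assumptions made here.

```python
import re

# Constructed sample of an allow-list file in the shape of Hugh's addresses.mac:
# every permitted MAC is listed and its Auth-Type cascades to the LDAP AuthBy.
ALLOWLIST_FILE = """\
# addresses.mac (constructed sample, not from the thread)
00-11-22-33-44-55 Auth-Type = CheckLDAP
00-11-22-33-44-66 Auth-Type = CheckLDAP
"""

# Constructed sample of a deny-list file for Jose's %D/blacklist: only blocked
# MACs are listed; AcceptIfMissing lets everything else through.
# (Auth-Type = Reject as the rejecting check item is assumed here.)
BLACKLIST_FILE = """\
# blacklist (constructed sample, not from the thread)
00-11-22-33-44-99 Auth-Type = Reject
"""


def parse_users_file(text):
    """Parse '<key> <check item> = <value>, ...' lines into {key: {item: value}}.
    Blank lines and '#' comments are skipped; this is a toy, not Radiator's parser."""
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        checks = {}
        if len(parts) == 2:
            for item in parts[1].split(","):
                name, _, value = item.partition("=")
                checks[name.strip()] = value.strip()
        entries[parts[0]] = checks
    return entries


def normalize_mac(mac):
    """Canonical lower-case colon form for the 00-11-22-33-44-55, 00:11:22:33:44:55
    and 0011.2233.4455 spellings different NAS vendors put in Calling-Station-Id."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac)
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2)).lower()


def auth_by_file(entries, key, accept_if_missing=False, normalize=False):
    """Model one AuthBy FILE step with AuthenticateAttribute Calling-Station-Id.
    Returns 'ACCEPT', 'REJECT' or 'CASCADE:<Identifier>' (the Auth-Type to try next).
    With normalize=False the lookup is literal, as the thread says Radiator's is."""
    if normalize:
        entries = {normalize_mac(k): v for k, v in entries.items()}
        key = normalize_mac(key)
    entry = entries.get(key)
    if entry is None:
        # Allow-list: unknown MAC is refused.  Deny-list (AcceptIfMissing): unknown MAC passes.
        return "ACCEPT" if accept_if_missing else "REJECT"
    auth_type = entry.get("Auth-Type")
    if auth_type == "Reject":
        return "REJECT"
    if auth_type:
        return f"CASCADE:{auth_type}"
    return "ACCEPT"


ALLOWLIST = parse_users_file(ALLOWLIST_FILE)
BLACKLIST = parse_users_file(BLACKLIST_FILE)


def allowlist_policy(calling_station_id, normalize=False):
    """Hugh's setup: a listed MAC goes on to CheckLDAP, anything else is rejected."""
    return auth_by_file(ALLOWLIST, calling_station_id, accept_if_missing=False, normalize=normalize)


def blacklist_policy(calling_station_id, normalize=False):
    """Jose's setup for Nuno: every MAC is accepted except the listed ones."""
    return auth_by_file(BLACKLIST, calling_station_id, accept_if_missing=True, normalize=normalize)


if __name__ == "__main__":
    for mac in ("00-11-22-33-44-55", "00:11:22:33:44:55", "0011.2233.4499"):
        print(f"{mac:20} allow-list={allowlist_policy(mac):17} deny-list={blacklist_policy(mac):7}"
              f" allow-list(normalized)={allowlist_policy(mac, normalize=True)}")
```

The spelling mismatch fails in opposite directions for the two policies, which is the point worth checking before deploying either: under the allow-list an unexpected MAC format only locks a legitimate client out, but under the AcceptIfMissing deny-list a MAC that the NAS reports as 00:11:22:33:44:99 while the file says 00-11-22-33-44-99 is accepted. Listing addresses exactly as a trace 4 debug shows them arriving, as Hugh advises, or normalizing on both sides as the `normalize=True` path does, closes that gap. MAC filtering remains a weak second factor either way, since Calling-Station-Id is whatever the client's adapter reports.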