(RADIATOR) MAC address filtering?

Jim Michael JMichael at chesterfield.mo.us
Mon Jan 24 11:04:35 CST 2005


Hi Hugh... the config below does not work. When using it, on the console
I see

INFO: Access rejected for user jimm
INFO: Access rejected for user anonymous

It seems like the AuthBy LDAP2 section is never even being called, and
instead it's looking for user "jimm" in the file. Indeed, when I look at
the config, I don't see HOW LDAP2 gets called? Nothing in the rest of
the config file references "CheckLDAP", which is the identifier for that
AuthBy clause. Your config seems to be saying "If the request is
tunnelled by TTLS, then do AuthBy CheckMACAddress", which does not seem
correct. I need to do *AuthBy LDAP2* for the tunnelled request, and just
check the MAC address separately, PRIOR to that.

Am I missing something obvious?

Jim

>>> Hugh Irvine <hugh at open.com.au> 1/21/2005 7:34:25 PM >>>

Hello Jim -

Something like this:


AuthPort 1812
AcctPort 1813
Foreground
LogStdout
LogDir	/var/log/radius
DbDir	/etc/radiator
Trace 		3

<Client DEFAULT>
	Secret	xxxxxx
	DupInterval 0
</Client>

# define AuthBy clauses

<AuthBy FILE>
	Identifier CheckMACAddress
	Filename %D/addresses.mac
	AuthenticateAttribute Calling-Station-Id
</AuthBy>

<AuthBy LDAP2>
	Identifier CheckLDAP
	Host 		ren.chesterfield.mo.us
	AuthDN		cn=admin,o=coc
	AuthPassword	xxxxxxxxxx
	BaseDN		ou=Users,o=Private
	UsernameAttr 	cn
	ServerChecksPassword
	SearchFilter (&(cn=%1)(cocWLANAllowed=true))
#	Debug 255
</AuthBy>

# define Handlers

<Handler TunnelledByTTLS=1>
	AuthBy CheckMACAddress
</Handler>

<Handler>
	<AuthBy FILE>
		Filename /etc/radiator/users	
		EAPType TTLS
		EAPTLS_CAFile /etc/radiator/certificates/digicert.pem
		EAPTLS_CertificateFile /etc/radiator/certificates/star_chesterfield_mo_us.crt
		EAPTLS_CertificateType PEM

		EAPTLS_PrivateKeyFile /etc/radiator/certificates/digicert.pem
		EAPTLS_PrivateKeyPassword xxxxxxxxxxxxxxxxxxxx
		EAPTLS_MaxFragmentSize 1000

		AutoMPPEKeys
	</AuthBy>
</Handler>


Please let me know how you get on.

There are other variations as well.

regards

Hugh


On 22 Jan 2005, at 03:05, Jim Michael wrote:

> Hi Hugh-
>
> Thanks for the info! However, I'm not quite sure where those fit in
> with my current config. I'm already doing an <AuthBy FILE> to handle
> the TTLS "anonymous" user... do I add another AuthBy FILE clause, or add
> your code to my existing one, or? Here's my current config... any info
> on where the new code should go to handle MAC filtering would be
> helpful!
>
> Jim
>
> AuthPort 1812
> AcctPort 1813
> Foreground
> LogStdout
> LogDir	/var/log/radius
> DbDir	/etc/radiator
> Trace 		3
>
> <Client DEFAULT>
> 	Secret	xxxxxx
> 	DupInterval 0
> </Client>
>
>
> <Handler TunnelledByTTLS=1>
>
> 	<AuthBy LDAP2>
> 		Host 		ren.chesterfield.mo.us
> 		AuthDN		cn=admin,o=coc
> 		AuthPassword	xxxxxxxxxx
> 		BaseDN		ou=Users,o=Private
> 		UsernameAttr 	cn
> 		ServerChecksPassword
> 		SearchFilter (&(cn=%1)(cocWLANAllowed=true))
> #		Debug 255
> 	</AuthBy>
> </Handler>
>
> <Handler>
> 	<AuthBy FILE>
> 		Filename /etc/radiator/users	
> 		EAPType TTLS
> 		EAPTLS_CAFile /etc/radiator/certificates/digicert.pem
> 		EAPTLS_CertificateFile /etc/radiator/certificates/star_chesterfield_mo_us.crt
> 		EAPTLS_CertificateType PEM
>
> 		EAPTLS_PrivateKeyFile /etc/radiator/certificates/digicert.pem
> 		EAPTLS_PrivateKeyPassword xxxxxxxxxxxxxxxxxxxx
> 		EAPTLS_MaxFragmentSize 1000
>
> 		AutoMPPEKeys
> 	</AuthBy>
> </Handler>
>
>
>>>> Hugh Irvine <hugh at open.com.au> 1/20/2005 9:43:26 PM >>>
>
> Hello Jim -
>
> You can use cascaded AuthBy clauses like this:
>
> # define AuthBy clauses
>
> <AuthBy FILE>
> 	Identifier CheckMACAddress
> 	Filename %D/addresses.mac
> 	AuthenticateAttribute Calling-Station-Id
> </AuthBy>
>
> <AuthBy LDAP2>
> 	Identifier CheckLDAP
> 	.....
> </AuthBy>
>
> .....
>
> #define Handlers
>
> <Handler ....>
> 	....
> 	AuthBy CheckMACAddress
> 	....
> </Handler>
>
>
> Then the file "addresses.mac" (in your DbDir directory) would contain
> something like this:
>
> # addresses.mac
>
> 1.1.1.1.1.1 Auth-Type = CheckLDAP
>
> 2.2.2.2.2.2 Auth-Type = CheckLDAP
>
> 3.3.3.3.3.3 Auth-Type = CheckLDAP
>
> .....
>
>
> The above assumes that the MAC address is in the Calling-Station-Id
> attribute in the incoming request.
>
> Also the addresses must be listed exactly as they appear in the
> incoming requests (ie. replace "1.1.1.1.1.1" etc. with the real MAC
> addresses).
>
> Please let me know how you get on.
>
> regards
>
> Hugh
>
>
>
>
> On 21 Jan 2005, at 07:41, Jim Michael wrote:
>
>> Ok, I'm getting close to my ideal solution with Radiator... have it
>> authenticating against our LDAP directory, etc. Now I want to add an
>> additional layer of security by having Radiator check the client's MAC
>> address against a list of allowed addresses. For now we have so few
>> wireless clients that it's not necessary to do a database lookup...
>> Radiator simply checking a file on the system for allowed MAC addresses
>> would be fine, but I cannot figure out how to do this. What I want is
>>
>> 1) client tries to get on the WLAN and radiator checks the MAC against
>> a list
>> 2) If MAC is allowed, go ahead and do the LDAP authentication, if no,
>> dump 'em.
>>
>> Can anyone provide pointers to such a setup?
>>
>> Jim
>>
>>
>> --
>> Archive at http://www.open.com.au/archives/radiator/ 
>> Announcements on radiator-announce at open.com.au 
>> To unsubscribe, email 'majordomo at open.com.au' with
>> 'unsubscribe radiator' in the body of the message.
>>
>>
>
> NB:
>
> Have you read the reference manual ("doc/ref.html")?
> Have you searched the mailing list archive
> (www.open.com.au/archives/radiator)?
> Have you had a quick look on Google (www.google.com)?
> Have you included a copy of your configuration file (no secrets),
> together with a trace 4 debug showing what is happening?
>
> -- 
> Radiator: the most portable, flexible and configurable RADIUS server
> anywhere. Available on *NIX, *BSD, Windows, MacOS X.
> -
> Nets: internetwork inventory and management - graphical, extensible,
> flexible with hardware, software, platform and database independence.
> -
> CATool: Private Certificate Authority for Unix and Unix-like systems.
>
>
>

--
Archive at http://www.open.com.au/archives/radiator/ 
Announcements on radiator-announce at open.com.au 
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.
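The thread's MAC stage hinges on one detail Hugh states in passing: the key in addresses.mac must match Calling-Station-Id exactly as the NAS sends it, and the first matching entry's Auth-Type (CheckLDAP) is what hands the request on to the LDAP2 clause. The following is an added example written for this page, not Radiator code and not from any of the posters: it models that file layout and the two-stage decision in Python, shows the exact-match lookup beside a tolerant one, and rewrites the file's keys into a single spelling once you know how your access point formats the attribute. The addresses.mac contents, MAC values and function names are constructed for the illustration.

```python
import re
from typing import Dict, Optional

# Constructed sample contents of an addresses.mac file in the layout the
# thread describes: the first token is compared with Calling-Station-Id,
# the rest are check items. The MAC values are made up.
ADDRESSES_MAC = """\
# addresses.mac
00-11-22-33-44-55 Auth-Type = CheckLDAP
00:aa:bb:cc:dd:ee Auth-Type = CheckLDAP
"""

# "Name = value" check items; values may be quoted or bare, comma separated.
ITEM_RE = re.compile(r'([\w-]+)\s*=\s*("[^"]*"|[^,\s]+)')


def parse_addresses_file(text: str) -> Dict[str, Dict[str, str]]:
    """Return {key-as-written: {item: value}} for every non-comment line."""
    table: Dict[str, Dict[str, str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        parts = line.split(None, 1)
        key, rest = parts[0], (parts[1] if len(parts) > 1 else '')
        table[key] = {k: v.strip('"') for k, v in ITEM_RE.findall(rest)}
    return table


def canonical_mac(value: str) -> Optional[str]:
    """Collapse 00-11-22-33-44-55 / 00:11:... / 0011.2233.4455 to 12 lowercase
    hex digits; None if the value is not a MAC at all."""
    digits = re.sub(r'[^0-9a-fA-F]', '', value)
    return digits.lower() if len(digits) == 12 else None


def format_mac(canonical: str, sep: str = '-', upper: bool = True) -> str:
    """Render a canonical MAC in the spelling a particular NAS sends."""
    pairs = [canonical[i:i + 2] for i in range(0, 12, 2)]
    text = sep.join(pairs)
    return text.upper() if upper else text.lower()


def lookup_exact(table, calling_station_id):
    """Byte-for-byte key match, which is what the thread says the file needs."""
    return table.get(calling_station_id)


def lookup_normalised(table, calling_station_id):
    """Tolerant match on canonical form (a pre-processing step you would add
    yourself; not how the file lookup in the thread behaves)."""
    want = canonical_mac(calling_station_id)
    if want is None:
        return None
    for key, items in table.items():
        if canonical_mac(key) == want:
            return items
    return None


def mac_stage(table, calling_station_id, normalise=False):
    """First stage of the cascade: REJECT, or the Auth-Type to hand off to
    (CheckLDAP in the thread) for a listed MAC."""
    finder = lookup_normalised if normalise else lookup_exact
    items = finder(table, calling_station_id)
    if items is None:
        return 'REJECT'
    return items.get('Auth-Type', 'ACCEPT')


def rewrite_keys(text: str, sep: str = '-', upper: bool = True) -> str:
    """Rewrite every key in the file into one spelling so exact matching works
    once you know how the NAS formats Calling-Station-Id."""
    out = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            out.append(raw)
            continue
        parts = line.split(None, 1)
        canon = canonical_mac(parts[0])
        key = format_mac(canon, sep, upper) if canon else parts[0]
        out.append(key + (' ' + parts[1] if len(parts) > 1 else ''))
    return '\n'.join(out) + '\n'


if __name__ == '__main__':
    table = parse_addresses_file(ADDRESSES_MAC)
    for csid in ('00-11-22-33-44-55', '00:11:22:33:44:55', '00-AA-BB-CC-DD-EE'):
        print(csid, 'exact:', mac_stage(table, csid),
              'normalised:', mac_stage(table, csid, normalise=True))
    print(rewrite_keys(ADDRESSES_MAC))
```

The exact lookup rejects a MAC that is listed in a different spelling from the one the NAS sends, which is the failure mode Hugh's "listed exactly as they appear in the incoming requests" warns about; a trace 4 log of a real request shows the spelling to standardise on, and rewrite_keys produces a file in that spelling.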

