(RADIATOR) MAC address filtering?
Hugh Irvine
hugh at open.com.au
Mon Jan 24 16:08:03 CST 2005
Hello Jim -
As mentioned in my previous mail (shown below), the contents of the file
used for the AuthBy FILE reference the AuthBy LDAP2 clause.
>>
>> Then the file "addresses.mac" (in your DbDir directory) would
>> contain
>> something like this:
>>
>> # addresses.mac
>>
>> 1.1.1.1.1.1 Auth-Type = CheckLDAP
>>
>> 2.2.2.2.2.2 Auth-Type = CheckLDAP
>>
>> 3.3.3.3.3.3 Auth-Type = CheckLDAP
>>
>> .....
>>
>>
>> The above assumes that the MAC address is in the Calling-Station-Id
>> attribute in the incoming request.
>>
>> Also the addresses must be listed exactly as they appear in the
>> incoming requests (i.e. replace "1.1.1.1.1.1" etc. with the real MAC
>> addresses).
BTW - when you are having problems, it is much easier for me to see what
is going on if you send me a copy of the configuration file (no
secrets) together with a trace 4 debug showing what is happening.
regards
Hugh
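Added example (not part of this thread, and not Radiator's own code): a small Python helper that parses an addresses.mac file in the shape Hugh describes, simulates the exact-string check AuthBy FILE performs on Calling-Station-Id, and reports whether a rejected MAC is unlisted or merely rendered differently from what the NAS sends. The sample file contents and the four-digit grouping for "."-separated MACs are assumptions.

```python
import re
# Constructed addresses.mac in the "<MAC> Auth-Type = <Identifier>" shape Hugh
# describes; hyphen-separated upper case is just this sample NAS's rendering.
ADDRESSES_MAC = """\
# addresses.mac (constructed sample)
00-11-22-33-44-55 Auth-Type = CheckLDAP
00-11-22-33-44-66 Auth-Type = CheckLDAP
"""
LINE_RE = re.compile(r"^(\S+)\s+Auth-Type\s*=\s*(\S+)$")

def parse_addresses_mac(text):
    """Return {calling_station_id: auth_type}. Keys stay verbatim: AuthBy FILE
    compares the attribute value as a plain string, not as a parsed MAC."""
    table = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable addresses.mac line: {raw!r}")
        table[m.group(1)] = m.group(2)
    return table

def normalize_mac(mac):
    """Drop separators and case so two renderings of one MAC compare equal."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits

def check(table, calling_station_id):
    """Simulate the cascade for one Calling-Station-Id: exact hit -> (next AuthBy
    identifier, "allowed"); miss -> (None, "format-mismatch" | "unknown"), i.e.
    Access-Reject before LDAP is ever consulted."""
    if calling_station_id in table:
        return table[calling_station_id], "allowed"
    want = normalize_mac(calling_station_id)
    if any(normalize_mac(k) == want for k in table):
        return None, "format-mismatch"
    return None, "unknown"

def format_like(mac, sample):
    """Render mac with the separator and case of a Calling-Station-Id copied from
    a trace, so the file can be regenerated to match what the NAS sends."""
    digits = normalize_mac(mac)
    sep = re.sub(r"[0-9A-Fa-f]", "", sample)[:1]
    group = 4 if sep == "." else 2  # assumption: '.' means 0011.2233.4455 grouping
    out = sep.join(digits[i:i + group] for i in range(0, 12, group))
    return out.upper() if sample == sample.upper() else out
```

A "format-mismatch" result is the case Hugh warns about: the MAC is on the list, but the line does not match the request byte for byte, so the request is rejected before the LDAP lookup runs.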
On 25 Jan 2005, at 04:04, Jim Michael wrote:
> Hi Hugh... the config below does not work. When using it, on the
> console
> I see
>
> INFO: Access rejected for user jimm
> INFO: Access rejected for user anonymous
>
> It seems like the AuthBy LDAP2 section is never even being called, and
> instead it's looking for user "jimm" in the file. Indeed, when I look at
> the config, I don't see HOW LDAP2 gets called? Nothing in the rest of
> the config file references "CheckLDAP", which is the identifier for that
> AuthBy clause. Your config seems to be saying "If the request is
> tunnelled by TTLS, then do AuthBy CheckMACAddress", which does not seem
> correct. I need to do *AuthBy LDAP2* for the tunnelled request, and just
> check the MAC address separately, PRIOR to that.
>
> Am I missing something obvious?
>
> Jim
>
>>>> Hugh Irvine <hugh at open.com.au> 1/21/2005 7:34:25 PM >>>
>
> Hello Jim -
>
> Something like this:
>
>
> AuthPort 1812
> AcctPort 1813
> Foreground
> LogStdout
> LogDir /var/log/radius
> DbDir /etc/radiator
> Trace 3
>
> <Client DEFAULT>
> Secret xxxxxx
> DupInterval 0
> </Client>
>
> # define AuthBy clauses
>
> <AuthBy FILE>
> Identifier CheckMACAddress
> Filename %D/addresses.mac
> AuthenticateAttribute Calling-Station-Id
> </AuthBy>
>
> <AuthBy LDAP2>
> Identifier CheckLDAP
> Host ren.chesterfield.mo.us
> AuthDN cn=admin,o=coc
> AuthPassword xxxxxxxxxx
> BaseDN ou=Users,o=Private
> UsernameAttr cn
> ServerChecksPassword
> SearchFilter (&(cn=%1)(cocWLANAllowed=true))
> # Debug 255
> </AuthBy>
>
> # define Handlers
>
> <Handler TunnelledByTTLS=1>
> AuthBy CheckMACAddress
> </Handler>
>
> <Handler>
> <AuthBy FILE>
> Filename /etc/radiator/users
> EAPType TTLS
> EAPTLS_CAFile /etc/radiator/certificates/digicert.pem
> EAPTLS_CertificateFile /etc/radiator/certificates/star_chesterfield_mo_us.crt
> EAPTLS_CertificateType PEM
>
> EAPTLS_PrivateKeyFile /etc/radiator/certificates/digicert.pem
> EAPTLS_PrivateKeyPassword xxxxxxxxxxxxxxxxxxxx
> EAPTLS_MaxFragmentSize 1000
>
> AutoMPPEKeys
> </AuthBy>
> </Handler>
>
>
> Please let me know how you get on.
>
> There are other variations as well.
>
> regards
>
> Hugh
>
>
> On 22 Jan 2005, at 03:05, Jim Michael wrote:
>
>> Hi Hugh-
>>
>> Thanks for the info! However, I'm not quite sure where those fit in
>> with my current config. I'm already doing an <AuthBy FILE> to handle the
>> TTLS "anonymous" user... do I add another AuthBy FILE clause, or add
>> your code to my existing one, or? Here's my current config... any info
>> on where the new code should go to handle MAC filtering would be
>> helpful!
>>
>> Jim
>>
>> AuthPort 1812
>> AcctPort 1813
>> Foreground
>> LogStdout
>> LogDir /var/log/radius
>> DbDir /etc/radiator
>> Trace 3
>>
>> <Client DEFAULT>
>> Secret xxxxxx
>> DupInterval 0
>> </Client>
>>
>>
>> <Handler TunnelledByTTLS=1>
>>
>> <AuthBy LDAP2>
>> Host ren.chesterfield.mo.us
>> AuthDN cn=admin,o=coc
>> AuthPassword xxxxxxxxxx
>> BaseDN ou=Users,o=Private
>> UsernameAttr cn
>> ServerChecksPassword
>> SearchFilter (&(cn=%1)(cocWLANAllowed=true))
>> # Debug 255
>> </AuthBy>
>> </Handler>
>>
>> <Handler>
>> <AuthBy FILE>
>> Filename /etc/radiator/users
>> EAPType TTLS
>> EAPTLS_CAFile /etc/radiator/certificates/digicert.pem
>> EAPTLS_CertificateFile /etc/radiator/certificates/star_chesterfield_mo_us.crt
>> EAPTLS_CertificateType PEM
>>
>> EAPTLS_PrivateKeyFile /etc/radiator/certificates/digicert.pem
>> EAPTLS_PrivateKeyPassword xxxxxxxxxxxxxxxxxxxx
>> EAPTLS_MaxFragmentSize 1000
>>
>> AutoMPPEKeys
>> </AuthBy>
>> </Handler>
>>
>>
>>>>> Hugh Irvine <hugh at open.com.au> 1/20/2005 9:43:26 PM >>>
>>
>> Hello Jim -
>>
>> You can use cascaded AuthBy clauses like this:
>>
>> # define AuthBy clauses
>>
>> <AuthBy FILE>
>> Identifier CheckMACAddress
>> Filename %D/addresses.mac
>> AuthenticateAttribute Calling-Station-Id
>> </AuthBy>
>>
>> <AuthBy LDAP2>
>> Identifier CheckLDAP
>> .....
>> </AuthBy>
>>
>> .....
>>
>> #define Handlers
>>
>> <Handler ....>
>> ....
>> AuthBy CheckMACAddress
>> ....
>> </Handler>
>>
>>
>> Then the file "addresses.mac" (in your DbDir directory) would
>> contain
>> something like this:
>>
>> # addresses.mac
>>
>> 1.1.1.1.1.1 Auth-Type = CheckLDAP
>>
>> 2.2.2.2.2.2 Auth-Type = CheckLDAP
>>
>> 3.3.3.3.3.3 Auth-Type = CheckLDAP
>>
>> .....
>>
>>
>> The above assumes that the MAC address is in the Calling-Station-Id
>> attribute in the incoming request.
>>
>> Also the addresses must be listed exactly as they appear in the
>> incoming requests (i.e. replace "1.1.1.1.1.1" etc. with the real MAC
>> addresses).
>>
>> Please let me know how you get on.
>>
>> regards
>>
>> Hugh
>>
>>
>>
>>
>> On 21 Jan 2005, at 07:41, Jim Michael wrote:
>>
>>> Ok, I'm getting close to my ideal solution with Radiator... have it
>>> authenticating against our LDAP directory, etc. Now I want to add an
>>> additional layer of security by having Radiator check the client's MAC
>>> address against a list of allowed addresses. For now we have so few
>>> wireless clients that it's not necessary to do a database lookup...
>>> Radiator simply checking a file on the system for allowed MAC addresses
>>> would be fine, but I cannot figure out how to do this. What I want is
>>>
>>> 1) client tries to get on the WLAN and Radiator checks the MAC against
>>> a list
>>> 2) If MAC is allowed, go ahead and do the LDAP authentication, if
>>> no, dump 'em.
>>>
>>> Can anyone provide pointers to such a setup?
>>>
>>> Jim
>>>
>>>
>>> --
>>> Archive at http://www.open.com.au/archives/radiator/
>>> Announcements on radiator-announce at open.com.au
>>> To unsubscribe, email 'majordomo at open.com.au' with
>>> 'unsubscribe radiator' in the body of the message.
>>>
>>>
>>
>> NB:
>>
>> Have you read the reference manual ("doc/ref.html")?
>> Have you searched the mailing list archive
>> (www.open.com.au/archives/radiator)?
>> Have you had a quick look on Google (www.google.com)?
>> Have you included a copy of your configuration file (no secrets),
>> together with a trace 4 debug showing what is happening?
>>
>> --
>> Radiator: the most portable, flexible and configurable RADIUS server
>> anywhere. Available on *NIX, *BSD, Windows, MacOS X.
>> -
>> Nets: internetwork inventory and management - graphical, extensible,
>> flexible with hardware, software, platform and database independence.
>> -
>> CATool: Private Certificate Authority for Unix and Unix-like systems.
>>