(RADIATOR) Possible to have both MAC Address Authentication AND 802.1x (EAP-PEAP) at the same time?

Bon sy bon at bunny.cs.qc.edu
Thu Jun 16 19:51:37 CDT 2005


Hi,
	Would you mind sharing the rationale behind authenticating via MAC
address and 802.1X? Coincidentally, we deployed Proxim AP-200 and Radiator
as well, except we authenticate users via 802.1X EAP-TLS. 

	Suppose your EAP-PEAP enforces authentication via some sort of
password (token); it may make sense to introduce two-factor
authentication, since a user can literally share the password (token) with
someone else, if this is the concern. However, cloning a MAC address is not
difficult at all in both Windows and Linux. A student of mine found this
wonderful freeware on the Internet called ebtables 
(http://ebtables.sourceforge.net/) that allows one to easily change the
MAC address. Having said that, MAC address authentication does not really do
much to serve as the "second" factor for authentication. 

	But then there could be other business operational reason(s)
for that in your environment that I am totally unaware of. Otherwise, using,
for example, voice/fingerprint may be a more worthwhile choice of
second factor for authentication.

Bon



On Fri, 17 Jun 2005, Kheng Teong, Lim wrote:

> We are trying to set up authentication for a local wireless LAN using:
> - Radiator
> - Proxim AP-2000
>  
> We want users to authenticate via MAC address AND 802.1x (EAP-PEAP)
> encryption at the same time,
> i.e. the user's notebook's WLAN card must be authorized to connect to the
> AP-2000, followed by 802.1x. If either one fails, they don't get
> connectivity; they must pass both schemes.
> Is this situation possible?
>  
> Currently, the user can fail the MAC address check but pass the 802.1x
> (EAP-PEAP) authentication/encryption and still have access to the network.
> In the sample users file below, the first line is for the MAC address check
> (User-Password is the secret for Radiator).
>  
> [sample users file]
> 00-02-2d-37-76-e1    User-Password="test123"
> wifi                         User-Password=wifi
> [/end]
>  
> [sample radius.cfg file]
> # eap_peap.cfg
>  
> LogStdout
> Trace           5
>  
> AuthPort      1812
> AcctPort      1813
>  
> BindAddress   192.168.1.11
>  
> # User          radiator
> # Group         radiator
>  
> LogDir          /var/log/radius
> DbDir           /etc/radiator
>  
> <Client DEFAULT>
>         Secret  test123
>         DupInterval 2
> </Client>
>  
> <Handler TunnelledByPEAP=1>
>         AcctLogFileName %L/detail
>         <AuthBy FILE>
>                 Filename %D/users
>                 EAPType MSCHAP-V2
>         </AuthBy>
> </Handler>
>  
> <Handler>
>         <AuthBy FILE>
>                 Filename %D/users
>                 EAPType PEAP
>                 EAPTLS_CAFile %D/certificates/demoCA/cacert.pem
>                 EAPTLS_CertificateFile %D/certificates/cert-srv.pem
>                 EAPTLS_CertificateType PEM
>                 EAPTLS_PrivateKeyFile %D/certificates/cert-srv.pem
>                 EAPTLS_PrivateKeyPassword whatever
>                 EAPTLS_MaxFragmentSize 1024
>  
>                 AutoMPPEKeys
>                 SSLeayTrace 4
>                 EAPTLS_PEAPVersion 0
>         </AuthBy>
> </Handler>
> [/end]
>  
> [sample logfile]
> Thu Jun 16 13:15:57 2005: DEBUG: Reading users file /etc/radiator/users
> Thu Jun 16 13:15:57 2005: DEBUG: Reading users file /etc/radiator/users
> Thu Jun 16 13:15:57 2005: DEBUG: Finished reading configuration file
> '/etc/radiator/radius.cfg'
> Thu Jun 16 13:15:57 2005: DEBUG: Reading dictionary file
> '/etc/radiator/dictionary'
> Thu Jun 16 13:15:58 2005: DEBUG: Creating authentication port 0.0.0.0:1812
> Thu Jun 16 13:15:58 2005: DEBUG: Creating accounting port 0.0.0.0:1813
> Thu Jun 16 13:15:58 2005: NOTICE: Server started: Radiator 3.8 on AAAtlas
> Thu Jun 16 13:16:28 2005: DEBUG: Packet dump:
> *** Received from 192.168.51.30 port 6001 ....
>  
> Packet length = 69
> 01 47 00 45 cd 34 00 00 36 36 00 00 07 3e 00 00
> d9 15 00 00 01 13 30 30 2d 30 32 2d 32 64 2d 33
> 37 2d 37 36 2d 65 30 02 12 61 45 dc e1 99 c8 10
> 98 af 85 7d 38 de 0c 08 a1 04 06 c0 a8 33 1e 05
> 06 00 00 00 00
> Code:       Access-Request
> Identifier: 71
> Authentic:  <205>4<0><0>66<0><0><7>><0><0><217><21><0><0>
> Attributes:
>         User-Name = "00-02-2d-37-76-e0"
>         User-Password =
> "aE<220><225><153><200><16><152><175><133>}8<222><12><8><161>"
>         NAS-IP-Address = 192.168.51.30
>         NAS-Port = 0
>  
> Thu Jun 16 13:16:28 2005: DEBUG: Handling request with Handler ''
> Thu Jun 16 13:16:28 2005: DEBUG:  Deleting session for 00-02-2d-37-76-e0,
> 192.168.51.30, 0
> Thu Jun 16 13:16:28 2005: DEBUG: Handling with Radius::AuthFILE:
> Thu Jun 16 13:16:28 2005: DEBUG: Radius::AuthFILE looks for match with
> 00-02-2d-37-76-e0
> Thu Jun 16 13:16:28 2005: INFO: Access rejected for 00-02-2d-37-76-e0: No
> such user
> Thu Jun 16 13:16:28 2005: DEBUG: Packet dump:
> *** Sending to 192.168.51.30 port 6001 ....
>  
> Packet length = 36
> 03 47 00 24 68 20 6d 7c 01 b5 a1 1d 5b 99 c0 f2
> d4 13 2f d9 12 10 52 65 71 75 65 73 74 20 44 65
> 6e 69 65 64
> Code:       Access-Reject
> Identifier: 71
> Authentic:  <205>4<0><0>66<0><0><7>><0><0><217><21><0><0>
> Attributes:
>         Reply-Message = "Request Denied"
>  
> ~~~some parts snipped~~~
>  
> Thu Jun 16 13:16:30 2005: DEBUG: Packet dump:
> *** Received from 192.168.51.30 port 6001 ....
>  
> Packet length = 157
> 01 50 00 9d 59 38 00 00 7b 3b 00 00 03 3f 00 00
> e6 71 00 00 01 06 77 69 66 69 04 06 c0 a8 33 1e
> 1e 13 30 30 2d 32 30 2d 61 36 2d 34 39 2d 32 31
> 2d 35 38 1f 13 30 30 2d 30 32 2d 32 64 2d 33 37
> 2d 37 36 2d 65 30 20 1a 4f 52 69 4e 4f 43 4f 2d
> 41 50 2d 32 30 30 30 2d 34 39 2d 32 31 2d 35 38
> 0c 06 00 00 05 78 3d 06 00 00 00 13 4f 1f 02 0a
> 00 1d 19 00 17 03 01 00 12 f0 e0 c7 94 70 1f 60
> 1f cd fc 24 69 04 78 e7 bb 6f ee 50 12 fb 9a 0b
> 43 d7 b8 b0 96 d9 d1 82 ef 8b 48 f3 de
> Code:       Access-Request
> Identifier: 80
> Authentic:  Y8<0><0>{;<0><0><3>?<0><0><230>q<0><0>
> Attributes:
>         User-Name = "wifi"
>         NAS-IP-Address = 192.168.51.30
>         Called-Station-Id = "00-20-a6-49-21-58"
>         Calling-Station-Id = "00-02-2d-37-76-e0"
>         NAS-Identifier = "ORiNOCO-AP-2000-49-21-58"
>         Framed-MTU = 1400
>         NAS-Port-Type = Wireless-IEEE-802-11
>         EAP-Message =
> <2><10><0><29><25><0><23><3><1><0><18><240><224><199><148>p<31>`<31><205><25
> 2>$i<4>x<231><187>o<238>
>         Message-Authenticator =
> <251><154><11>C<215><184><176><150><217><209><130><239><139>H<243><222>
>  
> Thu Jun 16 13:16:30 2005: DEBUG: Handling request with Handler ''
> Thu Jun 16 13:16:30 2005: DEBUG:  Deleting session for wifi, 192.168.51.30,
> Thu Jun 16 13:16:30 2005: DEBUG: Handling with Radius::AuthFILE:
> Thu Jun 16 13:16:30 2005: DEBUG: Handling with EAP: code 2, 10, 29
> Thu Jun 16 13:16:30 2005: DEBUG: Response type 25
> Thu Jun 16 13:16:30 2005: DEBUG: EAP PEAP inner authentication request for
> anonymous
> Thu Jun 16 13:16:30 2005: DEBUG: PEAP Tunnelled request Packet dump:
> Code:       Access-Request
> Identifier: UNDEF
> Authentic:  <186><196><12><20><19><211>(m[B<170><23><14><216><226><140>
> Attributes:
>         EAP-Message = <2><10><0><2><26><3>
>         Message-Authenticator =
> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>         User-Name = "anonymous"
>         NAS-IP-Address = 192.168.51.30
>         NAS-Identifier = "ORiNOCO-AP-2000-49-21-58"
>         Calling-Station-Id = "00-02-2d-37-76-e0"
>  
> Thu Jun 16 13:16:30 2005: DEBUG: Handling request with Handler
> 'TunnelledByPEAP=1'
> Thu Jun 16 13:16:30 2005: DEBUG:  Deleting session for , 192.168.51.30,
> Thu Jun 16 13:16:30 2005: DEBUG: Handling with Radius::AuthFILE:
> Thu Jun 16 13:16:30 2005: DEBUG: Handling with EAP: code 2, 10, 2
> Thu Jun 16 13:16:30 2005: DEBUG: Response type 26
> Thu Jun 16 13:16:30 2005: DEBUG: EAP result: 0,
> Thu Jun 16 13:16:30 2005: DEBUG: Access accepted for anonymous
> Thu Jun 16 13:16:30 2005: DEBUG: EAP result: 3, EAP PEAP inner
> authentication redespatched to a Handler
> Thu Jun 16 13:16:30 2005: DEBUG: Access challenged for wifi: EAP PEAP inner
> authentication redespatched to a Handler
> Thu Jun 16 13:16:30 2005: DEBUG: Packet dump:
> *** Sending to 192.168.51.30 port 6001 ....
>  
> Packet length = 78
> 0b 50 00 4e 89 27 13 11 5a 52 f1 4a 15 09 3e b4
> 3f 33 37 d0 4f 28 01 0b 00 26 19 00 17 03 01 00
> 1b fd fd 64 3a 50 58 2f 02 72 9c 42 f8 84 34 2f
> 70 2b f0 8f 0d f5 7b fd ec 31 bd 75 50 12 b5 1c
> 93 af 20 42 da 4f 9f 38 e2 9a c0 be 2e 0f
> Code:       Access-Challenge
> Identifier: 80
> Authentic:  Y8<0><0>{;<0><0><3>?<0><0><230>q<0><0>
> Attributes:
>         EAP-Message =
> <1><11><0>&<25><0><23><3><1><0><27><253><253>d:PX/<2>r<156>B<248><132>4/p+<2
> 40><143><13><245>{<253><236>1<189>u
>         Message-Authenticator =
> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>  
> Thu Jun 16 13:16:30 2005: DEBUG: Packet dump:
> *** Received from 192.168.51.30 port 6001 ....
>  
> Packet length = 166
> 01 51 00 a6 59 38 00 00 7b 3b 00 00 03 3f 00 00
> e6 71 00 00 01 06 77 69 66 69 04 06 c0 a8 33 1e
> 1e 13 30 30 2d 32 30 2d 61 36 2d 34 39 2d 32 31
> 2d 35 38 1f 13 30 30 2d 30 32 2d 32 64 2d 33 37
> 2d 37 36 2d 65 30 20 1a 4f 52 69 4e 4f 43 4f 2d
> 41 50 2d 32 30 30 30 2d 34 39 2d 32 31 2d 35 38
> 0c 06 00 00 05 78 3d 06 00 00 00 13 4f 28 02 0b
> 00 26 19 00 17 03 01 00 1b 51 46 68 8d fb f7 be
> 7b 40 4a dc e3 9f 8f b0 f4 02 b6 63 02 55 00 b3
> 78 71 02 f4 50 12 96 c3 74 90 2d b5 e1 b3 80 b3
> 9f 5c 56 7b 0a fa
> Code:       Access-Request
> Identifier: 81
> Authentic:  Y8<0><0>{;<0><0><3>?<0><0><230>q<0><0>
> Attributes:
>         User-Name = "wifi"
>         NAS-IP-Address = 192.168.51.30
>         Called-Station-Id = "00-20-a6-49-21-58"
>         Calling-Station-Id = "00-02-2d-37-76-e0"
>         NAS-Identifier = "ORiNOCO-AP-2000-49-21-58"
>         Framed-MTU = 1400
>         NAS-Port-Type = Wireless-IEEE-802-11
>         EAP-Message =
> <2><11><0>&<25><0><23><3><1><0><27>QFh<141><251><247><190>{@J<220><227><159>
> <143><176><244><2><182>c<2>U<0><179>xq<2><244>
>         Message-Authenticator =
> <150><195>t<144>-<181><225><179><128><179><159>\V{<10><250>
>  
> Thu Jun 16 13:16:30 2005: DEBUG: Handling request with Handler ''
> Thu Jun 16 13:16:30 2005: DEBUG:  Deleting session for wifi, 192.168.51.30,
> Thu Jun 16 13:16:30 2005: DEBUG: Handling with Radius::AuthFILE:
> Thu Jun 16 13:16:30 2005: DEBUG: Handling with EAP: code 2, 11, 38
> Thu Jun 16 13:16:30 2005: DEBUG: Response type 25
> Thu Jun 16 13:16:30 2005: DEBUG: EAP result: 0,
> Thu Jun 16 13:16:30 2005: DEBUG: Access accepted for wifi
> Thu Jun 16 13:16:30 2005: DEBUG: Packet dump:
> *** Sending to 192.168.51.30 port 6001 ....
>  
> Packet length = 160
> 02 51 00 a0 eb bd e9 e4 20 93 07 7a 8f 78 69 a2
> 4f 4a 6b d0 4f 06 03 0b 00 04 50 12 3a 1c a6 3b
> 3b 0e f4 5d 40 c8 7b 62 3d 83 91 c1 1a 3a 00 00
> 01 37 10 34 a7 dc e4 91 cc d0 9c d9 75 bf 2c 70
> ef 4c 0b 2d 73 86 bf 2c dc e3 23 d3 22 e6 d5 d5
> e4 47 7a bc a7 15 46 1c c9 92 62 70 bd f6 b7 af
> 25 0b 36 66 1d 66 1a 3a 00 00 01 37 11 34 a5 af
> 7a e8 0a ed d5 08 c8 70 71 7b 68 d6 56 1f 81 f6
> e6 78 1b 76 8e 48 83 a7 85 8e bf 02 11 74 e5 a1
> ba b3 e3 2f d7 33 b1 0f 2b 79 08 0b a0 2f 7e b2
> Code:       Access-Accept
> Identifier: 81
> Authentic:  Y8<0><0>{;<0><0><3>?<0><0><230>q<0><0>
> Attributes:
>         EAP-Message = <3><11><0><4>
>         Message-Authenticator =
> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>         MS-MPPE-Send-Key =
> "<167><220><228><145><204><208><156><217>u<191>,p<239>L<11>-s<134><191>,<220
> ><227>#<211>"<230><213><213><228>Gz<188><167><21>F<28><201><146>bp<189><246>
> <183><175>%<11>6f$
>         MS-MPPE-Recv-Key =
> "<165><175>z<232><10><237><213><8><200>pq{h<214>V<31><129><246><230>x<27>v<1
> 42>H<131><167><133><142><191><2><17>t<229><161><186><179><227>/<215>3<177><1
> 5>+y<8><11><160>/$
> [/end]
>  
> Thanks in advance.
>  
> --
> Warm Regards,
> Kheng Teong, Lim
>  
> Chief Information Officer
> UberFusion Sdn. Bhd.
> -----------------------------------------------------------
> UberFusion Sdn. Bhd.
> No. 119, (3rd Floor) Jalan SS6/12,
> Kelana Jaya Urban Centre,
> 47301 Petaling Jaya,
> Selangor Darul Ehsan, MALAYSIA.
> Tel: 03-7880 6580 / Fax: 03-7880 6590
> http://www.uberfusion.com
> ------------------------------------------------------------
>  
> 

--
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.
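The gap Kheng describes (the MAC check rejects, yet the PEAP session for the same station is still accepted) is visible in the trace he posted, where the MAC-auth request carries the MAC as User-Name and the 802.1X request carries it as Calling-Station-Id. The following Python script is an added example, not code from the thread or from Radiator: it parses the packet-dump and "Access accepted/rejected" lines of a Radiator trace at Trace 5, keys every decision on the station's MAC, and reports stations that failed the MAC check but were accepted under a real user name, which is what 802.1X-only access looks like in the log. The embedded log is constructed, modeled on the posted trace with the mail-client line wrapping undone, the hex dumps dropped and password bytes replaced; the function names are my own.

```python
import re
from collections import defaultdict

# Line shapes from a Radiator trace at Trace 5 (as in the posted log).
TS_RE = re.compile(r'^(\w{3} \w{3} {1,2}\d+ \d\d:\d\d:\d\d \d{4}): (\w+): (.*)$')
RESULT_RE = re.compile(r'^Access (accepted|rejected) for ([^:\s]+)')
ATTR_RE = re.compile(r'^\s+([\w-]+)\s*=\s*(.*?)\s*$')   # indented attribute lines
MAC_RE = re.compile(r'^([0-9a-f]{2}-){5}[0-9a-f]{2}$', re.I)


def parse_events(log_text):
    """Return (timestamp, outcome, user, station_mac) for every accept/reject.

    station_mac is the Calling-Station-Id of the request being decided, or the
    User-Name itself when that name is a MAC: the AP's MAC-address check sends
    the MAC as User-Name with no Calling-Station-Id (first posted packet dump).
    """
    events = []
    attrs = {}          # attributes of the packet dump currently being read
    for line in log_text.splitlines():
        m = TS_RE.match(line)
        if m:
            ts, _level, msg = m.groups()
            if msg.endswith('Packet dump:'):
                attrs = {}                      # new packet (sent or received)
                continue
            r = RESULT_RE.match(msg)
            # A decision line names the user of the most recent request dump.
            if r and attrs.get('User-Name') == r.group(2):
                outcome, user = r.groups()
                mac = attrs.get('Calling-Station-Id')
                if mac is None and MAC_RE.match(user):
                    mac = user
                events.append((ts, outcome, user, mac.lower() if mac else None))
            continue
        a = ATTR_RE.match(line)
        if a:
            attrs[a.group(1)] = a.group(2).strip('"')
    return events


def find_mac_bypass(events):
    """Stations rejected by the MAC-address check but later accepted under a
    non-MAC user name, i.e. granted access by 802.1X alone.
    Returns {station_mac: (rejected_user_names, accepted_user_names)}."""
    rejected, accepted = defaultdict(set), defaultdict(set)
    for _ts, outcome, user, mac in events:
        if mac is None:
            continue
        if outcome == 'rejected' and MAC_RE.match(user):
            rejected[mac].add(user)
        elif outcome == 'accepted' and not MAC_RE.match(user):
            accepted[mac].add(user)
    return {mac: (sorted(rejected[mac]), sorted(accepted[mac]))
            for mac in rejected if mac in accepted}


# Constructed sample, modeled on the posted trace: station ...e0 fails the MAC
# check but its PEAP user "wifi" is accepted; station ...e1 passes both.
SAMPLE_LOG = """\
Thu Jun 16 13:16:28 2005: DEBUG: Packet dump:
Code:       Access-Request
Attributes:
        User-Name = "00-02-2d-37-76-e0"
        User-Password = "<hidden>"
        NAS-IP-Address = 192.168.51.30
        NAS-Port = 0
Thu Jun 16 13:16:28 2005: INFO: Access rejected for 00-02-2d-37-76-e0: No such user
Thu Jun 16 13:16:30 2005: DEBUG: Packet dump:
Code:       Access-Request
Attributes:
        User-Name = "wifi"
        NAS-IP-Address = 192.168.51.30
        Called-Station-Id = "00-20-a6-49-21-58"
        Calling-Station-Id = "00-02-2d-37-76-e0"
        NAS-Port-Type = Wireless-IEEE-802-11
Thu Jun 16 13:16:30 2005: DEBUG: Access accepted for wifi
Thu Jun 16 13:17:02 2005: DEBUG: Packet dump:
Code:       Access-Request
Attributes:
        User-Name = "00-02-2d-37-76-e1"
        User-Password = "<hidden>"
        NAS-IP-Address = 192.168.51.30
Thu Jun 16 13:17:02 2005: DEBUG: Access accepted for 00-02-2d-37-76-e1
Thu Jun 16 13:17:04 2005: DEBUG: Packet dump:
Code:       Access-Request
Attributes:
        User-Name = "wifi"
        Calling-Station-Id = "00-02-2d-37-76-e1"
        NAS-Port-Type = Wireless-IEEE-802-11
Thu Jun 16 13:17:04 2005: DEBUG: Access accepted for wifi
"""

if __name__ == '__main__':
    for mac, (rej, acc) in find_mac_bypass(parse_events(SAMPLE_LOG)).items():
        print(f'{mac}: MAC check rejected as {rej}, then accepted as {acc}')
```

Run against a saved Radiator log, a non-empty result lists exactly the stations that got network access from the 802.1X exchange alone, which is the behaviour Kheng reports with the posted configuration, where the MAC check and the PEAP exchange arrive as separate requests and are decided independently.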

