(RADIATOR) Possible to have both MAC Address Authentication AND 802.1x (EAP-PEAP) at the same time?

Kheng Teong, Lim ktlim at uberfusion.com
Thu Jun 16 22:03:58 CDT 2005


Thanks for your reply.

The Local Wireless LAN was previously secured using:
- MAC Address lockdown on the AP-2000's itself (quite a few units, so manual
task)
- 128-bit WEP Encryption

We're now migrating to a centralized solution using Radiator, therefore:
- MAC Address lockdown on the AP-2000 via centralized RADIUS AAA (insert
entries once only)
- 802.1x (EAP-PEAP) using Windows XP SP1+ supplicants (centralized server
certificate, only requires username/password on client side)

I agree, a MAC address can be easily spoofed, but it does provide an
additional, albeit weak, layer of security. Nonetheless, it is another
layer :-)
We couple this with 802.1x (EAP-PEAP), which replaces static WEP and is
definitely more secure than the previous environment.

We script the front-end in such a way that, when a user account is created, it
does the following:
1) it enters the MAC Address into the MySQL table for RADIUS authentication
(AP-2000 RADIUS MAC authentication)
2) it enters the username/password into the MySQL table for 802.1x
authentication/encryption (AP-2000 802.1x TKIP)
3) it enters the MAC Address into a DHCPD config file for static IP address
assignment

Still open to suggestions on how to have both MAC Address Authentication AND
802.1x (EAP-PEAP) at the same time?

Thanks all.

--
Warm Regards,
Kheng Teong, Lim
 
Chief Information Officer
UberFusion Sdn. Bhd.
-----------------------------------------------------------
UberFusion Sdn. Bhd.
No. 119, (3rd Floor) Jalan SS6/12,
Kelana Jaya Urban Centre,
47301 Petaling Jaya,
Selangor Darul Ehsan, MALAYSIA.
Tel: 03-7880 6580 / Fax: 03-7880 6590
http://www.uberfusion.com
------------------------------------------------------------

-----Original Message-----
From: Bon sy [mailto:bon at bunny.cs.qc.edu] 
Sent: Friday, June 17, 2005 8:52 AM
To: Kheng Teong, Lim
Cc: radiator at open.com.au
Subject: Re: (RADIATOR) Possible to have both MAC Address Authentication AND
802.1x (EAP-PEAP) at the same time?

Hi,
	Would you mind sharing the rationale behind authenticating via MAC
address and 802.1X? Coincidentally, we deployed Proxim AP-200 and Radiator as
well, except we authenticate users via 802.1X EAP-TLS.

	Supposing your EAP-PEAP enforces authentication via some sort of
password (token), it may make sense to introduce two-factor authentication,
since a user can literally share the password (token) with someone else, if
this is the concern. However, cloning a MAC address is not difficult at all on
both Windows and Linux. A student of mine found this wonderful freeware on
the Internet called ebtables (http://ebtables.sourceforge.net/ ) that allows
one to easily change the MAC address. Having said that, MAC address
authentication does not really do much to serve as the "second" factor for
authentication.

	But then there could be other business operational reason(s) for
that in your environment that I am totally unaware of. Otherwise, using, for
example, voice/fingerprint may be a more worthwhile choice of second
factor for authentication.

Bon



On Fri, 17 Jun 2005, Kheng Teong, Lim wrote:

> We are trying to setup authentication for a Local Wireless LAN using:
> - Radiator
> - Proxim AP-2000
>  
> We want users to authenticate via MAC Address AND 802.1x (EAP-PEAP)
> encryption at the same time.
> i.e. the user's notebook's WLAN card must be authorized to connect to
> the AP-2000, followed by 802.1x. If either one fails, they don't get
> connectivity; they must pass both schemes.
> Is this situation possible?
>  
> Currently, the user can fail the MAC address check but pass the 802.1x
> (EAP-PEAP) authentication/encryption and still have access to the network.
> In the sample users file below, the first line is for MAC address 
> check (User-Password is the secret for Radiator)
>  
> [sample users file]
> 00-02-2d-37-76-e1    User-Password="test123"
> wifi                         User-Password=wifi
> [/end]
>  
> [sample radius.cfg file]
> # eap_peap.cfg
>  
> LogStdout
> Trace           5
>  
> AuthPort      1812
> AcctPort      1813
>  
> BindAddress   192.168.1.11
>  
> # User          radiator
> # Group         radiator
>  
> LogDir          /var/log/radius
> DbDir           /etc/radiator
>  
> <Client DEFAULT>
>         Secret  test123
>         DupInterval 2
> </Client>
>  
> <Handler TunnelledByPEAP=1>
>         AcctLogFileName %L/detail
>         <AuthBy FILE>
>                 Filename %D/users
>                 EAPType MSCHAP-V2
>         </AuthBy>
> </Handler>
>  
> <Handler>
>         <AuthBy FILE>
>                 Filename %D/users
>                 EAPType PEAP
>                 EAPTLS_CAFile %D/certificates/demoCA/cacert.pem
>                 EAPTLS_CertificateFile %D/certificates/cert-srv.pem
>                 EAPTLS_CertificateType PEM
>                 EAPTLS_PrivateKeyFile %D/certificates/cert-srv.pem
>                 EAPTLS_PrivateKeyPassword whatever
>                 EAPTLS_MaxFragmentSize 1024
>  
>                 AutoMPPEKeys
>                 SSLeayTrace 4
>                 EAPTLS_PEAPVersion 0
>         </AuthBy>
> </Handler>
> [/end]
>  
> [sample logfile]
> Thu Jun 16 13:15:57 2005: DEBUG: Reading users file /etc/radiator/users
> Thu Jun 16 13:15:57 2005: DEBUG: Reading users file /etc/radiator/users
> Thu Jun 16 13:15:57 2005: DEBUG: Finished reading configuration file '/etc/radiator/radius.cfg'
> Thu Jun 16 13:15:57 2005: DEBUG: Reading dictionary file '/etc/radiator/dictionary'
> Thu Jun 16 13:15:58 2005: DEBUG: Creating authentication port 0.0.0.0:1812
> Thu Jun 16 13:15:58 2005: DEBUG: Creating accounting port 0.0.0.0:1813
> Thu Jun 16 13:15:58 2005: NOTICE: Server started: Radiator 3.8 on AAAtlas
> Thu Jun 16 13:16:28 2005: DEBUG: Packet dump:
> *** Received from 192.168.51.30 port 6001 ....
>  
> Packet length = 69
> 01 47 00 45 cd 34 00 00 36 36 00 00 07 3e 00 00
> d9 15 00 00 01 13 30 30 2d 30 32 2d 32 64 2d 33
> 37 2d 37 36 2d 65 30 02 12 61 45 dc e1 99 c8 10
> 98 af 85 7d 38 de 0c 08 a1 04 06 c0 a8 33 1e 05
> 06 00 00 00 00
> Code:       Access-Request
> Identifier: 71
> Authentic:  <205>4<0><0>66<0><0><7>><0><0><217><21><0><0>
> Attributes:
>         User-Name = "00-02-2d-37-76-e0"
>         User-Password =
> "aE<220><225><153><200><16><152><175><133>}8<222><12><8><161>"
>         NAS-IP-Address = 192.168.51.30
>         NAS-Port = 0
>  
> Thu Jun 16 13:16:28 2005: DEBUG: Handling request with Handler ''
> Thu Jun 16 13:16:28 2005: DEBUG:  Deleting session for 00-02-2d-37-76-e0, 192.168.51.30, 0
> Thu Jun 16 13:16:28 2005: DEBUG: Handling with Radius::AuthFILE:
> Thu Jun 16 13:16:28 2005: DEBUG: Radius::AuthFILE looks for match with 00-02-2d-37-76-e0
> Thu Jun 16 13:16:28 2005: INFO: Access rejected for 00-02-2d-37-76-e0: No such user
> Thu Jun 16 13:16:28 2005: DEBUG: Packet dump:
> *** Sending to 192.168.51.30 port 6001 ....
>  
> Packet length = 36
> 03 47 00 24 68 20 6d 7c 01 b5 a1 1d 5b 99 c0 f2
> d4 13 2f d9 12 10 52 65 71 75 65 73 74 20 44 65 6e 69 65 64
> Code:       Access-Reject
> Identifier: 71
> Authentic:  <205>4<0><0>66<0><0><7>><0><0><217><21><0><0>
> Attributes:
>         Reply-Message = "Request Denied"
>  
> ~~~some parts snipped~~~
>  
> Thu Jun 16 13:16:30 2005: DEBUG: Packet dump:
> *** Received from 192.168.51.30 port 6001 ....
>  
> Packet length = 157
> 01 50 00 9d 59 38 00 00 7b 3b 00 00 03 3f 00 00
> e6 71 00 00 01 06 77 69 66 69 04 06 c0 a8 33 1e 1e 13 30 30 2d 32 30 
> 2d 61 36 2d 34 39 2d 32 31 2d 35 38 1f 13 30 30 2d 30 32 2d 32 64 2d 
> 33 37 2d 37 36 2d 65 30 20 1a 4f 52 69 4e 4f 43 4f 2d
> 41 50 2d 32 30 30 30 2d 34 39 2d 32 31 2d 35 38 0c 06 00 00 05 78 3d 
> 06 00 00 00 13 4f 1f 02 0a 00 1d 19 00 17 03 01 00 12 f0 e0 c7 94 70 
> 1f 60 1f cd fc 24 69 04 78 e7 bb 6f ee 50 12 fb 9a 0b
> 43 d7 b8 b0 96 d9 d1 82 ef 8b 48 f3 de
> Code:       Access-Request
> Identifier: 80
> Authentic:  Y8<0><0>{;<0><0><3>?<0><0><230>q<0><0>
> Attributes:
>         User-Name = "wifi"
>         NAS-IP-Address = 192.168.51.30
>         Called-Station-Id = "00-20-a6-49-21-58"
>         Calling-Station-Id = "00-02-2d-37-76-e0"
>         NAS-Identifier = "ORiNOCO-AP-2000-49-21-58"
>         Framed-MTU = 1400
>         NAS-Port-Type = Wireless-IEEE-802-11
>         EAP-Message =
> <2><10><0><29><25><0><23><3><1><0><18><240><224><199><148>p<31>`<31><205><252>$i<4>x<231><187>o<238>
>         Message-Authenticator =
> <251><154><11>C<215><184><176><150><217><209><130><239><139>H<243><222>
>  
> Thu Jun 16 13:16:30 2005: DEBUG: Handling request with Handler ''
> Thu Jun 16 13:16:30 2005: DEBUG:  Deleting session for wifi, 192.168.51.30,
> Thu Jun 16 13:16:30 2005: DEBUG: Handling with Radius::AuthFILE:
> Thu Jun 16 13:16:30 2005: DEBUG: Handling with EAP: code 2, 10, 29
> Thu Jun 16 13:16:30 2005: DEBUG: Response type 25
> Thu Jun 16 13:16:30 2005: DEBUG: EAP PEAP inner authentication request for anonymous
> Thu Jun 16 13:16:30 2005: DEBUG: PEAP Tunnelled request Packet dump:
> Code:       Access-Request
> Identifier: UNDEF
> Authentic:  
> <186><196><12><20><19><211>(m[B<170><23><14><216><226><140>
> Attributes:
>         EAP-Message = <2><10><0><2><26><3>
>         Message-Authenticator =
> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>         User-Name = "anonymous"
>         NAS-IP-Address = 192.168.51.30
>         NAS-Identifier = "ORiNOCO-AP-2000-49-21-58"
>         Calling-Station-Id = "00-02-2d-37-76-e0"
>  
> Thu Jun 16 13:16:30 2005: DEBUG: Handling request with Handler 'TunnelledByPEAP=1'
> Thu Jun 16 13:16:30 2005: DEBUG:  Deleting session for , 192.168.51.30,
> Thu Jun 16 13:16:30 2005: DEBUG: Handling with Radius::AuthFILE:
> Thu Jun 16 13:16:30 2005: DEBUG: Handling with EAP: code 2, 10, 2
> Thu Jun 16 13:16:30 2005: DEBUG: Response type 26
> Thu Jun 16 13:16:30 2005: DEBUG: EAP result: 0,
> Thu Jun 16 13:16:30 2005: DEBUG: Access accepted for anonymous
> Thu Jun 16 13:16:30 2005: DEBUG: EAP result: 3, EAP PEAP inner authentication redespatched to a Handler
> Thu Jun 16 13:16:30 2005: DEBUG: Access challenged for wifi: EAP PEAP inner authentication redespatched to a Handler
> Thu Jun 16 13:16:30 2005: DEBUG: Packet dump:
> *** Sending to 192.168.51.30 port 6001 ....
>  
> Packet length = 78
> 0b 50 00 4e 89 27 13 11 5a 52 f1 4a 15 09 3e b4 3f 33 37 d0 4f 28 01 
> 0b 00 26 19 00 17 03 01 00 1b fd fd 64 3a 50 58 2f 02 72 9c 42 f8 84 
> 34 2f 70 2b f0 8f 0d f5 7b fd ec 31 bd 75 50 12 b5 1c
> 93 af 20 42 da 4f 9f 38 e2 9a c0 be 2e 0f
> Code:       Access-Challenge
> Identifier: 80
> Authentic:  Y8<0><0>{;<0><0><3>?<0><0><230>q<0><0>
> Attributes:
>         EAP-Message =
> <1><11><0>&<25><0><23><3><1><0><27><253><253>d:PX/<2>r<156>B<248><132>4/p+<240><143><13><245>{<253><236>1<189>u
>         Message-Authenticator =
> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>  
> Thu Jun 16 13:16:30 2005: DEBUG: Packet dump:
> *** Received from 192.168.51.30 port 6001 ....
>  
> Packet length = 166
> 01 51 00 a6 59 38 00 00 7b 3b 00 00 03 3f 00 00
> e6 71 00 00 01 06 77 69 66 69 04 06 c0 a8 33 1e 1e 13 30 30 2d 32 30 
> 2d 61 36 2d 34 39 2d 32 31 2d 35 38 1f 13 30 30 2d 30 32 2d 32 64 2d 
> 33 37 2d 37 36 2d 65 30 20 1a 4f 52 69 4e 4f 43 4f 2d
> 41 50 2d 32 30 30 30 2d 34 39 2d 32 31 2d 35 38 0c 06 00 00 05 78 3d 
> 06 00 00 00 13 4f 28 02 0b 00 26 19 00 17 03 01 00 1b 51 46 68 8d fb 
> f7 be 7b 40 4a dc e3 9f 8f b0 f4 02 b6 63 02 55 00 b3
> 78 71 02 f4 50 12 96 c3 74 90 2d b5 e1 b3 80 b3 9f 5c 56 7b 0a fa
> Code:       Access-Request
> Identifier: 81
> Authentic:  Y8<0><0>{;<0><0><3>?<0><0><230>q<0><0>
> Attributes:
>         User-Name = "wifi"
>         NAS-IP-Address = 192.168.51.30
>         Called-Station-Id = "00-20-a6-49-21-58"
>         Calling-Station-Id = "00-02-2d-37-76-e0"
>         NAS-Identifier = "ORiNOCO-AP-2000-49-21-58"
>         Framed-MTU = 1400
>         NAS-Port-Type = Wireless-IEEE-802-11
>         EAP-Message =
> <2><11><0>&<25><0><23><3><1><0><27>QFh<141><251><247><190>{@J<220><227><159><143><176><244><2><182>c<2>U<0><179>xq<2><244>
>         Message-Authenticator =
> <150><195>t<144>-<181><225><179><128><179><159>\V{<10><250>
>  
> Thu Jun 16 13:16:30 2005: DEBUG: Handling request with Handler ''
> Thu Jun 16 13:16:30 2005: DEBUG:  Deleting session for wifi, 192.168.51.30,
> Thu Jun 16 13:16:30 2005: DEBUG: Handling with Radius::AuthFILE:
> Thu Jun 16 13:16:30 2005: DEBUG: Handling with EAP: code 2, 11, 38
> Thu Jun 16 13:16:30 2005: DEBUG: Response type 25
> Thu Jun 16 13:16:30 2005: DEBUG: EAP result: 0,
> Thu Jun 16 13:16:30 2005: DEBUG: Access accepted for wifi
> Thu Jun 16 13:16:30 2005: DEBUG: Packet dump:
> *** Sending to 192.168.51.30 port 6001 ....
>  
> Packet length = 160
> 02 51 00 a0 eb bd e9 e4 20 93 07 7a 8f 78 69 a2 4f 4a 6b d0 4f 06 03 
> 0b 00 04 50 12 3a 1c a6 3b 3b 0e f4 5d 40 c8 7b 62 3d 83 91 c1 1a 3a 
> 00 00
> 01 37 10 34 a7 dc e4 91 cc d0 9c d9 75 bf 2c 70 ef 4c 0b 2d 73 86 bf 
> 2c dc e3 23 d3 22 e6 d5 d5
> e4 47 7a bc a7 15 46 1c c9 92 62 70 bd f6 b7 af
> 25 0b 36 66 1d 66 1a 3a 00 00 01 37 11 34 a5 af 7a e8 0a ed d5 08 c8 
> 70 71 7b 68 d6 56 1f 81 f6
> e6 78 1b 76 8e 48 83 a7 85 8e bf 02 11 74 e5 a1 ba b3 e3 2f d7 33 b1 
> 0f 2b 79 08 0b a0 2f 7e b2
> Code:       Access-Accept
> Identifier: 81
> Authentic:  Y8<0><0>{;<0><0><3>?<0><0><230>q<0><0>
> Attributes:
>         EAP-Message = <3><11><0><4>
>         Message-Authenticator =
> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>         MS-MPPE-Send-Key =
> "<167><220><228><145><204><208><156><217>u<191>,p<239>L<11>-s<134><191>,<220><227>#<211>"<230><213><213><228>Gz<188><167><21>F<28><201><146>bp<189><246><183><175>%<11>6f<29>f"
>         MS-MPPE-Recv-Key =
> "<165><175>z<232><10><237><213><8><200>pq{h<214>V<31><129><246><230>x<27>v<142>H<131><167><133><142><191><2><17>t<229><161><186><179><227>/<215>3<177><15>+y<8><11><160>/~<178>"
> [/end]
>  
> Thanks in advance.
>  
> --
> Warm Regards,
> Kheng Teong, Lim
>  
> Chief Information Officer
> UberFusion Sdn. Bhd.
> -----------------------------------------------------------
> UberFusion Sdn. Bhd.
> No. 119, (3rd Floor) Jalan SS6/12,
> Kelana Jaya Urban Centre,
> 47301 Petaling Jaya,
> Selangor Darul Ehsan, MALAYSIA.
> Tel: 03-7880 6580 / Fax: 03-7880 6590
> http://www.uberfusion.com
> ------------------------------------------------------------
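The gap the original post describes, worked through as an added example (this is not code from the thread, from Proxim or from Radiator). The two Access-Requests embedded below are the byte-for-byte hex dumps from the posted log: the AP-2000's MAC-authentication request (id 71, the MAC as User-Name, no EAP) and the first 802.1x/PEAP request for user "wifi" (id 80, the same MAC in Calling-Station-Id). The script decodes both and applies the policy asked for: the 802.1x request is only accepted when the Calling-Station-Id is in the MAC table, so passing PEAP with an unlisted card no longer grants access. The `inner_auth_ok` flag stands in for the MSCHAP-V2 result of the TunnelledByPEAP Handler, and the table used in the demo is the one from the posted users file (only ...-e1 is listed); both are assumptions for illustration. In Radiator terms the same idea is to look Calling-Station-Id up in the MAC table inside the 802.1x Handler before the PEAP AuthBy, chained with AuthByPolicy ContinueWhileAccept so that a failed lookup rejects without reaching PEAP; the exact AuthBy for that lookup is not shown here. Bon's caveat still applies, since Calling-Station-Id is whatever the client's card reports.

```python
# Added example: decode the two RADIUS Access-Requests from the posted
# Radiator log and apply the combined "MAC table AND 802.1x" policy.
import re

# Attribute type codes (RFC 2865 / RFC 2869) present in the posted dumps.
USER_NAME, NAS_IP_ADDRESS, NAS_PORT, FRAMED_MTU = 1, 4, 5, 12
CALLED_STATION_ID, CALLING_STATION_ID, NAS_IDENTIFIER = 30, 31, 32
NAS_PORT_TYPE, EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 61, 79, 80
ACCESS_REQUEST = 1
WIRELESS_IEEE_802_11 = 19      # NAS-Port-Type value sent by the AP-2000
EAP_TYPE_PEAP = 25

# Packet bytes copied verbatim from the "Packet dump" hex in the posted log.
MAC_AUTH_PKT = bytes.fromhex(          # AP-2000 MAC authentication, id 71
    "01 47 00 45 cd 34 00 00 36 36 00 00 07 3e 00 00 "
    "d9 15 00 00 01 13 30 30 2d 30 32 2d 32 64 2d 33 "
    "37 2d 37 36 2d 65 30 02 12 61 45 dc e1 99 c8 10 "
    "98 af 85 7d 38 de 0c 08 a1 04 06 c0 a8 33 1e 05 "
    "06 00 00 00 00"
)
DOT1X_PKT = bytes.fromhex(             # first 802.1x/PEAP request, id 80
    "01 50 00 9d 59 38 00 00 7b 3b 00 00 03 3f 00 00 "
    "e6 71 00 00 01 06 77 69 66 69 04 06 c0 a8 33 1e 1e 13 30 30 2d 32 30 "
    "2d 61 36 2d 34 39 2d 32 31 2d 35 38 1f 13 30 30 2d 30 32 2d 32 64 2d "
    "33 37 2d 37 36 2d 65 30 20 1a 4f 52 69 4e 4f 43 4f 2d "
    "41 50 2d 32 30 30 30 2d 34 39 2d 32 31 2d 35 38 0c 06 00 00 05 78 3d "
    "06 00 00 00 13 4f 1f 02 0a 00 1d 19 00 17 03 01 00 12 f0 e0 c7 94 70 "
    "1f 60 1f cd fc 24 69 04 78 e7 bb 6f ee 50 12 fb 9a 0b "
    "43 d7 b8 b0 96 d9 d1 82 ef 8b 48 f3 de"
)


def parse_radius(pkt):
    """Header fields plus a list of (type, value) attributes; rejects the
    length inconsistencies a hostile NAS could send instead of crashing."""
    if len(pkt) < 20:
        raise ValueError("RADIUS header needs 20 bytes")
    length = int.from_bytes(pkt[2:4], "big")
    if length != len(pkt):
        raise ValueError("Length %d != %d bytes received" % (length, len(pkt)))
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length or pkt[pos + 1] < 2 or pos + pkt[pos + 1] > length:
            raise ValueError("bad attribute at offset %d" % pos)
        attrs.append((pkt[pos], pkt[pos + 2:pos + pkt[pos + 1]]))
        pos += pkt[pos + 1]
    return {"code": pkt[0], "id": pkt[1], "authenticator": pkt[4:20], "attrs": attrs}


def get_attr(parsed, atype):
    """First value of the given attribute type, or None if absent."""
    return next((v for t, v in parsed["attrs"] if t == atype), None)


def eap_type(parsed):
    """EAP method of the Response in EAP-Message (byte 4; 25 = PEAP)."""
    eap = get_attr(parsed, EAP_MESSAGE)
    return eap[4] if eap is not None and len(eap) >= 5 else None


def normalize_mac(raw):
    """Canonical form: lower-case, dash-separated, as the AP-2000 sends it.
    Other NASs send 00:02:2d:37:76:e0, 0002.2d37.76e0 or 00022D3776E0, so a
    table lookup must not depend on separator or case."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", raw).lower()
    if len(digits) != 12:
        raise ValueError("not a MAC address: %r" % raw)
    return "-".join(digits[i:i + 2] for i in range(0, 12, 2))


def classify(parsed):
    """'dot1x' for a wireless EAP request, 'mac-auth' for the AP's own MAC
    check (MAC as User-Name, no EAP-Message), otherwise 'other'."""
    if parsed["code"] != ACCESS_REQUEST:
        return "other"
    port_type = get_attr(parsed, NAS_PORT_TYPE)
    is_wifi = port_type is not None and int.from_bytes(port_type, "big") == WIRELESS_IEEE_802_11
    has_eap = get_attr(parsed, EAP_MESSAGE) is not None
    if has_eap and is_wifi:
        return "dot1x"
    name = get_attr(parsed, USER_NAME)
    try:
        if not has_eap and name is not None and normalize_mac(name.decode("ascii")):
            return "mac-auth"
    except (ValueError, UnicodeDecodeError):
        pass
    return "other"


def final_decision(parsed, allowed_macs, inner_auth_ok):
    """Final reply for one request under the combined policy.
    allowed_macs: set of normalized MACs (the MySQL MAC table in the post).
    inner_auth_ok: assumed stand-in for the PEAP/MSCHAP-V2 result; the
    Access-Challenge round trips of the EAP conversation are not modelled.
    Returns (reply_code, normalized_mac_or_None)."""
    kind = classify(parsed)
    if kind == "mac-auth":
        mac = normalize_mac(get_attr(parsed, USER_NAME).decode("ascii"))
        return ("Access-Accept" if mac in allowed_macs else "Access-Reject", mac)
    if kind == "dot1x":
        try:
            mac = normalize_mac(get_attr(parsed, CALLING_STATION_ID).decode("ascii"))
        except (AttributeError, ValueError, UnicodeDecodeError):
            return ("Access-Reject", None)        # cannot tie the session to a MAC
        if mac not in allowed_macs:
            return ("Access-Reject", mac)         # the gap from the post, closed
        return ("Access-Accept" if inner_auth_ok else "Access-Reject", mac)
    return ("Access-Reject", None)


if __name__ == "__main__":
    table = {"00-02-2d-37-76-e1"}   # MAC table as in the posted users file
    for pkt in (MAC_AUTH_PKT, DOT1X_PKT):
        p = parse_radius(pkt)
        print(p["id"], classify(p), eap_type(p), final_decision(p, table, True))
```

Run as-is it reports both captured requests as rejected, because the card ...-e0 is not in the table even though the PEAP leg would have succeeded; add "00-02-2d-37-76-e0" to the table and the 802.1x request is accepted only when the inner authentication also passes. The MAC normalisation matters in practice: the AP-2000 happens to send the same dash-separated lower-case form in both requests, but a mixed fleet of access points will not.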

--
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.
