(RADIATOR) Possible to have both MAC Address Authentication AND 802.1x (EAP-PEAP) at the same time?
Hugh Irvine
hugh at open.com.au
Fri Jun 17 07:06:09 CDT 2005
Hello Kheng Teong -
You can easily do both MAC address verification and EAP by using two
AuthBy clauses.
Something like this:
AuthByPolicy ContinueWhileAccept
<AuthBy SQL>
# verify MAC address
.....
NoEap
......
</AuthBy>
<AuthBy SQL>
# verify username and password
.......
EAPType PEAP
</AuthBy>
hope that helps
regards
Hugh
On 17 Jun 2005, at 13:03, Kheng Teong, Lim wrote:
> Thanks for your reply.
>
> The Local Wireless LAN was previously secured using:
> - MAC Address lockdown on the AP-2000's itself (quite a few units,
> so manual
> task)
> - 128-bit WEP Encryption
>
> We're now migrating to a centralized solution using Radiator,
> therefore:
> - MAC Address lockdown on the AP-2000 via centralized RADIUS AAA
> (insert
> entries once only)
> - 802.1x (EAP-PEAP) using Windows XP SP1+ supplicants (centralized
> server
> certificate, only requires username/password on client side)
>
> I agree, MAC address can be easily spoofed, but it does provide an
> additional albeit weak layer of security. But nonetheless, it is
> another
> layer :-)
> We couple this with 802.1x (EAP-PEAP) which replaces static WEP and
> its
> definitely more secure than the previous environment.
>
> We script the front-end in such a way, when a user account is
> created, it
> does the following:
> 1) it enters the MAC Address into the MySQL table for RADIUS
> authentication
> (AP-2000 RADIUS MAC authentication)
> 2) it enters the username/password into the MySQL table for 802.1x
> authentication/encryption (AP-2000 802.1x TKIP)
> 3) it enters the MAC Address into a DHCPD config file for static IP
> address
> assignment
>
> Still open to suggestions on how to have both MAC Address
> Authentication AND
> 802.1x (EAP-PEAP) at the same time?
>
> Thanks all.
>
> --
> Warm Regards,
> Kheng Teong, Lim
>
> Chief Information Officer
> UberFusion Sdn. Bhd.
> -----------------------------------------------------------
> UberFusion Sdn. Bhd.
> No. 119, (3rd Floor) Jalan SS6/12,
> Kelana Jaya Urban Centre,
> 47301 Petaling Jaya,
> Selangor Darul Ehsan, MALAYSIA.
> Tel: 03-7880 6580 / Fax: 03-7880 6590
> http://www.uberfusion.com
> ------------------------------------------------------------
>
> -----Original Message-----
> From: Bon sy [mailto:bon at bunny.cs.qc.edu]
> Sent: Friday, June 17, 2005 8:52 AM
> To: Kheng Teong, Lim
> Cc: radiator at open.com.au
> Subject: Re: (RADIATOR) Possible to have both MAC Address
> Authentication AND
> 802.1x (EAP-PEAP) at the same time?
>
> Hi,
> Would you mind to share the rationale behind autenticating via MAC
> address and 802.1X? Coincidently, we deployed Proxim AP-200 and
> Radiator as
> well, except we authenticate users via 802.1X EAP-TLS.
>
> Suppose your EAP-PEAP enforces authentication via some sort of
> password (token), it may make sense to introduce a two-factor
> authentication
> since a user can literally share the password (token) with someone
> else if
> this is the concern. However, cloning MAC address is not difficult
> at all in
> both Windows and Linux. A student of mind find this wonderful
> freeware in
> the Internet called ebtables (http://ebtables.sourceforge.net/ )
> that allows
> one to easily change the MAC address. Having said, MAC address
> authentication does not really do much to serve as the "second"
> factor for
> authentication.
>
> But then there could be other business operational reason(s) for
> that in your environment that I am totally unaware. Otherwise,
> using, for
> example, voice/finger print may be a more worthwhile choice of the
> second
> factor for authentication.
>
> Bon
>
>
>
> On Fri, 17 Jun 2005, Kheng Teong, Lim wrote:
>
>
>> We are trying to setup authentication for a Local Wireless LAN using:
>> - Radiator
>> - Proxim AP-2000
>>
>> We want users to authenticate via MAC Address AND 802.1x (EAP-PEAP)
>> encryption at the same time.
>> ie: The user's notebook's wlan card must be authorized to connect to
>> the AP-2000, followed with 802.1x. If either one fails, they don't
>> get
>> connectivity, they must pass both schemes.
>> Is this situation possible?
>>
>> Currently, the user can fail the MAC address check but pass the
>> 802.1x
>> (EAP-PEAP) authentication/encryption and still have access to the
>> network.
>> In the sample users file below, the first line is for MAC address
>> check (User-Password is the secret for Radiator)
>>
>> [sample users file]
>> 00-02-2d-37-76-e1 User-Password="test123"
>> wifi User-Password=wifi
>> [/end]
>>
>> [sample radius.cfg file]
>> # eap_peap.cfg
>>
>> LogStdout
>> Trace 5
>>
>> AuthPort 1812
>> AcctPort 1813
>>
>> BindAddress 192.168.1.11
>>
>> # User radiator
>> # Group radiator
>>
>> LogDir /var/log/radius
>> DbDir /etc/radiator
>>
>> <Client DEFAULT>
>> Secret test123
>> DupInterval 2
>> </Client>
>>
>> <Handler TunnelledByPEAP=1>
>> AcctLogFileName %L/detail
>> <AuthBy FILE>
>> Filename %D/users
>> EAPType MSCHAP-V2
>> </AuthBy>
>> </Handler>
>>
>> <Handler>
>> <AuthBy FILE>
>> Filename %D/users
>> EAPType PEAP
>> EAPTLS_CAFile %D/certificates/demoCA/cacert.pem
>> EAPTLS_CertificateFile %D/certificates/cert-srv.pem
>> EAPTLS_CertificateType PEM
>> EAPTLS_PrivateKeyFile %D/certificates/cert-srv.pem
>> EAPTLS_PrivateKeyPassword whatever
>> EAPTLS_MaxFragmentSize 1024
>>
>> AutoMPPEKeys
>> SSLeayTrace 4
>> EAPTLS_PEAPVersion 0
>> </AuthBy>
>> </Handler>
>> [/end]
>>
>> [sample logfile]
>> Thu Jun 16 13:15:57 2005: DEBUG: Reading users file
>> /etc/radiator/users Thu Jun 16 13:15:57 2005: DEBUG: Reading users
>> file /etc/radiator/users Thu Jun 16 13:15:57 2005: DEBUG: Finished
>> reading configuration file '/etc/radiator/radius.cfg'
>> Thu Jun 16 13:15:57 2005: DEBUG: Reading dictionary file
>> '/etc/radiator/dictionary'
>> Thu Jun 16 13:15:58 2005: DEBUG: Creating authentication port
>> 0.0.0.0:1812 Thu Jun 16 13:15:58 2005: DEBUG: Creating accounting
>> port
>> 0.0.0.0:1813 Thu Jun 16 13:15:58 2005: NOTICE: Server started:
>> Radiator 3.8 on AAAtlas Thu Jun 16 13:16:28 2005: DEBUG: Packet dump:
>> *** Received from 192.168.51.30 port 6001 ....
>>
>> Packet length = 69
>> 01 47 00 45 cd 34 00 00 36 36 00 00 07 3e 00 00
>> d9 15 00 00 01 13 30 30 2d 30 32 2d 32 64 2d 33
>> 37 2d 37 36 2d 65 30 02 12 61 45 dc e1 99 c8 10
>> 98 af 85 7d 38 de 0c 08 a1 04 06 c0 a8 33 1e 05
>> 06 00 00 00 00
>> Code: Access-Request
>> Identifier: 71
>> Authentic: <205>4<0><0>66<0><0><7>><0><0><217><21><0><0>
>> Attributes:
>> User-Name = "00-02-2d-37-76-e0"
>> User-Password =
>> "aE<220><225><153><200><16><152><175><133>}8<222><12><8><161>"
>> NAS-IP-Address = 192.168.51.30
>> NAS-Port = 0
>>
>> Thu Jun 16 13:16:28 2005: DEBUG: Handling request with Handler ''
>> Thu Jun 16 13:16:28 2005: DEBUG: Deleting session for
>> 00-02-2d-37-76-e0, 192.168.51.30, 0 Thu Jun 16 13:16:28 2005: DEBUG:
>> Handling with Radius::AuthFILE:
>> Thu Jun 16 13:16:28 2005: DEBUG: Radius::AuthFILE looks for match
>> with
>> 00-02-2d-37-76-e0 Thu Jun 16 13:16:28 2005: INFO: Access rejected for
>> 00-02-2d-37-76-e0: No such user Thu Jun 16 13:16:28 2005: DEBUG:
>> Packet dump:
>> *** Sending to 192.168.51.30 port 6001 ....
>>
>> Packet length = 36
>> 03 47 00 24 68 20 6d 7c 01 b5 a1 1d 5b 99 c0 f2
>> d4 13 2f d9 12 10 52 65 71 75 65 73 74 20 44 65 6e 69 65 64
>> Code: Access-Reject
>> Identifier: 71
>> Authentic: <205>4<0><0>66<0><0><7>><0><0><217><21><0><0>
>> Attributes:
>> Reply-Message = "Request Denied"
>>
>> ~~~some parts snipped~~~
>>
>> Thu Jun 16 13:16:30 2005: DEBUG: Packet dump:
>> *** Received from 192.168.51.30 port 6001 ....
>>
>> Packet length = 157
>> 01 50 00 9d 59 38 00 00 7b 3b 00 00 03 3f 00 00
>> e6 71 00 00 01 06 77 69 66 69 04 06 c0 a8 33 1e 1e 13 30 30 2d 32 30
>> 2d 61 36 2d 34 39 2d 32 31 2d 35 38 1f 13 30 30 2d 30 32 2d 32 64 2d
>> 33 37 2d 37 36 2d 65 30 20 1a 4f 52 69 4e 4f 43 4f 2d
>> 41 50 2d 32 30 30 30 2d 34 39 2d 32 31 2d 35 38 0c 06 00 00 05 78 3d
>> 06 00 00 00 13 4f 1f 02 0a 00 1d 19 00 17 03 01 00 12 f0 e0 c7 94 70
>> 1f 60 1f cd fc 24 69 04 78 e7 bb 6f ee 50 12 fb 9a 0b
>> 43 d7 b8 b0 96 d9 d1 82 ef 8b 48 f3 de
>> Code: Access-Request
>> Identifier: 80
>> Authentic: Y8<0><0>{;<0><0><3>?<0><0><230>q<0><0>
>> Attributes:
>> User-Name = "wifi"
>> NAS-IP-Address = 192.168.51.30
>> Called-Station-Id = "00-20-a6-49-21-58"
>> Calling-Station-Id = "00-02-2d-37-76-e0"
>> NAS-Identifier = "ORiNOCO-AP-2000-49-21-58"
>> Framed-MTU = 1400
>> NAS-Port-Type = Wireless-IEEE-802-11
>> EAP-Message =
>> <2><10><0><29><25><0><23><3><1><0><18><240><224><199><148>p<31>`<31><
>> 2
>> 05><25
>> 2>$i<4>x<231><187>o<238>
>> Message-Authenticator =
>> <251><154><11>C<215><184><176><150><217><209><130><239><139>H<243><22
>> 2
>>
>>>
>>>
>>
>> Thu Jun 16 13:16:30 2005: DEBUG: Handling request with Handler ''
>> Thu Jun 16 13:16:30 2005: DEBUG: Deleting session for wifi,
>> 192.168.51.30, Thu Jun 16 13:16:30 2005: DEBUG: Handling with
>>
> Radius::AuthFILE:
>
>> Thu Jun 16 13:16:30 2005: DEBUG: Handling with EAP: code 2, 10, 29
>> Thu
>> Jun 16 13:16:30 2005: DEBUG: Response type 25 Thu Jun 16 13:16:30
>> 2005: DEBUG: EAP PEAP inner authentication request for anonymous Thu
>> Jun 16 13:16:30 2005: DEBUG: PEAP Tunnelled request Packet dump:
>> Code: Access-Request
>> Identifier: UNDEF
>> Authentic:
>> <186><196><12><20><19><211>(m[B<170><23><14><216><226><140>
>> Attributes:
>> EAP-Message = <2><10><0><2><26><3>
>> Message-Authenticator =
>> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>> User-Name = "anonymous"
>> NAS-IP-Address = 192.168.51.30
>> NAS-Identifier = "ORiNOCO-AP-2000-49-21-58"
>> Calling-Station-Id = "00-02-2d-37-76-e0"
>>
>> Thu Jun 16 13:16:30 2005: DEBUG: Handling request with Handler
>> 'TunnelledByPEAP=1'
>> Thu Jun 16 13:16:30 2005: DEBUG: Deleting session for ,
>> 192.168.51.30, Thu Jun 16 13:16:30 2005: DEBUG: Handling with
>>
> Radius::AuthFILE:
>
>> Thu Jun 16 13:16:30 2005: DEBUG: Handling with EAP: code 2, 10, 2 Thu
>> Jun 16 13:16:30 2005: DEBUG: Response type 26 Thu Jun 16 13:16:30
>> 2005: DEBUG: EAP result: 0, Thu Jun 16 13:16:30 2005: DEBUG: Access
>> accepted for anonymous Thu Jun 16 13:16:30 2005: DEBUG: EAP
>> result: 3,
>> EAP PEAP inner authentication redespatched to a Handler Thu Jun 16
>> 13:16:30 2005: DEBUG: Access challenged for wifi: EAP PEAP inner
>> authentication redespatched to a Handler Thu Jun 16 13:16:30 2005:
>> DEBUG: Packet dump:
>> *** Sending to 192.168.51.30 port 6001 ....
>>
>> Packet length = 78
>> 0b 50 00 4e 89 27 13 11 5a 52 f1 4a 15 09 3e b4 3f 33 37 d0 4f 28 01
>> 0b 00 26 19 00 17 03 01 00 1b fd fd 64 3a 50 58 2f 02 72 9c 42 f8 84
>> 34 2f 70 2b f0 8f 0d f5 7b fd ec 31 bd 75 50 12 b5 1c
>> 93 af 20 42 da 4f 9f 38 e2 9a c0 be 2e 0f
>> Code: Access-Challenge
>> Identifier: 80
>> Authentic: Y8<0><0>{;<0><0><3>?<0><0><230>q<0><0>
>> Attributes:
>> EAP-Message =
>> <1><11><0>&<25><0><23><3><1><0><27><253><253>d:PX/
>> <2>r<156>B<248><132>
>> 4/p+<2
>> 40><143><13><245>{<253><236>1<189>u
>> Message-Authenticator =
>> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>>
>> Thu Jun 16 13:16:30 2005: DEBUG: Packet dump:
>> *** Received from 192.168.51.30 port 6001 ....
>>
>> Packet length = 166
>> 01 51 00 a6 59 38 00 00 7b 3b 00 00 03 3f 00 00
>> e6 71 00 00 01 06 77 69 66 69 04 06 c0 a8 33 1e 1e 13 30 30 2d 32 30
>> 2d 61 36 2d 34 39 2d 32 31 2d 35 38 1f 13 30 30 2d 30 32 2d 32 64 2d
>> 33 37 2d 37 36 2d 65 30 20 1a 4f 52 69 4e 4f 43 4f 2d
>> 41 50 2d 32 30 30 30 2d 34 39 2d 32 31 2d 35 38 0c 06 00 00 05 78 3d
>> 06 00 00 00 13 4f 28 02 0b 00 26 19 00 17 03 01 00 1b 51 46 68 8d fb
>> f7 be 7b 40 4a dc e3 9f 8f b0 f4 02 b6 63 02 55 00 b3
>> 78 71 02 f4 50 12 96 c3 74 90 2d b5 e1 b3 80 b3 9f 5c 56 7b 0a fa
>> Code: Access-Request
>> Identifier: 81
>> Authentic: Y8<0><0>{;<0><0><3>?<0><0><230>q<0><0>
>> Attributes:
>> User-Name = "wifi"
>> NAS-IP-Address = 192.168.51.30
>> Called-Station-Id = "00-20-a6-49-21-58"
>> Calling-Station-Id = "00-02-2d-37-76-e0"
>> NAS-Identifier = "ORiNOCO-AP-2000-49-21-58"
>> Framed-MTU = 1400
>> NAS-Port-Type = Wireless-IEEE-802-11
>> EAP-Message =
>> <2><11><0>&<25><0><23><3><1><0><27>QFh<141><251><247><190>
>> {@J<220><227
>>
>>> <159> <143><176><244><2><182>c<2>U<0><179>xq<2><244>
>>>
>> Message-Authenticator =
>> <150><195>t<144>-<181><225><179><128><179><159>\V{<10><250>
>>
>> Thu Jun 16 13:16:30 2005: DEBUG: Handling request with Handler ''
>> Thu Jun 16 13:16:30 2005: DEBUG: Deleting session for wifi,
>> 192.168.51.30, Thu Jun 16 13:16:30 2005: DEBUG: Handling with
>>
> Radius::AuthFILE:
>
>> Thu Jun 16 13:16:30 2005: DEBUG: Handling with EAP: code 2, 11, 38
>> Thu
>> Jun 16 13:16:30 2005: DEBUG: Response type 25 Thu Jun 16 13:16:30
>> 2005: DEBUG: EAP result: 0, Thu Jun 16 13:16:30 2005: DEBUG: Access
>> accepted for wifi Thu Jun 16 13:16:30 2005: DEBUG: Packet dump:
>> *** Sending to 192.168.51.30 port 6001 ....
>>
>> Packet length = 160
>> 02 51 00 a0 eb bd e9 e4 20 93 07 7a 8f 78 69 a2 4f 4a 6b d0 4f 06 03
>> 0b 00 04 50 12 3a 1c a6 3b 3b 0e f4 5d 40 c8 7b 62 3d 83 91 c1 1a 3a
>> 00 00
>> 01 37 10 34 a7 dc e4 91 cc d0 9c d9 75 bf 2c 70 ef 4c 0b 2d 73 86 bf
>> 2c dc e3 23 d3 22 e6 d5 d5
>> e4 47 7a bc a7 15 46 1c c9 92 62 70 bd f6 b7 af
>> 25 0b 36 66 1d 66 1a 3a 00 00 01 37 11 34 a5 af 7a e8 0a ed d5 08 c8
>> 70 71 7b 68 d6 56 1f 81 f6
>> e6 78 1b 76 8e 48 83 a7 85 8e bf 02 11 74 e5 a1 ba b3 e3 2f d7 33 b1
>> 0f 2b 79 08 0b a0 2f 7e b2
>> Code: Access-Accept
>> Identifier: 81
>> Authentic: Y8<0><0>{;<0><0><3>?<0><0><230>q<0><0>
>> Attributes:
>> EAP-Message = <3><11><0><4>
>> Message-Authenticator =
>> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>> MS-MPPE-Send-Key =
>> "<167><220><228><145><204><208><156><217>u<191>,p<239>L<11>-
>> s<134><191
>>
>>> ,<220
>>> <227>#<211>"<230><213><213><228>Gz<188><167><21>F<28><201><146>bp<18
>>> 9
>>>
>>>> <246>
>>>>
>> <183><175>%<11>6f$
>> MS-MPPE-Recv-Key =
>> "<165><175>z<232><10><237><213><8><200>pq
>> {h<214>V<31><129><246><230>x<
>> 27>v<1
>> 42>H<131><167><133><142><191><2><17>t<229><161><186><179><227>/
>> <215>3<
>> 42>177><1
>> 5>+y<8><11><160>/$
>> [/end]
>>
>> Thanks in advance.
>>
>> --
>> Warm Regards,
>> Kheng Teong, Lim
>>
>> Chief Information Officer
>> UberFusion Sdn. Bhd.
>> -----------------------------------------------------------
>> UberFusion Sdn. Bhd.
>> No. 119, (3rd Floor) Jalan SS6/12,
>> Kelana Jaya Urban Centre,
>> 47301 Petaling Jaya,
>> Selangor Darul Ehsan, MALAYSIA.
>> Tel: 03-7880 6580 / Fax: 03-7880 6590
>> http://www.uberfusion.com <http://www.uberfusion.com/>
>> ------------------------------------------------------------
>>
>
> ---
> [This E-mail has been scanned for viruses]
>
> --
> Archive at http://www.open.com.au/archives/radiator/
> Announcements on radiator-announce at open.com.au
> To unsubscribe, email 'majordomo at open.com.au' with
> 'unsubscribe radiator' in the body of the message.
>
NB: I am travelling this week, so there may be delays in our
correspondence.
--
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows 95/98/2000, NT, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
-
CATool: Private Certificate Authority for Unix and Unix-like systems.
--
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.
More information about the radiator
mailing list