[RADIATOR] another interesting project

Hugh Irvine hugh at open.com.au
Sun Jun 20 10:52:04 CDT 2010


Hello Everyone -

I have recently completed an interesting project for an international bank that may be of interest to some of you.

The bank has a requirement to provide increased internal network security across its entire wired network.

This involves replacing all LAN port switches with EAP enabled devices such that all ports enforce authentication prior to enabling network traffic.

The EAP enabled LAN switches are configured for EAP RADIUS with Radiator as the central RADIUS server.

All desktop and laptop PCs are configured for Windows PEAP and all computer users are authenticated against Active Directory.

An additional requirement is to provide the same EAP restrictions for IP phones and printers. This is obviously to prevent unauthorised misuse of LAN ports used by phones and printers.

Cisco IP phones are employed and they support EAP-MD5, while a number of printers with various types of EAP support are being tested.

To support these (and other) devices, Active Directory has been extended with an Organisational Unit (OU) for Devices, with OUs for Printers and Phones within it.

The Cisco IP Phones send a special User-Name in the EAP requests that includes the MAC address of the phone.

The skeleton Radiator configuration file follows:

…..

# Handler for Cisco IP Phones

<Handler EAP-Message = /.+/, User-Name = /(.+)SEP([0-9a-fA-F]{12})$/>
	…..
</Handler>

# Inner PEAP Packet Handlers

<Handler TunnelledByPEAP=1>
	…..
</Handler>

# Outer PEAP Packet Handler

<Handler EAP-Message = /.+/>
	<AuthBy FILE>
		EAPType PEAP
		…..
	</AuthBy>
</Handler>

# default Handler for normal RADIUS

<Handler>
	<AuthBy LSA>
		…..
	</AuthBy>
</Handler>


We anticipate that most organisations will be moving to secure wired LAN infrastructure over the next few years.

regards

Hugh


NB: 

Have you read the reference manual ("doc/ref.html")?
Have you searched the mailing list archive (www.open.com.au/archives/radiator)?
Have you had a quick look on Google (www.google.com)?
Have you included a copy of your configuration file (no secrets), 
together with a trace 4 debug showing what is happening?

-- 
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
Includes support for reliable RADIUS transport (RadSec),
and DIAMETER translation agent.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
-
CATool: Private Certificate Authority for Unix and Unix-like systems.
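The skeleton above relies on Radiator trying Handlers in configuration order and using the first one whose check items all match, which is why the Cisco phone Handler (EAP-Message plus the SEP User-Name pattern) has to appear before the generic EAP-Message Handler. The following is an added Python model of that first-match selection written for this page; it is not Radiator code (Radiator is a Perl program with its own configuration parser) and is only meant to show the ordering effect and the User-Name pattern from the post. The request attribute values, the handler names, and the extra check that the MAC embedded in the phone's User-Name agrees with Calling-Station-Id are all constructed assumptions of this example and are not part of the original post.

```python
"""Added example (not Radiator code): first-match Handler selection modelled
on the four Handler blocks from the post, plus an assumed MAC consistency check."""
import re

# Cisco phone User-Name pattern, copied from the post's Handler line.
PHONE_USERNAME = re.compile(r"(.+)SEP([0-9a-fA-F]{12})$")

# Handlers in the order the post lists them. Radiator tries Handlers in
# configuration order and uses the first whose check items all match.
# Values are either a compiled regex (Radiator's "Attr = /regex/") or a literal.
HANDLERS = [
    ("cisco-phone",    {"EAP-Message": re.compile(r".+"), "User-Name": PHONE_USERNAME}),
    ("peap-inner",     {"TunnelledByPEAP": "1"}),
    ("peap-outer",     {"EAP-Message": re.compile(r".+")}),
    ("default-radius", {}),          # bare <Handler>: matches everything
]

# The same Handlers with the generic EAP Handler moved ahead of the phone
# Handler, to show what a misordered configuration does.
MISORDERED = [HANDLERS[2], HANDLERS[0], HANDLERS[1], HANDLERS[3]]

# Constructed sample requests (illustrative attribute values, not captured traffic).
EAP = "<EAP-Message payload>"
PHONE_REQ = {"User-Name": "CP-7941G-SEP001122334455", "EAP-Message": EAP,
             "Calling-Station-Id": "00-11-22-33-44-55"}
PC_OUTER_REQ = {"User-Name": "BANK\\alice", "EAP-Message": EAP,
                "Calling-Station-Id": "00-AA-BB-CC-DD-EE"}
PC_INNER_REQ = dict(PC_OUTER_REQ, TunnelledByPEAP="1")   # inner PEAP request
PLAIN_REQ = {"User-Name": "admin", "User-Password": "(pap)", "NAS-IP-Address": "10.0.0.1"}


def check_items_match(checks, attrs):
    """True when every check item is present in the request and matches."""
    for attr, want in checks.items():
        got = attrs.get(attr)
        if got is None:
            return False
        if isinstance(want, re.Pattern):
            if not want.search(got):
                return False
        elif got != want:
            return False
    return True


def select_handler(attrs, handlers=HANDLERS):
    """Return the name of the first Handler whose check items all match."""
    for name, checks in handlers:
        if check_items_match(checks, attrs):
            return name
    return None  # unreachable while the bare default Handler is present


def phone_mac_from_username(username):
    """Extract the MAC (lower-case hex, no separators) from a SEP User-Name."""
    m = PHONE_USERNAME.search(username)
    return m.group(2).lower() if m else None


def normalise_mac(value):
    """Reduce any common MAC spelling (colons, dashes, dots, case) to 12 hex digits."""
    return re.sub(r"[^0-9a-f]", "", value.lower())


def phone_identity_consistent(attrs):
    """Assumed extra check (not in the post): the MAC claimed in User-Name must
    equal the Calling-Station-Id the switch reports for the port."""
    mac = phone_mac_from_username(attrs.get("User-Name", ""))
    csid = attrs.get("Calling-Station-Id")
    if mac is None or csid is None:
        return False
    return normalise_mac(csid) == mac


if __name__ == "__main__":
    for label, req in [("phone", PHONE_REQ), ("pc outer", PC_OUTER_REQ),
                       ("pc inner", PC_INNER_REQ), ("plain", PLAIN_REQ)]:
        print(f"{label:9s} -> {select_handler(req)}")
    print("phone with misordered Handlers ->", select_handler(PHONE_REQ, MISORDERED))
    print("phone MAC consistent with Calling-Station-Id:", phone_identity_consistent(PHONE_REQ))
```

With the Handlers in the post's order the phone request lands in the phone Handler, the outer and inner PEAP requests land in their own Handlers, and a request with no EAP-Message falls through to the default; with the generic EAP Handler moved first, the phone request is swallowed by the PEAP Handler and never reaches its EAP-MD5 Handler. The Calling-Station-Id comparison is an assumption added here because a User-Name is client-chosen, and switches format Calling-Station-Id differently, which is why the example normalises both sides before comparing.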