[RADIATOR] EAP-TTLS and MAC tracking

Heikki Vatiainen hvn at open.com.au
Wed Apr 25 16:06:40 CDT 2012


On 04/25/2012 06:54 PM, James Austin wrote:

> We currently use Radiator username and pwd via EAP-TTLS to authenticate WiMAX CPEs on our WiMAX network.
> 
> This works fine.
> 
> Our users would like all of their CPEs to have the same uname/pwd. The problem we are trying to address is possible theft of the CPE by someone who then uses it to enter our network.
> 
> I would like to know if there is a way to associate the uname/pwd with the device MAC address in the MySQL database so we could easily remove/block access for the MAC address of the stolen device.

You could consider modifying the AuthSelect statement so that it will
start returning the MAC address. You are already storing the MAC in the
database, is this correct?

When this is done, make sure the Calling-Station-Id (is this the
attribute that carries the CPE MAC?) is put into the inner TTLS request so
that it is available in the AuthBy that the TunnelledByTTLS=1 Handler uses.
This can be done with a hook that goes into the outer Handler's AuthBy where
all the EAPTLS_* parameters are.

  PreHandlerHook sub { \
      my $tp = ${$_[0]}; \
      $tp->add_attr('Calling-Station-Id', \
      $tp->{outerRequest}->get_attr('Calling-Station-Id')); }

Once the debug log shows Calling-Station-Id is correctly inserted in the
inner tunnelled request, you can add AuthColumnDef for check as
described in section "5.34.1 AuthSelect" in the current Radiator
reference manual.

Thanks!
Heikki

> We use RAdmin for management of the RADIUS accounts.
> 
> Thanks,


-- 
Heikki Vatiainen <hvn at open.com.au>

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
NetWare etc.
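
The setup described in the reply above, sketched as a configuration fragment. This is an added example, not part of the original thread and not Radiator's shipped sample configuration. The SUBSCRIBERS table with its USERNAME, PASSWORD and MAC columns, the database credentials and the certificate paths are placeholders (not the RAdmin schema), and it assumes one row, and so one MAC, per username.

```conf
# Added example. Table/column names, credentials and paths are placeholders.

# Inner (tunnelled) request: the real username/password check happens here.
<Handler TunnelledByTTLS=1>
    <AuthBy SQL>
        DBSource   dbi:mysql:radius
        DBUsername radiator_ro
        DBAuth     changeme

        # Column 0 is the password, column 1 the MAC registered for the account.
        AuthSelect select PASSWORD, MAC from SUBSCRIBERS where USERNAME=%0
        AuthColumnDef 0, User-Password, check
        # As a check item, the stored MAC has to match the Calling-Station-Id
        # that the hook copied from the outer request into this inner request.
        AuthColumnDef 1, Calling-Station-Id, check
    </AuthBy>
</Handler>

# Outer request: terminates the TTLS tunnel.
<Handler>
    <AuthBy FILE>
        Filename %D/users
        EAPType TTLS
        EAPTLS_CAFile          %D/certificates/ca.pem
        EAPTLS_CertificateFile %D/certificates/server.pem
        EAPTLS_CertificateType PEM
        EAPTLS_PrivateKeyFile  %D/certificates/server.key
        # The PreHandlerHook from the reply goes here, next to the
        # EAPTLS_* parameters, so the inner request carries the CPE MAC.
    </AuthBy>
</Handler>
```

The MAC column has to hold the address in the same format the base station sends in Calling-Station-Id; the debug log mentioned in the reply shows that format.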

