Domain Group Authentication

Brian Julin BJulin at clarku.edu
Wed Dec 28 04:31:04 CET 2011 

Automate an export of the list of WiFi MAC addresses of your managed computers from the DC.  Then in post-auth, query that list (we use an SQL database) and use the result to alter the tunnel-group-ID sent back in the outer reply.  Users can spoof their MAC addresses, of course, but as long as you are doing this mainly to contain contagion rather than high security, it is satisfactory.

The other option in a managed environment is of course to use TLS for the managed computers and install certs.  You could even embed the MAC address into the cert and check that that matches the Calling-Station-ID.  Still spoofable, of course, but barring a hardware crypto solution, everything is to a pro.

________________________________________
From: freeradius-users-bounces+bjulin=clarku.edu at lists.freeradius.org [freeradius-users-bounces+bjulin=clarku.edu at lists.freeradius.org] On Behalf Of McSparin, Joe [jmcsparin at hillcountrymemorial.org]
Sent: Tuesday, December 27, 2011 5:51 PM
To: FreeRadius users mailing list
Subject: Domain Group Authentication

I currently have FreeRadius setup to authenticate agains Active Directory and it works great.  I was wondering though for everyone out there using it if you had any reccomendations for this scenario:

I have users that will connect wirelessly using their NT domain username and password on the hospitals wireless devices.  I also however have doctors that will bring in their own laptops and connect.  When they connect with their laptops though I do not want them to have the same privileges as when they connect on the hospital wireless devices.  If they are connecting with their laptops even though they use their Ntdomain user name and password I want to restrict them to a public vlan.


Joseph R. McSparin
Network Administrator
Hill Country Memorial Hospital
830 990 6638 phone
830 990 6623 fax
jmcsparin at hillcountrymemorial.org

________________________________
This email message and any attachments are for the sole use of the intended recipient(s) and contain confidential and/or privileged information. Any unauthorized review, use, disclosure or distribution is prohibited. If you are not the intended recipient, please contact the sender by reply email and destroy all copies of the original message and any attachments.

More information about the Freeradius-Users mailing list