Two-phase, "pass-thru" authentication possible?

cwfnetman Neal.Howard at wichitafallstx.gov
Thu Jun 16 00:15:32 CEST 2011


I've got an interesting problem to try to solve and was curious if such a
concept is even possible with FreeRadius.

I've got to implement mac address filtering to a Cisco WiFi (WLC plus
numerous LWAPPs) system that also requires Active Directory authentication
of the Windows credentials of the user plus the wireless client workstation
machine's AD account. Presently I'm using Microsoft IAS on a Windows 2003
server to act as my Windows AD radius server.  Implementing the additional
mac address filtering isn't my idea, so please refrain from questioning why.
I know it really does nothing for true security, but I'm ordered to do so by my
authorities above me, so I must implement this mandate just because... well
it's now become mandatory for my job.

A problem is that the mac addresses of the wifi interfaces in all the
various workstations are not always rigidly assigned to any particular
laptop PC, the WiFi adapters in the set of client PCs are subject to
frequent change and movement around the pool of PCs, so basically I need a
simple whitelist (several hundred mac addresses) to validate against. If the
incoming mac address on the authentication request is simply somewhere on
the whitelist (anywhere within those hundreds of addresses), then I next
need to authenticate the Windows AD credentials, and if they're good, and in
a certain AD group, and their domain member workstation PC is in a certain
machine account group, etc, etc, according to the set of remote access
policies in the IAS server,  then go ahead and "let 'em in".

So, can FreeRadius be set up to perform a sort of two-phase, cascaded
authentication such that the Cisco WiFi controller first sends the incoming
authentication access-request to FreeRadius, which checks a big whitelist of
pre-approved mac addresses, and if that tests good, then FreeRadius acts as
a relay/proxy/radius client to pass the next ActiveDirectory authentication
portion of the request off to my Windows IAS server, then if that part comes
back good, to reassemble all the pieces-parts back together as a completed
access-accept message and hand it back to the Cisco wireless system to let
the wireless user in, and basically fool the Cisco WiFi system into thinking
that one Radius server handled it all? 

--
View this message in context: http://freeradius.1045715.n5.nabble.com/Two-phase-pass-thru-authentication-possible-tp4492840p4492840.html
Sent from the FreeRadius - User mailing list archive at Nabble.com.
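
The gating order asked about above (whitelist lookup on the client MAC first, hand-off to the AD-backed server only on a hit), as an added sketch that is not part of the original post and is not FreeRADIUS configuration. It assumes the client MAC arrives in the RADIUS Calling-Station-Id attribute; the function names, the `ias-home-server` label and the sample addresses are constructed for illustration.

```python
import re

# Constructed sample whitelist; real lists tend to mix notations like this.
WHITELIST_RAW = """
00:1A:2B:3C:4D:5E
00-1a-2b-3c-4d-5f   # spare adapter
001a.2b3c.4d60
"""

def normalize_mac(value):
    """Return the MAC as 12 lowercase hex digits, or None if it is not one."""
    digits = re.sub(r"[:\-.\s]", "", value or "").lower()
    return digits if re.fullmatch(r"[0-9a-f]{12}", digits) else None

def load_whitelist(text):
    """Parse one MAC per line; '#' starts a comment. Bad entries raise."""
    macs = set()
    for lineno, line in enumerate(text.splitlines(), 1):
        entry = line.split("#", 1)[0].strip()
        if not entry:
            continue
        mac = normalize_mac(entry)
        if mac is None:
            raise ValueError(f"line {lineno}: not a MAC address: {entry!r}")
        macs.add(mac)
    return macs

def decide(request, whitelist, home_server="ias-home-server"):
    """Phase 1 of the cascade: gate on the MAC, fail closed.

    request is a dict of RADIUS attributes from the Access-Request.
    Returns ("reject", reason) or ("proxy", home_server); in the proxy
    case the AD server's answer is what finally goes back to the NAS.
    """
    mac = normalize_mac(request.get("Calling-Station-Id"))
    if mac is None:
        return ("reject", "missing or malformed Calling-Station-Id")
    if mac not in whitelist:
        return ("reject", "MAC not on whitelist")
    return ("proxy", home_server)

if __name__ == "__main__":
    wl = load_whitelist(WHITELIST_RAW)
    for csid in ("00-1A-2B-3C-4D-5E", "001a.2b3c.4d60", "00:1a:2b:3c:4d:61", None):
        print(csid, "->", decide({"Calling-Station-Id": csid, "User-Name": "jdoe"}, wl))
```

Normalizing both the list and the incoming attribute to one form means the result does not depend on which delimiter style the wireless controller happens to send.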


