On Jun 7, 2019, at 3:06 PM, Duncan X Simpson <virtualdxs@gmail.com> wrote:
I have a FreeRADIUS server with a SQL backend. It's running authentication for an 802.1X wifi network, and soon our VPN. Currently, when somebody logs in it drops them on our main VLAN (not retrieved from RADIUS yet; set statically on the NAS). I have set up groups that will be tied to VLANs, but I would like to increase security by doing this:
User has permissions to access either VLAN 1 or 2, 2 being a privileged VLAN, but only pre-approved devices are allowed on VLAN2. There is a list (ideally in SQL) of MAC addresses of these devices.
- User successfully authenticates as user - FreeRADIUS does not find the MAC address of the client in the list - User gets dropped onto VLAN 1
- User successfully authenticates as user - FreeRADIUS finds the MAC address of the client in the list - User gets dropped onto VLAN 2
That should be pretty simple. Put the MAC addresses into a database, and have FreeRADIUS check the database. if ("%{sql:SELECT MAC from known_macs WHERE MAC = %{Calling-Station-Id}") { ... add to VLAN 2 ... } else { ... add to VLAN 1 ... } You'll have to create your own table, and do some more tests. But that's the basic idea.
It would also work if the user needed to add a suffix, say .privileged, in order to get to VLAN2 (a la hints file) and it rejected them entirely rather than dropping them on VLAN1 if they provided that but the device wasn't authorized.
Mangling the user name is usually a bad idea. Alan DeKok.