Martin.Ward@uk.neceur.com wrote:
I have a wireless LAN switch which has access points ( APs ) connected to it. When a laptop first connects to an AP that AP sends a RADIUS request through the WLAN switch to the RADIUS server, passing the MAC address of the laptop as the User-Name and also as the User-Password. I have a simple flat file with all the allowed MAC addresses in it, and the passwd module is being used to verify that the MAC address is in that flat file. This works well.
OK...
Now because the WLAN switch is configured to use RADIUS to authenticate laptops, it also uses it to authenticate logins to the switch itself, I haven't found a way around this and don't think there is one.
The "access point login" packets will be different from the "mac address login" packets. Use those differences as a key to decide when to allow MAC address authentication.
2. The proper administrators, and the default administration login itself, have to be put in to the flat file I mentioned above to allow the administrators access to the switch. The switch won't use its own internal user and password list. This causes another security breach as we would have to leave administrator logins and passwords lying around in flat files, which is extremely insecure and just begging to be broken.
So use crypt'd passwords in FreeRADIUS.
Investigation reveals that when the AP passes the RADIUS request in, the request sets 'NAS-Port-Type = Wireless-802.11' and the NAS-Port-ID to the correct port value, while when the switch requests a login to be authenticated the request contains 'NAS-Port-Type = Virtual', and doesn't have the NAS-Port-ID or NAS-Indentifier parameters set.
There you go.
So, it seems I have lots of information to help me define if a RADIUS request is coming from an access point (which requires MAC address validation) or from the switch (which requires login username and password validation), but I can't find a way of verifying via passwd OR Unix module, only via both.
See doc/Autz-Type In the "users" file, do: DEFAULT NAS-Port-Type == Virtual, Auth-Type := System DEFAULT NAS-Port-Type == Wireless-802.11, Autz-Type := bar DEFAULT Auth-Type := Reject Then in radiusd.conf, "authorize" section, add at the bottom: Autz-type bar { passwd } And it should work.
Is what I am after possible, or do I just not understand the way RADIUS servers work?
It's possible. You've described the problem and the information you have well. All you need is pointers to the docs & sample configurations. Alan DeKok.