802.1x computer authentication config issue/question
Hi, First post and new to FreeRadius though have been using RADIUS in the Windows world for many years. I have a small network with a Linux server and a mix of Windows XP and Windows 7 laptops that I am trying to run 802.1x authentication on. I only want to use computer/machine auth (user auth handled elsewhere) so I have FreeRADIUS set up to use EAP-TLS. I have the CA cert and the appropriate client certs installed on the laptops and appropriate client configurations for the switch and AP. I've also config'd the laptops to use machine auth only. 802.1x appears to be working; any laptop with the certs/config is able to access the wired and/or wireless network and any laptop without is denied access. However, in my previous experience with RADIUS (IAS/NPS in the Windows world), I am able to control access at a policy level as well; any machine not part of a specific group is denied access, regardless of what certificate is installed and what configuration is present on the laptop. I played around with the users file in FreeRADIUS but it didn't seem to have any effect unless I put a DEFAULT Auth-Type Reject in the file which blocked everyone regardless of what else I had in the users file. I've Googled around a bit but haven't found any definitive guides on how I would do a FreeRADIUS analog to Windows IAS/NPS policies other than having to include ldap servers and/or other types of external authentication systems which I'm not really interested (at this point) in doing. Guessing that I'm missing something so hoping that someone elss has done this or can guide me in how to do local (to the RADIUS server) machine policies - I just want to be able to say "laptop1234...", etc are part of a local group and are authorized (provided that they are properly provisioned with certs, etc). Any thoughts - thanks in advance :)
spartan1833@hushmail.com wrote:
802.1x appears to be working; any laptop with the certs/config is able to access the wired and/or wireless network and any laptop without is denied access. However, in my previous experience with RADIUS (IAS/NPS in the Windows world), I am able to control access at a policy level as well; any machine not part of a specific group is denied access, regardless of what certificate is installed and what configuration is present on the laptop.
You can do that in FreeRADIUS, too. You can do LDAP group comparisons: http://wiki.freeradius.org/modules/Rlm_ldap
I played around with the users file in FreeRADIUS but it didn't seem to have any effect unless I put a DEFAULT Auth-Type Reject in the file which blocked everyone regardless of what else I had in the users file.
Well... playing around isn't useful. You need to first define the problem, and then look for a solution. The problem here seems to be looking up groups in LDAP, right? So... configure the LDAP module. Read it's documentation.
I've Googled around a bit but haven't found any definitive guides on how I would do a FreeRADIUS analog to Windows IAS/NPS policies other than having to include ldap servers and/or other types of external authentication systems which I'm not really interested (at this point) in doing.
Are groups are stored in LDAP? If so, you need to configure FreeRADIUS to talk to the LDAP server.
Guessing that I'm missing something so hoping that someone elss has done this or can guide me in how to do local (to the RADIUS server) machine policies - I just want to be able to say "laptop1234...", etc are part of a local group and are authorized (provided that they are properly provisioned with certs, etc).
Where are those groups defined? Right now, your question is "I want to do stuff but I don't know how". You need to describe what you want to do, in detail. Alan DeKok.
On 12/27/2012 02:32 PM, spartan1833@hushmail.com wrote:
I played around with the users file in FreeRADIUS but it didn't seem to have any effect unless I put a DEFAULT Auth-Type Reject in the file which blocked everyone regardless of what else I had in the users file. I've Googled around a bit but haven't found any definitive guides on how I would do a FreeRADIUS analog to Windows IAS/NPS policies other than having to include ldap servers and/or other types of external authentication systems which I'm not really interested (at this point) in doing.
LDAP is not an authentication system (not really). It's a directory, which is a form of database. You are, obviously, going to need some form of "database" in which your policy "memberships" are stored; FreeRADIUS provides several built-in modules (LDAP, SQL, files, passwd-style) that can do this. However - you're going to run into the fact that EAP-TLS as implemented in the 2.x branch doesn't offer very much in the way of authorization - the only place you can run a database lookup and be sure you have the TLS cert details is post-auth (a virtual server step was added in master/3.x). Basically: 1. Define a local attribute in raddb/dictionary to hold your groups. Note carefully the stuff in the default dictionary file about local attribute numbers. 2. Configure one of the various data lookup modules (passwd and files are the simplest but least flexible) to lookup the groups based on the TLS cert attributes (see below) 3. Run this module in the post-auth section, and act on the result. raddb/sites-available/default contains comments to this effect in post-auth - search for "TLS-Client" in that file, which also tells you the various TLS cert attributes you can use. About the only difficult bit is step 2; I thought I'd written something in the wiki about this, but I can't find it (and I can't log in anymore). If you've got a more specific question, I'll try to reply, but you'll need to do a bit of research into the various "database" modules and decide which one you want to use first.
participants (3)
-
Alan DeKok -
Phil Mayers -
spartan1833ï¼ hushmail.com