Re: must i use rlm_ldap to use groups/ou via winbind/Active Directory?
.
That depends on capabilities of your equipment. This how Cisco implements it:
www.cisco.com/univercd/cc/td/doc/solution/macauthb.pdf
Other vendors have more on less the same. It is enabled on some models and not on others.
Thanks for this.
So this policy would check the huntgroup that the NAS was a member of and then go on to check if the users was part of the proper Ldap-Group and assuming that both were true then access would be granted. I am still not clear how some hunt groups will always require a host cert and others never will. Is this set in the hunt group?
No, on the equipment. Your setup is such that you have to enforce (enable/disable) it on hardware. If you would require certificates for access to all hardware you could enforce it with AD Group Policy. Like this students don't need machine certificates for wireless access. So, you should enable mac auth bypass on your student APs. Most APs should have such feature.You should make students register mac address of their wireless equipment if they want to connect.
Hmm. I don't think I like this approach for a couple of reasons, perhaps you can let me know if I am thinking about this incorrectly. We already use mac address as an auth scheme and I want to move away from this because of the ease of mac spoofing in a wireless environment. That's why I hoped to move to username/password authentication with WPA2 that was centrally managed via freeradius <=> Active Directory. I currently have a fairly central way to manage access by mac, but I would have to give that up if I had to maintain a mac address table on each NAS. I guess I could add a list of allowed mac addresses in the freeradius/users file and maintain it from there? Just so I understand you clearly, we can't have 1 class of users who must use host certs via NAS A and another class of uses who never have to use certs via NAS B on the same freeradius server? If that is the case I think I might want to set up a second instance of Freeradius and point the NAS that don't require host certs at that one. I could simply mint another virtual freeradius instance in freeradius/sites-enabled couldn't I? If I have this all muddled up, I hope you'll straighten me out. Thanks for all of your help. John
Hmm. I don't think I like this approach for a couple of reasons, perhaps you can let me know if I am thinking about this incorrectly.
We already use mac address as an auth scheme and I want to move away from this because of the ease of mac spoofing in a wireless environment. That's why I hoped to move to username/password authentication with WPA2 that was centrally managed via freeradius <=> Active Directory.
Fine. But what about authenticating machines? They do get to the NAS first.
I currently have a fairly central way to manage access by mac, but I would have to give that up if I had to maintain a mac address table on each NAS. I guess I could add a list of allowed mac addresses in the freeradius/users file and maintain it from there?
Yes. It's of no particular relevance for mac authentication if addresses are stored locally or with radius server.
Just so I understand you clearly, we can't have 1 class of users who must use host certs via NAS A and another class of uses who never have to use certs via NAS B on the same freeradius server?
Radius server is irrelevant. Authentication protocol is negotiated *solely* by NAS and supplicant. For dot1x equipment you usually have three options: - EAP: everybody has to do EAP - machines usually do certificates and people certs or user/pass - EAP + mac auth bypass: PAP is allowed for known mac addresses; everybody else has to do EAP - so called "open" authentication: free for all - port authentication is switched off; you would noramally tie this to a captive portal and have portal do authentication On the other hand, NAS doesn't care what EAP type is supplicant using (certificates or user/pass). In short, you can't do EAP, not require machine certificates *and* not do mac authentication. One of these will have to give. What you don't seem to comprehend is that machines and people are two completely separate things for NAS. It doesn't know who is using which machine and it doesn't care. Neither does radius. If you do care, you will have to create the link (by checking Calling-Station-Id). You could probably get away with not performing mac auth (ie. not storing any mac addresses). But considering that you need them for Calling-Station-Id checks ... why? Do you really want unauthenticated machines bombarding your radius server with pointless requests once a second (there is a 1 second delay on Access-Rejects in freeradius)?
If that is the case I think I might want to set up a second instance of Freeradius and point the NAS that don't require host certs at that one. I could simply mint another virtual freeradius instance in freeradius/sites-enabled couldn't I?
No, all these policies can be implemented on the same server. With right huntgroup/Ldap-Group combinations. Ivan Kalik Kalik Informatika ISP
participants (2)
-
Ivan Kalik -
john