Verify certificate <-> mac mapping in openldap..
so I've done some research, looking at how freeradius works now, it manages to identify hostnames from certificates which are issued to a given host, blah blah blah. suffice it to say when "lain" authenticates, it knows it's lain. I want to make sure that lain's MAC address matches what I know lain's mac address to be. more importantly, if lain's mac address isn't known, I'd like it to log the mac address (which it does now already) and NOT give an error. Also, I'd like to be able to shove hosts into groups, such as "disabled". I need advice on just what information needs to be stored in openldap, and just which changes need to be made to freeradius. I've done a little independent research, and I think I can use a definition for a host as a "device" with a cn, and an "ieee802Device" with a mac address. I can create a group of unique names, or is there some other mechanism I have to use for groups to work with freeradius? will this scheme work with freeradius? is there some better, more established standard to store this mapping of hostname from certificate to mac address? and last, but not least, what do I have to do to make sure that an absence of mac address doesn't trigger a failure, but the presence of a wrong mac address does?
Christ Schlacta wrote:
so I've done some research, looking at how freeradius works now, it manages to identify hostnames from certificates which are issued to a given host, blah blah blah. suffice it to say when "lain" authenticates, it knows it's lain. I want to make sure that lain's MAC address matches what I know lain's mac address to be. more importantly, if lain's mac address isn't known, I'd like it to log the mac address (which it does now already) and NOT give an error. Also, I'd like to be able to shove hosts into groups, such as "disabled".
That can be done.
I need advice on just what information needs to be stored in openldap,
MAC addresses?
and just which changes need to be made to freeradius.
You need to write down the exact set of steps required to implement the above policy. What is in a packet? How is that information used? Where are the known MAC addresses? Where are the groups stored? What information is used to look up the groups? The overwhelming majority of issues people see when creating policies are due to poor specifications. The more detailed the specification, the more successful you will be.
I've done a little independent research, and I think I can use a definition for a host as a "device" with a cn, and an "ieee802Device" with a mac address. I can create a group of unique names, or is there some other mechanism I have to use for groups to work with freeradius?
See the rlm_ldap documentation for how it handles groups. They're usually based on User-Names. If you want a *different* kind of grouping, you'll have to create it yourself.
will this scheme work with freeradius? is there some better, more established standard to store this mapping of hostname from certificate to mac address?
Databases. SQL, LDAP, whatever. This isn't a RADIUS issue: Q: given X, how do I look up Y? A: put X and Y into a DB, and write a DB query to use X to look up Y.
and last, but not least, what do I have to do to make sure that an absence of mac address doesn't trigger a failure, but the presence of a wrong mac address does?
Write the policy for that. The MAC address is stored in the Calling-Station-Id attribute. So... "if the Calling-Station-Id exists, do MAC lookups. Otherwise, don't" Alan DeKok.
I read most of what you said, and spend a few hours with the wifi "down for maintenance" while noone was on, and got it working. it now authenticates macAddress == Calling-Station-ID when the mac is available, and doesn't fail when it's not available, and works when it is available. There's only one thing I didn't think of that needs changing: I want to be able to also say "If there's no rdn for this hostname (IE: user isn't found at all in the directory) then the auth should fail. there's no one entry that's guaranteed to exist though. host, description, macAddress, and owner are all common, but every device is missing one or more of them :( I can't think of any other way to ensure that a user is found On 12/21/2010 01:37, Alan DeKok wrote:
Christ Schlacta wrote:
so I've done some research, looking at how freeradius works now, it manages to identify hostnames from certificates which are issued to a given host, blah blah blah. suffice it to say when "lain" authenticates, it knows it's lain. I want to make sure that lain's MAC address matches what I know lain's mac address to be. more importantly, if lain's mac address isn't known, I'd like it to log the mac address (which it does now already) and NOT give an error. Also, I'd like to be able to shove hosts into groups, such as "disabled". That can be done.
I need advice on just what information needs to be stored in openldap, MAC addresses?
and just which changes need to be made to freeradius. You need to write down the exact set of steps required to implement the above policy. What is in a packet? How is that information used? Where are the known MAC addresses? Where are the groups stored? What information is used to look up the groups?
The overwhelming majority of issues people see when creating policies are due to poor specifications. The more detailed the specification, the more successful you will be.
I've done a little independent research, and I think I can use a definition for a host as a "device" with a cn, and an "ieee802Device" with a mac address. I can create a group of unique names, or is there some other mechanism I have to use for groups to work with freeradius? See the rlm_ldap documentation for how it handles groups. They're usually based on User-Names.
If you want a *different* kind of grouping, you'll have to create it yourself.
will this scheme work with freeradius? is there some better, more established standard to store this mapping of hostname from certificate to mac address? Databases. SQL, LDAP, whatever. This isn't a RADIUS issue:
Q: given X, how do I look up Y? A: put X and Y into a DB, and write a DB query to use X to look up Y.
and last, but not least, what do I have to do to make sure that an absence of mac address doesn't trigger a failure, but the presence of a wrong mac address does? Write the policy for that. The MAC address is stored in the Calling-Station-Id attribute. So... "if the Calling-Station-Id exists, do MAC lookups. Otherwise, don't"
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Sorry for the late reply, if you wantmore details, do contact me offline. Christ Schlacta <lists@aarcane.org> wrote:
I've done a little independent research, and I think I can use a definition for a host as a "device" with a cn, and an "ieee802Device" with a mac address. I can create a group of unique names, or is there some other mechanism I have to use for groups to work with freeradius? will this scheme work with freeradius? is there some better, more established standard to store this mapping of hostname from certificate to mac address?
I started off down that route, then noticed rolling dNSZone[1] and dhcpService[2] would make things a lot nicer for us. I created my own objectClass (it only took a week for us to register[3] for our own enterprise number) and borged other handy objectClass's and hocked together something I call LanWarden. Our LDAP objects look like: ---- cn=001122334455,ou=soas-reg,ou=Hosts,ou=LanWarden,o=soas lanwardenHostState: enable lanwardenHostNotes: 20100614081331Z - general - registered via LWadd lanwardenHostRegisteredTC: SOAS lanwardenHostRegisteredTC: JANET lanwardenHostRegisteredTime: 20100614081331Z lanwardenHostRegisteredBy: cn=ac56,ou=Staff,ou=Active,ou=Accounts,o=soas dhcpHWAddress: ethernet 00:11:22:33:44:55 lanwardenHostAuthenticateMethod: mac <----- PERMIT MAC-AUTH serialNumber: 1234 owner: cn=Helpdesk,ou=Staff,ou=Active,ou=Accounts,o=soas o: soas.ac.uk objectClass: Top objectClass: dhcpHost objectClass: Device objectClass: lanwardenHost cn: 001122334455 cn=users-staff,ou=Networks,ou=LanWarden,o=soas o: soas ou: 76 objectClass: Top objectClass: dhcpService objectClass: lanwardenNetwork member: cn=001122334455,ou=soas-reg,ou=Hosts,ou=LanWarden,o=soas member: ... cn: users-staff <----- VLAN ID ----
and last, but not least, what do I have to do to make sure that an absence of mac address doesn't trigger a failure, but the presence of a wrong mac address does?
I default to a particular 'quarantine' VLAN and have a group membership lookup amend the VLAN to it's final resting place. If there is no group match (as the user does not exist), they stay in the 'unauthorised' VLAN. ---- post-auth { ... # defaults update reply { Tunnel-Type := VLAN Tunnel-Medium-Type := IEEE-802 Tunnel-Private-Group-Id := "unauthorised" Termination-Action := RADIUS-Request # Cisco only support a max of 65535 Session-Timeout := 64800 Acct-Interim-Interval := 3600 } if ((EAP-Message) && !(Ldap-UserDn)) { cache_ldap-userdn } lanwarden_vlan if (!(control:Tunnel-Private-Group-Id) || control:Tunnel-Private-Group-Id == "") { if (Realm == "DEFAULT") { update reply { Tunnel-Private-Group-Id := "eduroam" } } # to be removed once we register personal workstations elsif (Realm == "%{config:local.MY.realm}") { update reply { Tunnel-Private-Group-Id := "users-unmanaged" } } } elsif (!ok) { update reply { Reply-Message := "LW: failed lanwardenNetwork" } reject } # here 'Tunnel-Private-Group-Id' is possibly different # from it's default ... } ---- Unfortunately there is a lot of complexity in the policy.conf defined 'lanwarden_vlan' and the unlang bit trailing it as FreeRADIUS does not support xlat with virtual failover modules. Cheers [1] http://bind9-ldap.bayour.com/ [2] https://github.com/dcantrell/ldap-for-dhcp/wiki [3] http://pen.iana.org/pen/PenApplication.page -- Alexander Clouter .sigmonster says: Default, n.: The hardware's, of course.
participants (3)
-
Alan DeKok -
Alexander Clouter -
Christ Schlacta