Hi, we're just implementing port security with freeradius 1.1.6. For our XP-Boxes we'll use the built in 802.1x-supplicant. But there are some dumb thinclients without any supplicants available. Fortunately, we're able to modify the User Class option (option 77) within the dhcp-request of these thinclients. So, we're trying to authenticate the clients by using the modified dhcp-request. Do you have an idea how we can use this modified dhcp-request to authenticate angainst our radius server? Or any other idea? Kind regards, Thorsten -- Thorsten Leiser IT-Systembetreuung SYNCHRON Gesellschaft für betriebswirtschaftliche Beratung und Informationssysteme mbH Liebknechtstr. 50 70565 Stuttgart-Vaihingen Fon: 0711/7868-356 Fax: 0711/7868-446 www.synchron-is.de Sitz der Gesellschaft: Stuttgart Registergericht: Amtsgericht Stuttgart, HRB 8619 GF: Michael Schober - - - - - - - - - Diese E-Mail beinhaltet vertrauliche und/oder rechtlich geschuetzte Daten. Wenn Sie nicht der richtige Adressat sind oder diese E-Mail irrtuemlich erhalten haben, informieren Sie bitte sofort den Absender und vernichten Sie diese Mail. Das unerlaubte Kopieren sowie die unbefugte Weitergabe dieser Mail ist nicht gestattet. This e-mail may contain confidential and/or privileged data. If you are not the intended recipient or have received this e-mail in error, please notify the sender immediately and destroy this e-mail. Any unauthorized copying, disclosure or distribution of the content in this e-mail is strictly forbidden.
Thorsten Leiser wrote:
we're just implementing port security with freeradius 1.1.6. For our XP-Boxes we'll use the built in 802.1x-supplicant. But there are some dumb thinclients without any supplicants available. Fortunately, we're able to modify the User Class option (option 77) within the dhcp-request of these thinclients. So, we're trying to authenticate the clients by using the modified dhcp-request.
That requires modified clients, and DHCP servers. A better approach is to look for something like MAC authentication Bypass in Cisco switches. If the client doesn't do 802.1x within a certain time, the switch sends a RADIUS request containing the MAC address.
Do you have an idea how we can use this modified dhcp-request to authenticate angainst our radius server? Or any other idea?
Modifying DHCP isn't a good idea. Alan DeKok.
Hi Alan,
A better approach is to look for something like MAC authentication Bypass in Cisco switches. If the client doesn't do 802.1x within a certain time, the switch sends a RADIUS request containing the MAC address.
We have more than 200 ThinClients. I'm afraid, this would be unmanagable. If a Client dies and e.g. a fellow forgets to unregister the MAC-Address, the MAC-Address table of the radius server would be very messy after a few months. Do you know a solution, in which this "MAC"-Clients could be foolproof managed? Regards Thorsten "Alan DeKok" <aland@deployingradius.com> schrieb:
Thorsten Leiser wrote:
we're just implementing port security with freeradius 1.1.6. For our XP-Boxes we'll use the built in 802.1x-supplicant. But there are some dumb thinclients without any supplicants available. Fortunately, we're able to modify the User Class option (option 77) within the dhcp-request of these thinclients. So, we're trying to authenticate the clients by using the modified dhcp-request.
That requires modified clients, and DHCP servers.
A better approach is to look for something like MAC authentication Bypass in Cisco switches. If the client doesn't do 802.1x within a certain time, the switch sends a RADIUS request containing the MAC address.
Do you have an idea how we can use this modified dhcp-request to authenticate angainst our radius server? Or any other idea?
Modifying DHCP isn't a good idea.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- Thorsten Leiser IT-Systembetreuung SYNCHRON Gesellschaft für betriebswirtschaftliche Beratung und Informationssysteme mbH Liebknechtstr. 50 70565 Stuttgart-Vaihingen Fon: 0711/7868-356 Fax: 0711/7868-446 www.synchron-is.de Sitz der Gesellschaft: Stuttgart Registergericht: Amtsgericht Stuttgart, HRB 8619 GF: Michael Schober - - - - - - - - - Diese E-Mail beinhaltet vertrauliche und/oder rechtlich geschuetzte Daten. Wenn Sie nicht der richtige Adressat sind oder diese E-Mail irrtuemlich erhalten haben, informieren Sie bitte sofort den Absender und vernichten Sie diese Mail. Das unerlaubte Kopieren sowie die unbefugte Weitergabe dieser Mail ist nicht gestattet. This e-mail may contain confidential and/or privileged data. If you are not the intended recipient or have received this e-mail in error, please notify the sender immediately and destroy this e-mail. Any unauthorized copying, disclosure or distribution of the content in this e-mail is strictly forbidden.
Thorsten Leiser wrote:
We have more than 200 ThinClients. I'm afraid, this would be unmanagable. If a Client dies and e.g. a fellow forgets to unregister the MAC-Address, the MAC-Address table of the radius server would be very messy after a few months.
Huh? What do you mean by that? If you don't have Cisco switches, this discussion is pointless. If you do have Cisco switches, they will authenticate the MAC address as a known device. This is no different than authenticating the user/password as a known user. I have no idea what you mean by "unregister MAC address". There is no unregistering process needed, and I didn't talk about one. I have no idea what you mean by the "MAC address table getting messy". I made no mention of a MAC address table. I made no mention of updates to a MAC address table. You seem to have assumed a LOT about how MAC authentication bypass works. Forget all of those assumptions. They're wrong. MAC authentication just works by authenticating the MAC address. Just like users. Do normal users have to unregister? Does the user/password table get "messy" after people authenticate? No. Alan DeKok.
Hi! I couldn't find anything like this in Wiki or FAQ, so I'm asking here. Is there any example for using freeRADIUS and authenticate by MAC address?
MAC authentication = MAC address sent as username MACaddress Auth-Type:= Accept Ivan Kalik Kalik Informatika ISP Dana 24/11/2007, "Bernd" <s4ndm4n@gmx.de> piše:
Hi!
I couldn't find anything like this in Wiki or FAQ, so I'm asking here.
Is there any example for using freeRADIUS and authenticate by MAC address?
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
I have a MySQL database to do it. I set the MACadress as "UserName", "op" should be :=. What do I have to do with "Value" and "Attribute"? And are there any further settings to do in a conf. file? Bernd -----Ursprüngliche Nachricht----- Von: freeradius-users-bounces@lists.freeradius.org [mailto:freeradius-users-bounces@lists.freeradius.org] Im Auftrag von tnt@kalik.co.yu Gesendet: Samstag, 24. November 2007 11:52 An: FreeRadius users mailing list Betreff: Re: Authenticate by MAC address MAC authentication = MAC address sent as username MACaddress Auth-Type:= Accept Ivan Kalik Kalik Informatika ISP Dana 24/11/2007, "Bernd" <s4ndm4n@gmx.de> piše:
Hi!
I couldn't find anything like this in Wiki or FAQ, so I'm asking here.
Is there any example for using freeRADIUS and authenticate by MAC address?
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Bernd wrote:
I have a MySQL database to do it. I set the MACadress as "UserName", "op" should be :=. What do I have to do with "Value" and "Attribute"?
You have mixed that up. The MySQL schema attempts to mirror the "users" file. So see "man users", and the "users" file for examples of what to do. See also doc/rlm_sql
And are there any further settings to do in a conf. file?
To do what? Alan DeKok.
To do authentication by MAC-address. Maybe some settings in radiusd.conf or smth another conf. file. I can hardly believe it's just typing the MAC-adress into the database and it works? -----Ursprüngliche Nachricht----- Von: freeradius-users-bounces+s4ndm4n=gmx.de@lists.freeradius.org [mailto:freeradius-users-bounces+s4ndm4n=gmx.de@lists.freeradius.org] Im Auftrag von Alan DeKok Gesendet: Mittwoch, 5. Dezember 2007 11:24 An: FreeRadius users mailing list Betreff: Re: AW: Authenticate by MAC address Bernd wrote:
I have a MySQL database to do it. I set the MACadress as "UserName", "op" should be :=. What do I have to do with "Value" and "Attribute"?
You have mixed that up. The MySQL schema attempts to mirror the "users" file. So see "man users", and the "users" file for examples of what to do. See also doc/rlm_sql
And are there any further settings to do in a conf. file?
To do what? Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
i don't use a database, but for the normal flat textfile you set the mac address as username and as password. The switch(i have procurves) sends the macadress as both username and password to the radius server. Stieven Struyf M.I.S. Division - System Operations Komatsu Europe International NV Mechelsesteenweg 586 B-1800 Vilvoorde Stieven.Struyf@komatsu.eu Tel. +32 (0)2 2552551 "The question of whether a computer can think is no more interesting than the question of whether a submarine can swim." -- E. W. Dijkstra "Bernd" <s4ndm4n@gmx.de> Sent by: freeradius-users-bounces+stieven.struyf=komatsu.eu@lists.freeradius.org 05-12-07 11:53 Please respond to FreeRadius users mailing list <freeradius-users@lists.freeradius.org> To "'FreeRadius users mailing list'" <freeradius-users@lists.freeradius.org> cc Subject AW: AW: Authenticate by MAC address To do authentication by MAC-address. Maybe some settings in radiusd.conf or smth another conf. file. I can hardly believe it's just typing the MAC-adress into the database and it works? -----Ursprüngliche Nachricht----- Von: freeradius-users-bounces+s4ndm4n=gmx.de@lists.freeradius.org [mailto:freeradius-users-bounces+s4ndm4n=gmx.de@lists.freeradius.org] Im Auftrag von Alan DeKok Gesendet: Mittwoch, 5. Dezember 2007 11:24 An: FreeRadius users mailing list Betreff: Re: AW: Authenticate by MAC address Bernd wrote:
I have a MySQL database to do it. I set the MACadress as "UserName", "op" should be :=. What do I have to do with "Value" and "Attribute"?
You have mixed that up. The MySQL schema attempts to mirror the "users" file. So see "man users", and the "users" file for examples of what to do. See also doc/rlm_sql
And are there any further settings to do in a conf. file?
To do what? Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html "This e-mail is property of the company and is supposed to contain only professional content. The company can at all times consult the content of this e-mail and the reply to this e-mail. By replying to this e-mail, you confirm your explicit agreement with the preceding." "Deze e-mail is het eigendom van de Vennootschap en wordt verondersteld enkel beroepsmatige informatie te bevatten. De Vennootschap kan ten allen tijden de inhoud van deze e-mail en van het antwoord daarop raadplegen. Door het beantwoorden van deze e-mail bevestigt U uitdrukkelijk uw akkoord met het voorafgaande."
That's it. Simple and unsecure. Ivan Kalik Kalik Informatika ISP Dana 5/12/2007, "Bernd" <s4ndm4n@gmx.de> piše:
To do authentication by MAC-address. Maybe some settings in radiusd.conf or smth another conf. file. I can hardly believe it's just typing the MAC-adress into the database and it works?
-----Ursprüngliche Nachricht----- Von: freeradius-users-bounces+s4ndm4n=gmx.de@lists.freeradius.org [mailto:freeradius-users-bounces+s4ndm4n=gmx.de@lists.freeradius.org] Im Auftrag von Alan DeKok Gesendet: Mittwoch, 5. Dezember 2007 11:24 An: FreeRadius users mailing list Betreff: Re: AW: Authenticate by MAC address
Bernd wrote:
I have a MySQL database to do it. I set the MACadress as "UserName", "op" should be :=. What do I have to do with "Value" and "Attribute"?
You have mixed that up. The MySQL schema attempts to mirror the "users" file. So see "man users", and the "users" file for examples of what to do.
See also doc/rlm_sql
And are there any further settings to do in a conf. file?
To do what?
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
participants (5)
-
Alan DeKok -
Bernd -
Stieven.Struyf@komatsu.eu -
Thorsten Leiser -
tnt@kalik.co.yu