How to grant some (!) devices access to network but all others have to provide passwords
Hi, all! I'm pretty sure this is a very basic question which might have been discussed in the past already. But I'm new in this area so you might apologize this silly question.... In a school all devices (students laptops, mobiles, tablets) have to use username/password via Freeradius to get access to WLAN. But there are some well-defined school-owned devices (laptops, tablets) which should connect to WLAN immediately w/o any credentials. Which options do I have to realize that? MAC checks? Certificates? Thanks for your help Uwe
On Dec 22, 2019, at 6:18 AM, uj2.hahn@posteo.de wrote:
In a school all devices (students laptops, mobiles, tablets) have to use username/password via Freeradius to get access to WLAN. But there are some well-defined school-owned devices (laptops, tablets) which should connect to WLAN immediately w/o any credentials. Which options do I have to realize that? MAC checks? Certificates?
If the WiFi is using EAP / 802.1X, then you must use 802.1X for *all* devices. For school-owned devices, the best way to do this is via certificates. It's (somewhat) difficult to copy the certificate to another machine. If the device is stolen, you can just revoke the certificate. Alan DeKok.
Thanks, Alan! I generated brand new certificates and installed them on one Android tablet. But now I'm not sure what the expected use model is: Can I connect immediately without any credentials or do I have to provide a valid user/passwd once and it will be saved forever? When I try to connect I see the WLAN credential form again (although it looks different than before). So I have to enter some valid credential. Then it is saved. Is this the expected behavior? What is the expected message in the debug logfile saying everything is fine with the certificates? Thanks Uwe On 22.12.2019 15:47, Alan DeKok wrote:
On Dec 22, 2019, at 6:18 AM, uj2.hahn@posteo.de wrote:
In a school all devices (students laptops, mobiles, tablets) have to use username/password via Freeradius to get access to WLAN. But there are some well-defined school-owned devices (laptops, tablets) which should connect to WLAN immediately w/o any credentials. Which options do I have to realize that? MAC checks? Certificates? If the WiFi is using EAP / 802.1X, then you must use 802.1X for *all* devices.
For school-owned devices, the best way to do this is via certificates. It's (somewhat) difficult to copy the certificate to another machine. If the device is stolen, you can just revoke the certificate.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On Dec 23, 2019, at 12:12 PM, uj2.hahn@posteo.de wrote:
Thanks, Alan! I generated brand new certificates and installed them on one Android tablet.
That's good...
But now I'm not sure what the expected use model is: Can I connect immediately without any credentials or do I have to provide a valid user/passwd once and it will be saved forever?
If you use EAP-TLS, it shouldn't need a password. But in the end, this question is for the end user device, not for FreeRADIUS.
When I try to connect I see the WLAN credential form again (although it looks different than before). So I have to enter some valid credential. Then it is saved. Is this the expected behavior?
Ask the device manufacturer how their systems work. We didn't implement the UI on the android tablet, and we know nothing about it.
What is the expected message in the debug logfile saying everything is fine with the certificates?
The server sends an Access-Accept. If something goes wrong the error messages are large and descriptive. Alan DeKok.
Hi, if you are fine with EAP-TTLS then well and good else you can follow the below You need to understand the basic like why you are getting prompt to enter credentials and what happens inside when you enter correct credentials. please read about session-timeout and mac auth ( mixed with 802.1x ) authorize { preprocess # always check against the authorized_macs file first authorized_macs if (!ok) { # Reject if the MAC address was not permitted. reject } # If this is NOT 802.1x, mac-auth if (!EAP-Message) { # MAC address has already been checked, so accept update control { Auth-Type := Accept } } else { # Normal FreeRADIUS virtual server config goes here e.g. eap } } Session timeout can be configured on the RADIUS server so that each client can have a different timeout value. The Session-Timeout attribute as defined in RFC 2865 is included in the Access-Accept message, and sets the maximum number of seconds of service to be provided to the user before termination of the session. On Tue, Dec 24, 2019, 1:05 AM Alan DeKok <aland@deployingradius.com> wrote:
On Dec 23, 2019, at 12:12 PM, uj2.hahn@posteo.de wrote:
Thanks, Alan! I generated brand new certificates and installed them on one Android
tablet.
That's good...
But now I'm not sure what the expected use model is: Can I connect immediately without any credentials or do I have to provide a valid user/passwd once and it will be saved forever?
If you use EAP-TLS, it shouldn't need a password.
But in the end, this question is for the end user device, not for FreeRADIUS.
When I try to connect I see the WLAN credential form again (although it looks different than before). So I have to enter some valid credential. Then it is saved. Is this the expected behavior?
Ask the device manufacturer how their systems work. We didn't implement the UI on the android tablet, and we know nothing about it.
What is the expected message in the debug logfile saying everything is fine with the certificates?
The server sends an Access-Accept.
If something goes wrong the error messages are large and descriptive.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Thanks to all for help.
For now I'm fine. I might come back to this discussion when I rolled out
the solution into production.
Thanks
Uwe
On 26.12.2019 15:02, arjun sharma wrote:
> Hi,
>
> if you are fine with EAP-TTLS then well and good else you can follow the
> below
>
> You need to understand the basic like why you are getting prompt to enter
> credentials and what happens inside when you enter correct credentials.
>
> please read about session-timeout and mac auth ( mixed with 802.1x )
>
> authorize {
> preprocess
> # always check against the authorized_macs file first
> authorized_macs
>
> if (!ok) {
> # Reject if the MAC address was not permitted.
> reject
> }
>
> # If this is NOT 802.1x, mac-auth
> if (!EAP-Message) {
> # MAC address has already been checked, so accept
> update control {
> Auth-Type := Accept
> }
> }
> else {
> # Normal FreeRADIUS virtual server config goes here e.g.
> eap
> }
> }
>
> Session timeout can be configured on the RADIUS server so that each client
> can have a different timeout value. The Session-Timeout attribute as
> defined in RFC 2865 is included in the Access-Accept message, and sets the
> maximum number of seconds of service to be provided to the user before
> termination of the session.
>
>
>
> On Tue, Dec 24, 2019, 1:05 AM Alan DeKok <aland@deployingradius.com> wrote:
>
>> On Dec 23, 2019, at 12:12 PM, uj2.hahn@posteo.de wrote:
>>> Thanks, Alan!
>>> I generated brand new certificates and installed them on one Android
>> tablet.
>>
>> That's good...
>>
>>> But now I'm not sure what the expected use model is:
>>> Can I connect immediately without any credentials or do I have to
>> provide a valid user/passwd once
>>> and it will be saved forever?
>> If you use EAP-TLS, it shouldn't need a password.
>>
>> But in the end, this question is for the end user device, not for
>> FreeRADIUS.
>>
>>> When I try to connect I see the WLAN credential form again (although it
>> looks different than before).
>>> So I have to enter some valid credential. Then it is saved. Is this the
>> expected behavior?
>>
>> Ask the device manufacturer how their systems work. We didn't implement
>> the UI on the android tablet, and we know nothing about it.
>>
>>> What is the expected message in the debug logfile saying everything is
>> fine with the certificates?
>>
>> The server sends an Access-Accept.
>>
>> If something goes wrong the error messages are large and descriptive.
>>
>> Alan DeKok.
>>
>>
>> -
>> List info/subscribe/unsubscribe? See
>> http://www.freeradius.org/list/users.html
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
participants (3)
-
Alan DeKok -
arjun sharma -
uj2.hahn@posteo.de