I want to use freeRADIUS for a global MAC authentification but I cannot find any tutorials for that. What must I do realize it? Thanks in advance. Best regards, F. Niedernolte
Frederik.Niedernolte@Bertelsmann.de wrote:
I want to use freeRADIUS for a global MAC authentification but I cannot find any tutorials for that.
You just need to authenticate based on the User-Name and/or the password. There's nothing magic about MAC authentication. You're just calling the User-Name a "MAC" rather than a "name of a real person". Alan DeKok.
So a simple entry like User42 MAC := "02:01:02:03:04:05" in the users file would be enough!? -----Ursprüngliche Nachricht----- Von: freeradius-users-bounces+frederik.niedernolte=bertelsmann.de@lists.freeradius.org [mailto:freeradius-users-bounces+frederik.niedernolte=bertelsmann.de@lists.freeradius.org] Im Auftrag von Alan DeKok Gesendet: Mittwoch, 22. Oktober 2008 10:22 An: FreeRadius users mailing list Betreff: Re: MAC authentification Frederik.Niedernolte@Bertelsmann.de wrote:
I want to use freeRADIUS for a global MAC authentification but I cannot find any tutorials for that.
You just need to authenticate based on the User-Name and/or the password. There's nothing magic about MAC authentication. You're just calling the User-Name a "MAC" rather than a "name of a real person". Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Am Mittwoch, 22. Oktober 2008 10:41 schrieb Frederik.Niedernolte@bertelsmann.de:
So a simple entry like
User42 MAC := "02:01:02:03:04:05"
in the users file would be enough!?
It depends in which format your NAS sends the MAC address. Somtimes FR get something like 00-01-02-03-04-05 Please FR with option -X to see, what your NAS (Switch) sends. Greetings, -- Dr. Michael Schwartzkopff MultiNET Services GmbH Addresse: Bretonischer Ring 7; 85630 Grasbrunn; Germany Tel: +49 - 89 - 45 69 11 0 Fax: +49 - 89 - 45 69 11 21 mob: +49 - 174 - 343 28 75 mail: misch@multinet.de web: www.multinet.de Sitz der Gesellschaft: 85630 Grasbrunn Registergericht: Amtsgericht München HRB 114375 Geschäftsführer: Günter Jurgeneit, Hubert Martens --- PGP Fingerprint: F919 3919 FF12 ED5A 2801 DEA6 AA77 57A4 EDD8 979B Skype: misch42
OK, but the initial idea behind this is correct (without the MAC address syntax), isn't it? F. Niedernolte -----Ursprüngliche Nachricht----- Von: freeradius-users-bounces+frederik.niedernolte=bertelsmann.de@lists.freeradius.org [mailto:freeradius-users-bounces+frederik.niedernolte=bertelsmann.de@lists.freeradius.org] Im Auftrag von Michael Schwartzkopff Gesendet: Mittwoch, 22. Oktober 2008 10:54 An: FreeRadius users mailing list Betreff: Re: AW: MAC authentification Am Mittwoch, 22. Oktober 2008 10:41 schrieb Frederik.Niedernolte@bertelsmann.de:
So a simple entry like
User42 MAC := "02:01:02:03:04:05"
in the users file would be enough!?
It depends in which format your NAS sends the MAC address. Somtimes FR get something like 00-01-02-03-04-05 Please FR with option -X to see, what your NAS (Switch) sends. Greetings, -- Dr. Michael Schwartzkopff MultiNET Services GmbH Addresse: Bretonischer Ring 7; 85630 Grasbrunn; Germany Tel: +49 - 89 - 45 69 11 0 Fax: +49 - 89 - 45 69 11 21 mob: +49 - 174 - 343 28 75 mail: misch@multinet.de web: www.multinet.de Sitz der Gesellschaft: 85630 Grasbrunn Registergericht: Amtsgericht München HRB 114375 Geschäftsführer: Günter Jurgeneit, Hubert Martens --- PGP Fingerprint: F919 3919 FF12 ED5A 2801 DEA6 AA77 57A4 EDD8 979B Skype: misch42 - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
If you want to limit user access on specific MAC address use Calling-Station-Id attribute in radcheck table Or if you want to MAC address represent one user, add MAC address in radcheck table as a UserName and set User-Password to blank. On Wed, Oct 22, 2008 at 10:58 AM, <Frederik.Niedernolte@bertelsmann.de>wrote:
OK, but the initial idea behind this is correct (without the MAC address syntax), isn't it?
F. Niedernolte
-----Ursprüngliche Nachricht----- Von: freeradius-users-bounces+frederik.niedernolte=bertelsmann.de@ lists.freeradius.org [mailto:freeradius-users-bounces+frederik.niedernolte<freeradius-users-bounces%2Bfrederik.niedernolte> =bertelsmann.de@lists.freeradius.org] Im Auftrag von Michael Schwartzkopff Gesendet: Mittwoch, 22. Oktober 2008 10:54 An: FreeRadius users mailing list Betreff: Re: AW: MAC authentification
Am Mittwoch, 22. Oktober 2008 10:41 schrieb Frederik.Niedernolte@bertelsmann.de:
So a simple entry like
User42 MAC := "02:01:02:03:04:05"
in the users file would be enough!?
It depends in which format your NAS sends the MAC address. Somtimes FR get something like 00-01-02-03-04-05
Please FR with option -X to see, what your NAS (Switch) sends.
Greetings,
-- Dr. Michael Schwartzkopff MultiNET Services GmbH Addresse: Bretonischer Ring 7; 85630 Grasbrunn; Germany Tel: +49 - 89 - 45 69 11 0 Fax: +49 - 89 - 45 69 11 21 mob: +49 - 174 - 343 28 75
mail: misch@multinet.de web: www.multinet.de
Sitz der Gesellschaft: 85630 Grasbrunn Registergericht: Amtsgericht München HRB 114375 Geschäftsführer: Günter Jurgeneit, Hubert Martens
---
PGP Fingerprint: F919 3919 FF12 ED5A 2801 DEA6 AA77 57A4 EDD8 979B Skype: misch42
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Sort of. Entry can look like: ma:ca:dd:re:ss:xx Auth-Type := Accept No user42 - mac address will be coming as username regardless of who is using the machine. mac authentication authenticates the machine not the user. Ivan Kalik Kalik Informatika ISP Dana 22/10/2008, "Frederik.Niedernolte@bertelsmann.de" <Frederik.Niedernolte@bertelsmann.de> piše:
OK, but the initial idea behind this is correct (without the MAC address syntax), isn't it?
F. Niedernolte
-----Ursprüngliche Nachricht----- Von: freeradius-users-bounces+frederik.niedernolte=bertelsmann.de@lists.freeradius.org [mailto:freeradius-users-bounces+frederik.niedernolte=bertelsmann.de@lists.freeradius.org] Im Auftrag von Michael Schwartzkopff Gesendet: Mittwoch, 22. Oktober 2008 10:54 An: FreeRadius users mailing list Betreff: Re: AW: MAC authentification
Am Mittwoch, 22. Oktober 2008 10:41 schrieb Frederik.Niedernolte@bertelsmann.de:
So a simple entry like
User42 MAC := "02:01:02:03:04:05"
in the users file would be enough!?
It depends in which format your NAS sends the MAC address. Somtimes FR get something like 00-01-02-03-04-05
Please FR with option -X to see, what your NAS (Switch) sends.
Greetings,
-- Dr. Michael Schwartzkopff MultiNET Services GmbH Addresse: Bretonischer Ring 7; 85630 Grasbrunn; Germany Tel: +49 - 89 - 45 69 11 0 Fax: +49 - 89 - 45 69 11 21 mob: +49 - 174 - 343 28 75
mail: misch@multinet.de web: www.multinet.de
Sitz der Gesellschaft: 85630 Grasbrunn Registergericht: Amtsgericht München HRB 114375 Geschäftsführer: Günter Jurgeneit, Hubert Martens
---
PGP Fingerprint: F919 3919 FF12 ED5A 2801 DEA6 AA77 57A4 EDD8 979B Skype: misch42
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Frederik.Niedernolte@Bertelsmann.de wrote:
So a simple entry like
User42 MAC := "02:01:02:03:04:05"
in the users file would be enough!?
No. I mentioned the "User-Name" attribute, not the "MAC" attribute. Do you see the "MAC" attribute in the RADIUS packet? Does reading the "man" page for the "users" file lead you to believe that an entry like above will do *anything*? What I said was this: "MAC authentication" is nearly always just normal username/password authentication. If you can configure username/password authentication, you can configure MAC authentication. Just give the "users" names that match the MAC addresses in the Access-Request, and be sure that the "passwords" match the User-Password field in the Access-Request. It would help to *look* at an Access-Request for MAC authentication, and forget that it's something magic called "MAC authentication". Instead, figure out how you would get this user authenticated in normal user authentication. Alan DeKok.
Isn't it possible without a password? In the current situation I only add a MAC address to an access point and the client can connect to it. Because of many access points this task should be done by the RADIUS-server for all access points. So every access point should forward the authentification request from the client to the RADIUS-server. This server should check if the clients MAC address is allowed and then send back the result to the access point. F. Niedernolte -----Ursprüngliche Nachricht----- Von: freeradius-users-bounces+frederik.niedernolte=bertelsmann.de@lists.freeradius.org [mailto:freeradius-users-bounces+frederik.niedernolte=bertelsmann.de@lists.freeradius.org] Im Auftrag von Alan DeKok Gesendet: Mittwoch, 22. Oktober 2008 10:56 An: FreeRadius users mailing list Betreff: Re: AW: MAC authentification Frederik.Niedernolte@Bertelsmann.de wrote:
So a simple entry like
User42 MAC := "02:01:02:03:04:05"
in the users file would be enough!?
No. I mentioned the "User-Name" attribute, not the "MAC" attribute. Do you see the "MAC" attribute in the RADIUS packet? Does reading the "man" page for the "users" file lead you to believe that an entry like above will do *anything*? What I said was this: "MAC authentication" is nearly always just normal username/password authentication. If you can configure username/password authentication, you can configure MAC authentication. Just give the "users" names that match the MAC addresses in the Access-Request, and be sure that the "passwords" match the User-Password field in the Access-Request. It would help to *look* at an Access-Request for MAC authentication, and forget that it's something magic called "MAC authentication". Instead, figure out how you would get this user authenticated in normal user authentication. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Frederik.Niedernolte@Bertelsmann.de wrote:
Isn't it possible without a password?
Look at the debug output to see what the NAS is sending you. *I* don't have access to your NAS.
In the current situation I only add a MAC address to an access point and the client can connect to it. Because of many access points this task should be done by the RADIUS-server for all access points. So every access point should forward the authentification request from the client to the RADIUS-server. This server should check if the clients MAC address is allowed and then send back the result to the access point.
Yes... this isn't the first time we've seen requests for MAC authentication. We know how it works. We *don't* know exactly what your NAS puts in the packets. That's why we suggest debugging mode. Alan DeKok.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hi, The scheme used almost universally for Mac-Based authentication is User-Name == Calling-Station-ID, unfortunately the format of the two mac addresses often differ. Here are the examples from our configuration to perform mac-based authorisation. - --- authorize { # Rewrite called station id attributes into a standard format. if("%{Calling-Station-Id}" =~ /^([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2,})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})/i){ update request { Calling-Station-Id := "%{1}%{2}%{3}%{4}%{5}%{6}" } } if("%{User-Name}" =~ /^([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2,})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})/i){ update request { User-Name := "%{1}%{2}%{3}%{4}%{5}%{6}" } } if("%{User-Name}" =~ /^%{Calling-Station-Id}$/i){ update control { Autz-Type = 'mac-based' } } # Authorisation based on mac address Autz-Type mac-based { # This is where you do your authorisation checks update control { Auth-Type := 'Accept' } } } - --- No you don't need passwords, you force the server to send an Access-Accept or Access-Reject packet based on your authorisation policies for certain Mac-Addresses. Thanks, Arran - -- Arran Cudbard-Bell (A.Cudbard-Bell@sussex.ac.uk), Authentication, Authorisation and Accounting Officer, Infrastructure Services (IT Services), E1-1-08, Engineering 1, University Of Sussex, Brighton, BN1 9QT DDI+FAX: +44 1273 873900 | INT: 3900 GPG: 86FF A285 1AA1 EE40 D228 7C2E 71A9 25BB 1E68 54A2 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.8 (Darwin) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iEYEARECAAYFAkj/Cq4ACgkQcaklux5oVKL03ACeNVBkJOkyrnhNtjD+W23Mp8YX 78cAnRgNFEfsewQgPl9WaAO3fQ9btzym =dPsK -----END PGP SIGNATURE-----
I'm slightly curoous here. What happens when Script Kiddie then spoofs an appropriate MAC address? You have other mitigating measures in place? Sent from my iPhone On 22 Oct 2008, at 12:12, Arran Cudbard-Bell <A.Cudbard-Bell@sussex.ac.uk
wrote:
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
Hi,
The scheme used almost universally for Mac-Based authentication is User-Name == Calling-Station-ID, unfortunately the format of the two mac addresses often differ.
Here are the examples from our configuration to perform mac-based authorisation. - --- authorize {
# Rewrite called station id attributes into a standard format. if("%{Calling-Station-Id}" =~ /^([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f] {2,})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})/i){ update request { Calling-Station-Id := "%{1}%{2}%{3}%{4}%{5}%{6}" } }
if("%{User-Name}" =~ /^([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f] {2,})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})/i){ update request { User-Name := "%{1}%{2}%{3}%{4}%{5}%{6}" } }
if("%{User-Name}" =~ /^%{Calling-Station-Id}$/i){ update control { Autz-Type = 'mac-based' } }
# Authorisation based on mac address Autz-Type mac-based { # This is where you do your authorisation checks update control { Auth-Type := 'Accept' } }
}
- ---
No you don't need passwords, you force the server to send an Access-Accept or Access-Reject packet based on your authorisation policies for certain Mac-Addresses.
Thanks, Arran
- -- Arran Cudbard-Bell (A.Cudbard-Bell@sussex.ac.uk), Authentication, Authorisation and Accounting Officer, Infrastructure Services (IT Services), E1-1-08, Engineering 1, University Of Sussex, Brighton, BN1 9QT DDI+FAX: +44 1273 873900 | INT: 3900 GPG: 86FF A285 1AA1 EE40 D228 7C2E 71A9 25BB 1E68 54A2 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.8 (Darwin) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
iEYEARECAAYFAkj/Cq4ACgkQcaklux5oVKL03ACeNVBkJOkyrnhNtjD+W23Mp8YX 78cAnRgNFEfsewQgPl9WaAO3fQ9btzym =dPsK -----END PGP SIGNATURE----- - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Anders Holm wrote:
I'm slightly curoous here. What happens when Script Kiddie then spoofs an appropriate MAC address? You have other mitigating measures in place?
MAC auth just checks the MAC. If someone spoofs their MAC, they can circumvent security. MAC auth is not secure in the face of determined attack. 802.1x is needed for "real" security.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Anders Holm wrote:
I'm slightly curoous here. What happens when Script Kiddie then spoofs an appropriate MAC address? You have other mitigating measures in place?
There's nothing you can do, but then Mac-Based authentication should only ever be used to gain access to sensitive networks, that's why you have 802.1X authentication. The ideal situation is to have a NAS that supports both on it's wired ports, with a catch at the bottom. So in order of authorisational priority 1. 802.1X 2. Mac-Authentication/ Web-Auth 3. Unauthorised/ port closed So initially the device starts in the unauthorised state, if Mac-Based auth succeeds the port will change to reflect the PVID or any other parameters given in the Mac-Based/Web-Auth access accept, if not then the client remains in the unauthorised state. If at any point the client completes 802.1X authentication then the port will change to reflect the parameters given in the 802.1X Access-Accept, and any other sessions will be closed. If the client receives an EAPOL-Logoff, then the client returns to the unauthorised state, and the switch will start Mac-Based authentication again. In all cases the client physically disconnecting from the switch returns the port to the unauthorised/closed state. At least that's how it works in theory, there's no standard defining the interactions, it's very much dependent on the switch vendor. HP ProCurve switches as of 2600 series implement the behaviour described above. I believe Cisco do too, though Ciscos is more broken... Regards, Arran
Sent from my iPhone
On 22 Oct 2008, at 12:12, Arran Cudbard-Bell <A.Cudbard-Bell@sussex.ac.uk> wrote:
Hi,
The scheme used almost universally for Mac-Based authentication is User-Name == Calling-Station-ID, unfortunately the format of the two mac addresses often differ.
Here are the examples from our configuration to perform mac-based authorisation. --- authorize {
# Rewrite called station id attributes into a standard format. if("%{Calling-Station-Id}" =~ /^([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2,})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})/i){
update request { Calling-Station-Id := "%{1}%{2}%{3}%{4}%{5}%{6}" } }
if("%{User-Name}" =~ /^([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2,})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})/i){
update request { User-Name := "%{1}%{2}%{3}%{4}%{5}%{6}" } }
if("%{User-Name}" =~ /^%{Calling-Station-Id}$/i){ update control { Autz-Type = 'mac-based' } }
# Authorisation based on mac address Autz-Type mac-based { # This is where you do your authorisation checks update control { Auth-Type := 'Accept' } }
}
---
No you don't need passwords, you force the server to send an Access-Accept or Access-Reject packet based on your authorisation policies for certain Mac-Addresses.
Thanks, Arran
- - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- -- Arran Cudbard-Bell (A.Cudbard-Bell@sussex.ac.uk), Authentication, Authorisation and Accounting Officer, Infrastructure Services (IT Services), E1-1-08, Engineering 1, University Of Sussex, Brighton, BN1 9QT DDI+FAX: +44 1273 873900 | INT: 3900 GPG: 86FF A285 1AA1 EE40 D228 7C2E 71A9 25BB 1E68 54A2 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.8 (Darwin) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iEYEARECAAYFAkj/UB4ACgkQcaklux5oVKIYLwCfV8VSEIW1OxjD6bLM/BJUBxxG 0l4AoI5MPjdsQjL++RRk0UqKtdbm50No =ATo4 -----END PGP SIGNATURE-----
participants (8)
-
Alan DeKok -
Anders Holm -
Arran Cudbard-Bell -
Frederik.Niedernolte@Bertelsmann.de -
Marinko Tarlac -
Michael Schwartzkopff -
Phil Mayers -
tnt@kalik.net