Hi! im currently running eap-tls with username and password (from ldap), but now we're having a bunch of "stupid" wlan-client machines, and we need an simple mac-auth (from ldap?) to the network. basic idea: (example from outside world) "so, no certificate and login credentials, cant let you in. but im on an vip-list!. Oh, i see, come on in, sorry for inconvenience", for now we are happy to get just that to work, next level would be something concerning vlans... i think (in the long run) we don't want to have too much accessibility in those stupid machines. poorly explained, not enough coffee in veins yet... thanks in advance
Mikko Husari wrote:
Hi!
im currently running eap-tls with username and password (from ldap), but now we're having a bunch of "stupid" wlan-client machines, and we need an simple mac-auth (from ldap?) to the network. basic idea: (example from outside world) "so, no certificate and login credentials, cant let you in. but im on an vip-list!. Oh, i see, come on in, sorry for inconvenience", for now we are happy to get just that to work, next
Most APs will require a separate SSID for this I think - your MAC-auth one will need to be unauthenticated and the 802.1x one WPA (or whatever) and the beacon frames will reflect that. Having said that, assuming your AP can authenticate the MACs against radius (many can - Ciscos can) then FreeRadius can do it fine, it's very simple. Do you have a specific question?
level would be something concerning vlans... i think (in the long run)
Again, provided the AP supports it, easy.
Phil Mayers wrote:
Mikko Husari wrote:
Hi!
im currently running eap-tls with username and password (from ldap), but now we're having a bunch of "stupid" wlan-client machines, and we need an simple mac-auth (from ldap?) to the network. basic idea: (example from outside world) "so, no certificate and login credentials, cant let you in. but im on an vip-list!. Oh, i see, come on in, sorry for inconvenience", for now we are happy to get just that to work, next
Most APs will require a separate SSID for this I think - your MAC-auth one will need to be unauthenticated and the 802.1x one WPA (or whatever) and the beacon frames will reflect that.
Having said that, assuming your AP can authenticate the MACs against radius (many can - Ciscos can) then FreeRadius can do it fine, it's very simple. Do you have a specific question?
level would be something concerning vlans... i think (in the long run)
Again, provided the AP supports it, easy. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
well, im not so sure the ap-supports mac-auth using radius... it is zyxel zyair g-1000, manual did not say anything about radius+mac, other sort of radius is supported (has to be cause it works)
Phil Mayers wrote:
Mikko Husari wrote:
Hi!
im currently running eap-tls with username and password (from ldap), but now we're having a bunch of "stupid" wlan-client machines, and we need an simple mac-auth (from ldap?) to the network. basic idea: (example from outside world) "so, no certificate and login credentials, cant let you in. but im on an vip-list!. Oh, i see, come on in, sorry for inconvenience", for now we are happy to get just that to work, next
Most APs will require a separate SSID for this I think - your MAC-auth one will need to be unauthenticated and the 802.1x one WPA (or whatever) and the beacon frames will reflect that.
Having said that, assuming your AP can authenticate the MACs against radius (many can - Ciscos can) then FreeRadius can do it fine, it's very simple. Do you have a specific question?
level would be something concerning vlans... i think (in the long run)
Again, provided the AP supports it, easy. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
so, did i understand it correctly, ap should have some "special" radius+mac support to create a wlan-network that includes mac-authentication using centralized (radius) mac-address database?
Mikko Husari wrote:
Hi!
im currently running eap-tls with username and password (from ldap), but now we're having a bunch of "stupid" wlan-client machines, and we need an simple mac-auth (from ldap?) to the network. basic idea: (example from outside world) "so, no certificate and login credentials, cant let you in. but im on an vip-list!. Oh, i see, come on in, sorry for inconvenience", for now we are happy to get just that to work, next level would be something concerning vlans... i think (in the long run) we don't want to have too much accessibility in those stupid machines. poorly explained, not enough coffee in veins yet...
thanks in advance - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Wouldn't i just be able to create hints rule that says "if calling-station-id == xx-xx-xx-xx-xx permit access" , or something similar?
Mikko Husari wrote:
Mikko Husari wrote:
Hi!
im currently running eap-tls with username and password (from ldap), but now we're having a bunch of "stupid" wlan-client machines, and we need an simple mac-auth (from ldap?) to the network. basic idea: (example from outside world) "so, no certificate and login credentials, cant let you in. but im on an vip-list!. Oh, i see, come on in, sorry for inconvenience", for now we are happy to get just that to work, next level would be something concerning vlans... i think (in the long run) we don't want to have too much accessibility in those stupid machines. poorly explained, not enough coffee in veins yet...
thanks in advance - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Wouldn't i just be able to create hints rule that says "if calling-station-id == xx-xx-xx-xx-xx permit access" , or something similar?
Yes. Like I said, it's easy. My advice would be to use an rlm_passwd with a key of calling-station-id and use the authtype value on the module instance to set to Accept. As I said, your AP still needs to support sending the MAC to Radius on association. I suggest you consult your AP docs.
Phil Mayers wrote:
Mikko Husari wrote:
Mikko Husari wrote:
Hi!
im currently running eap-tls with username and password (from ldap), but now we're having a bunch of "stupid" wlan-client machines, and we need an simple mac-auth (from ldap?) to the network. basic idea: (example from outside world) "so, no certificate and login credentials, cant let you in. but im on an vip-list!. Oh, i see, come on in, sorry for inconvenience", for now we are happy to get just that to work, next level would be something concerning vlans... i think (in the long run) we don't want to have too much accessibility in those stupid machines. poorly explained, not enough coffee in veins yet...
thanks in advance - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Wouldn't i just be able to create hints rule that says "if calling-station-id == xx-xx-xx-xx-xx permit access" , or something similar?
Yes. Like I said, it's easy.
My advice would be to use an rlm_passwd with a key of calling-station-id and use the authtype value on the module instance to set to Accept.
As I said, your AP still needs to support sending the MAC to Radius on association. I suggest you consult your AP docs. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
well, i managed to do a "module" that it checks the file and returns ok/not found/noop, but now my problem is that how to do so that it authorizes me according to the maclist... at the moment it checks the eap-tls module... well, theres two section on that radiusd.conf, authenticate and authorize, i tried listing that maclist module in the last and it complained that passwd modules are not allowed in there...
participants (2)
-
Mikko Husari -
Phil Mayers