Is WLAN IEEE802.1x EAP-TLS authentication with ESSID selection possible?
Hi FreeRADIUS user community I'm in search for some ideas for the following situation: Given are several WLANS controlled by a Siemens Hipath C2400 WLAN Controller with Siemens APs. The controller provides different WLANs identified by different ESSIDs. All WLAN Clients use IEEE802.1x authentication with EAP-TLS and client certificates. The authentication is done by FreeRADIUS 1.0.1 on Redhat EL AS4. At the moment, all clients use certificates and inside the FreeRADIUS eap-tls section the ca certificates are trusted. All Windows clients use a MS CA an have certificates with the Windows system name as the certificates common name. Other devices like mobile scanners or WLAN mobile phones (VoIP) have manually generated certificates with the device type as the certificates common name like "phone", "mobile scanner" or else. So long, it works. But now I was asked if it is possible to restrict the association of several device types to defined ESSIDs. There shoul be a WLAN "office" where all devices are allowed to connect if they have a valid certificate. Other ESSIDs should only accept special devices, eg. only devices with the certificates common name "phone" should be allowed to connect to the ESSID "voice". I know, the Siemens controller is able to send the ESSID the device is trying to connect inside the RADIUS request as vendor specific attribute. Is it possible with FreeRADIUS to match these requirements? To select based on the ESSID the device is connecting to? If the connecting ESSID is "office", all devices with a valid certificate are allowed to connect. If the ESSID is "voice", only devices with a valid certificate and with a certificates common name that contains "*phone*" are allowed to connect. If the ESSID is "production-1", only devices with a valid certificate and with a certificates common name that contains "*mobile scanner*" are allowed to connect. I've googled a lot, without success. All Freeradius documentation I've found about eap-tls only descibes how to accept all devices with a valid certificate. I've seen this scenario running with commercial RADIUS servers but I guess it might also be possible using FreeRADIUS. Any tip oder idea is welcome. -- Ulf Leichsenring ulf@leichsenring.net
Am Mittwoch, 1. April 2009 13:43:30 schrieb Ulf Leichsenring:
Hi FreeRADIUS user community
I'm in search for some ideas for the following situation:
Given are several WLANS controlled by a Siemens Hipath C2400 WLAN Controller with Siemens APs. The controller provides different WLANs identified by different ESSIDs. All WLAN Clients use IEEE802.1x authentication with EAP-TLS and client certificates. The authentication is done by FreeRADIUS 1.0.1 on Redhat EL AS4.
At the moment, all clients use certificates and inside the FreeRADIUS eap-tls section the ca certificates are trusted. All Windows clients use a MS CA an have certificates with the Windows system name as the certificates common name. Other devices like mobile scanners or WLAN mobile phones (VoIP) have manually generated certificates with the device type as the certificates common name like "phone", "mobile scanner" or else. So long, it works.
But now I was asked if it is possible to restrict the association of several device types to defined ESSIDs. There shoul be a WLAN "office" where all devices are allowed to connect if they have a valid certificate. Other ESSIDs should only accept special devices, eg. only devices with the certificates common name "phone" should be allowed to connect to the ESSID "voice".
I know, the Siemens controller is able to send the ESSID the device is trying to connect inside the RADIUS request as vendor specific attribute.
Is it possible with FreeRADIUS to match these requirements? To select based on the ESSID the device is connecting to? If the connecting ESSID is "office", all devices with a valid certificate are allowed to connect. If the ESSID is "voice", only devices with a valid certificate and with a certificates common name that contains "*phone*" are allowed to connect. If the ESSID is "production-1", only devices with a valid certificate and with a certificates common name that contains "*mobile scanner*" are allowed to connect.
I've googled a lot, without success. All Freeradius documentation I've found about eap-tls only descibes how to accept all devices with a valid certificate. I've seen this scenario running with commercial RADIUS servers but I guess it might also be possible using FreeRADIUS.
Any tip oder idea is welcome.
Hi, 1) Upgrade to an actual version of FR. 2.1.4 should do. 2) Edit your dictionary so that your FR understands the Siemens vendor spec attributes. 3) create a unlang (only FR version 2!) config to also check for the new essid attribute and according group membership should do the job. Greetings, -- Dr. Michael Schwartzkopff MultiNET Services GmbH Addresse: Bretonischer Ring 7; 85630 Grasbrunn; Germany Tel: +49 - 89 - 45 69 11 0 Fax: +49 - 89 - 45 69 11 21 mob: +49 - 174 - 343 28 75 mail: misch@multinet.de web: www.multinet.de Sitz der Gesellschaft: 85630 Grasbrunn Registergericht: Amtsgericht München HRB 114375 Geschäftsführer: Günter Jurgeneit, Hubert Martens --- PGP Fingerprint: F919 3919 FF12 ED5A 2801 DEA6 AA77 57A4 EDD8 979B Skype: misch42
Michael Schwartzkopff schrieb:
1) Upgrade to an actual version of FR. 2.1.4 should do.
2) Edit your dictionary so that your FR understands the Siemens vendor spec attributes.
3) create a unlang (only FR version 2!) config to also check for the new essid attribute and according group membership should do the job.
Thanks. I will update and study how to create a ulang config. -- Ulf Leichsenring ulf@leichsenring.net
I know, the Siemens controller is able to send the ESSID the device is trying to connect inside the RADIUS request as vendor specific attribute.
And what VSA would it be? If you can find that attribute in the dictionaries - it is possible. If you can't - you can add it yourself to raddb/dictionary. It would be better to get the dictionary from Siemens and post it to this list so it can be included in freeradius distribution (I don't see dictionary.siemens in current server dictionaries). Ivan Kalik Kalik Informatika ISP
tnt@kalik.net schrieb:
And what VSA would it be? If you can find that attribute in the dictionaries - it is possible. If you can't - you can add it yourself to raddb/dictionary. It would be better to get the dictionary from Siemens and post it to this list so it can be included in freeradius distribution (I don't see dictionary.siemens in current server dictionaries).
I will ask Siemens to get their VSA dictionary and post it to the list if Siemens doesn't mind. -- Ulf Leichsenring ulf@leichsenring.net
participants (3)
-
Michael Schwartzkopff -
tnt@kalik.net -
Ulf Leichsenring