i have RADIUS authN and authZ using kerberos and ldap working in my environment. from here i want to add MAC Auth Bypass and finally full .1x when i get a CA up and running. i plan to have MAC Auth Bypass as an interim solution, and will leave it in place when full .1x is running as a fallback method. i would like to get dynamic vlan assignment configured too. with that said, i am not sure of a few things. i am running v3.0.3 on Fedora 20. i have found the wiki article for MAC Auth, but that is for v2.x and a lot has changed from v2 to v3. because i am looking to leverage ldap lookups for MAC Auth Bypass, the info in the wiki does not seem applicable. where do i start looking for info around MAC Auth Bypass and ldap? the ldap module does not have anything that i am able to see as appropriate. i would like to avoid using the files module, as the mac address info, etc is in my ldap already. once i get MAB working, i want to begin assigning the VLAN based on MAC class or address. is the MAC the right data point to make that determination? i see the desire to have full .1x use dynamic VLAN assignment, too, so i want to make sure the decisions are not counter to each other. i am ultimately looking to have full .1x, with MAC Auth Bypass as a fallback, and in either case (or both, if that could/should be) have the VLAN assigned based on the outcome of the auth (or auth bypass). my logic would be: if the device passes .1x, the device is assigned to VLAN_X. if the device fails .1x, the device is assigned to VLAN_Z. if the device cannot do .1x, and passes MAC Auth Bypass (i.e. the MAC is known and is in ldap), the device is assigned to VLAN_Y. if the device cannot do .1x and fails MAC Auth Bypass, the device is assigned to VLAN_Z. since full .1x is not going to be turned up right now, the last two pieces of the logic are what i am looking to pursue at this point. any pointers on where to start would be appreciated.
On Apr 7, 2015, at 9:18 AM, Brendan Kearney <bpk678@gmail.com> wrote:
i am running v3.0.3 on Fedora 20. i have found the wiki article for MAC Auth, but that is for v2.x and a lot has changed from v2 to v3.
Most of the changes are just re-arrangements of the files. See this URL for details: http://networkradius.com/doc/3.0.7/upgrading/
because i am looking to leverage ldap lookups for MAC Auth Bypass, the info in the wiki does not seem applicable. where do i start looking for info around MAC Auth Bypass and ldap? the ldap module does not have anything that i am able to see as appropriate. i would like to avoid using the files module, as the mac address info, etc is in my ldap already.
That's fine. You can use LDAP. But as always, the details are key. What is in LDAP? What does your schema look like? What does an LDAP query look like? To be honest, you can just write LDAP queries in the configuration: if ("%{ldap:ldap stuff...}") { # allow } There's no magic. Just get an LDAP query to see if the MAC is authorized, and put it into the "authorize" section. Then, if the user is authorized, allow them. Otherwise, reject them.
once i get MAB working, i want to begin assigning the VLAN based on MAC class or address. is the MAC the right data point to make that determination?
Yes.
i see the desire to have full .1x use dynamic VLAN assignment, too, so i want to make sure the decisions are not counter to each other.
Then make the decisions separately. And do the MAC AUTH lookups in LDAP *only* if there's no EAP-Message attribute: if (!EAP-Message && ("{%ldap:...} ) { # allow } The key is again in the details. Be sure that the MAC auth bypass code is run ONLY for MAC auth bypass packets. Look at the packets. Read the debug output. See what makes them different from other packets. Then, write checks that look for those differences.
i am ultimately looking to have full .1x, with MAC Auth Bypass as a fallback, and in either case (or both, if that could/should be) have the VLAN assigned based on the outcome of the auth (or auth bypass). my logic would be: if the device passes .1x, the device is assigned to VLAN_X.
That's easy.
if the device fails .1x, the device is assigned to VLAN_Z.
That's less easy. It won't work for WiFi. It can work for wired 802.1X, but it requires some hacks which are complex. Leave it for the last thing.
if the device cannot do .1x, and passes MAC Auth Bypass (i.e. the MAC is known and is in ldap), the device is assigned to VLAN_Y. if the device cannot do .1x and fails MAC Auth Bypass, the device is assigned to VLAN_Z.
That's easy: if (!EAP-Message) { if ("{%ldap:...} ) { # assign to VLAN_Y } else { # assign to VLAN_Z } } else { # 802.1X stuff } It's really a matter of writing down what you want in English. And then translating that to if / then / else statements. Alan DeKok.
On Tue, 2015-04-07 at 09:56 -0400, Alan DeKok wrote:
On Apr 7, 2015, at 9:18 AM, Brendan Kearney <bpk678@gmail.com> wrote:
i am running v3.0.3 on Fedora 20. i have found the wiki article for MAC Auth, but that is for v2.x and a lot has changed from v2 to v3.
Most of the changes are just re-arrangements of the files. See this URL for details:
http://networkradius.com/doc/3.0.7/upgrading/
because i am looking to leverage ldap lookups for MAC Auth Bypass, the info in the wiki does not seem applicable. where do i start looking for info around MAC Auth Bypass and ldap? the ldap module does not have anything that i am able to see as appropriate. i would like to avoid using the files module, as the mac address info, etc is in my ldap already.
That's fine. You can use LDAP. But as always, the details are key.
What is in LDAP? What does your schema look like? What does an LDAP query look like? everything, but the kitchen sink. i have the macAddress attribute from the ieee802Device class, the dhcpHWAddress from the dhcpHost class and i use the mac address and dhcp-client-identifier as a cn in the dhcpSubClass class.
macAddress/ieee802Device - generally used for objects in the Computers OU, and those devices are servers or statically assigned IPs. query: ldapsearch -LLL -h server1 -b ou=Computers,dc=bpk2,dc=com '(objectclass=ieee802Device)' macAddress dhcpHWAddress/dhcpHost - host definition data (ethernet address, dhcp-client-identifier, ddns-hostname) that is generally used to identify which dhcp pool to put the device into (i assign different ranges in a subnet based on proxy-able, unproxy-able and unknown clients) query: ldapsearch -LLL -h server1 -b ou=DHCP\ Hosts,cn=DHCP\ Config,ou=Daemons,dc=bpk2,dc=com '(objectclass=dhcpHost)' dhcpHWAddress cn/dhcpSubClass - used to specify which pool a device's address belongs to. usually has both mac address and dhcp-client-identifier. i am thinking about using this for radiusprofile attributes for vlan assignment, but may move it somewhere else. query: ldapsearch -LLL -h server1 -b ou=DHCP\ SubClasses,cn=DHCP\ Config,ou=Daemons,dc=bpk2,dc=com '(objectclass=dhcpSubClass)' cn note, the queries return all values. i am figuring i need to create a query that finds just the one mac address that being evaluated.
To be honest, you can just write LDAP queries in the configuration:
if ("%{ldap:ldap stuff...}") { # allow }
There's no magic. Just get an LDAP query to see if the MAC is authorized, and put it into the "authorize" section. Then, if the user is authorized, allow them. Otherwise, reject them. good to know. i'll start there.
once i get MAB working, i want to begin assigning the VLAN based on MAC class or address. is the MAC the right data point to make that determination?
Yes.
i see the desire to have full .1x use dynamic VLAN assignment, too, so i want to make sure the decisions are not counter to each other.
Then make the decisions separately. And do the MAC AUTH lookups in LDAP *only* if there's no EAP-Message attribute:
if (!EAP-Message && ("{%ldap:...} ) { # allow } i assume this is still in the "authorize" section?
The key is again in the details. Be sure that the MAC auth bypass code is run ONLY for MAC auth bypass packets. Look at the packets. Read the debug output. See what makes them different from other packets. Then, write checks that look for those differences.
i am ultimately looking to have full .1x, with MAC Auth Bypass as a fallback, and in either case (or both, if that could/should be) have the VLAN assigned based on the outcome of the auth (or auth bypass). my logic would be: if the device passes .1x, the device is assigned to VLAN_X.
That's easy.
if the device fails .1x, the device is assigned to VLAN_Z.
That's less easy. It won't work for WiFi. It can work for wired 802.1X, but it requires some hacks which are complex. Leave it for the last thing. curious, why wont it work for wifi, and what can be done around that?
if the device cannot do .1x, and passes MAC Auth Bypass (i.e. the MAC is known and is in ldap), the device is assigned to VLAN_Y. if the device cannot do .1x and fails MAC Auth Bypass, the device is assigned to VLAN_Z.
That's easy:
if (!EAP-Message) { if ("{%ldap:...} ) { # assign to VLAN_Y } else { # assign to VLAN_Z } } else { # 802.1X stuff }
It's really a matter of writing down what you want in English. And then translating that to if / then / else statements.
Alan DeKok. looks like i have my research and testing identified. thanks.
curious, why wont it work for wifi, and what can be done around that?
There's plenty of reading material out there but fundamentally (and very very briefly as I'm on a mobile) because you didn't get an access-accept with the required cipher keying pair you cannot join the SSID that has the wpa2/aes cipher on it. Likewise, if it's a challenge response method you can't just access accept either. It's an achilles heal of 802.1X wifi alan
On Apr 7, 2015, at 1:39 PM, Brendan Kearney <bpk678@gmail.com> wrote:
note, the queries return all values. i am figuring i need to create a query that finds just the one mac address that being evaluated.
That was really my point.
i assume this is still in the "authorize" section?
Yes.
curious, why wont it work for wifi, and what can be done around that?
WiFi creates per-session encryption keys. You can't bypass that. You can't work around it. You can either accept the user with the correct password, or reject them. That's it.
looks like i have my research and testing identified. thanks.
It's what I do. :) Alan DeKok.
participants (3)
-
Alan Buxey -
Alan DeKok -
Brendan Kearney