This is what I am trying to accomplish: I want to use mac address based authentication with WPA+PEAP. I have finally figured out how to get my Wireless laptop to connect and get a DHCP address through freeradius using the certificates created with openssl using the CA.all script. How do I validate a user by mac address so that the users mac would be their username? What is the format of the MAC in the 'users' file? I have seen it as 01020304-0a020304 or something similiar, is that correct? Does anybody have a good suggestion on how to get the root.der cert to the client if they can't connect to the AP until they get authenticated, and they can't get authenticated until they have the cert. And finally, is there some sort of session management so that only one matching mac can be on at one time? Sorry if these are lame questions but I am completely lost at this and am reaching out for help. Thanks for any help, Jon
jonr@destar.net wrote:
I want to use mac address based authentication with WPA+PEAP. I have finally figured out how to get my Wireless laptop to connect and get a DHCP address through freeradius using the certificates created with openssl using the CA.all script.
Almost. FreeRADIUS doesn't do DHCP.
How do I validate a user by mac address so that the users mac would be their username?
What is the format of the MAC in the 'users' file? I have seen it as 01020304-0a020304 or something similiar, is that correct?
The format is whatever format the NAS sends in the User-Name attribute.
Does anybody have a good suggestion on how to get the root.der cert to the client if they can't connect to the AP until they get authenticated, and they can't get authenticated until they have the cert.
The customer walks the machine into your office. :) The alternative is to have a different SSID on the access point, that doesn't require authentication. Have it allow anyone on it's network (a private IP range), and have no routes to the external world. Then, set up a web page there that allows them to download the certificate.
And finally, is there some sort of session management so that only one matching mac can be on at one time?
doc/Simultaneous-Use
Sorry if these are lame questions but I am completely lost at this and am reaching out for help.
The questions are basic, but you've given enough detail of what you see and what you want to do that it's easy to respond. Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog
Quoting Alan DeKok <aland@deployingradius.com>:
How do I validate a user by mac address so that the users mac would be their username?
What is the format of the MAC in the 'users' file? I have seen it as 01020304-0a020304 or something similiar, is that correct?
The format is whatever format the NAS sends in the User-Name attribute.
Thanks Alan, that helped more than you know. This is what I am trying to do, I have a user in my users file, before they are allowed to authenticate I want to also check that the MAC address sent in the Calling-Station-Id matches what is in the users file. So I would check not only for the username/passowrd but also that the MAC was the same for that user. Is checkval what I am looking for or is there a certain syntax for the users file that I am missing? I have read the /doc/processing_users_file, man 5 users and been going through the config files in the /etc/raddb. directory, with no success. Thanks again, Jon
jonr@destar.net wrote:
The format is whatever format the NAS sends in the User-Name attribute.
Thanks Alan, that helped more than you know.
It's little things like that that make a *big* difference in setting up a system for the first time. And yes, I cover all of this in my book, which will be done real soon now...
This is what I am trying to do, I have a user in my users file, before they are allowed to authenticate I want to also check that the MAC address sent in the Calling-Station-Id matches what is in the users file. So I would check not only for the username/passowrd but also that the MAC was the same for that user.
i.e. each user has a pre-defined MAC they're allowed to use?
Is checkval what I am looking for or is there a certain syntax for the users file that I am missing? I have read the /doc/processing_users_file, man 5 users and been going through the config files in the /etc/raddb. directory, with no success.
You can do: bob Calling-Station-Id != "0001....", Auth-Type := Reject But that's awkward to scale to many users. Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog
Quoting Alan DeKok <aland@deployingradius.com>:
And yes, I cover all of this in my book, which will be done real soon now...
This is the book I am waiting to read. The O'Reilly book is a good primer but really doesn't get to the meat of what Radius can do.
You can do:
bob Calling-Station-Id != "0001....", Auth-Type := Reject
Could I also do: bob password = "neil", Calling-Station-Id != "0001....", Auth-Type := Reject So that both pieces of information have to be present to be authenticated? Jon
jonr@destar.net wrote:
Quoting Alan DeKok <aland@deployingradius.com>:
And yes, I cover all of this in my book, which will be done real soon now...
This is the book I am waiting to read. The O'Reilly book is a good primer but really doesn't get to the meat of what Radius can do.
You can do:
bob Calling-Station-Id != "0001....", Auth-Type := Reject
Could I also do:
bob password = "neil", Calling-Station-Id != "0001....", Auth-Type := Reject
So that both pieces of information have to be present to be authenticated?
No, that would always reject the user. You could do this: bob Calling-Station-Id != "0001....", Auth-Type := Reject bob User-Password := "neil" Can you instead use rlm_checkval like this: modules { passwd user2allowedmacs { filename = /etc/raddb/user2allowedmacs format = "*User-Name:Calling-Station-Id" hashsize = 100 allowmultiplekeys = yes } checkval usermacs { item-name = Calling-Station-Id check-name = Calling-Station-Id data-type = string notfound-reject = yes } } authorize { preprocess user2allowedmacs usermacs # other stuff } /etc/raddb/user2allowedmacs: user1:001122334455 user1:aabbccddeeff user2:0123456789ab ...I think that ought to work?
Could I also do:
bob password = "neil", Calling-Station-Id != "0001....", Auth-Type := Reject
So that both pieces of information have to be present to be authenticated?
No, that would always reject the user. You could do this:
bob Calling-Station-Id != "0001....", Auth-Type := Reject
bob User-Password := "neil"
Well thats too easy. :)
Can you instead use rlm_checkval like this:
modules { passwd user2allowedmacs { filename = /etc/raddb/user2allowedmacs format = "*User-Name:Calling-Station-Id" hashsize = 100 allowmultiplekeys = yes } checkval usermacs { item-name = Calling-Station-Id check-name = Calling-Station-Id data-type = string notfound-reject = yes } }
Which file would the above be placed in and does it need to be placed in a certain area of the file or can it just be added to the bottom of the file? And when I see 'rlm_' I think realm which makes me think ldap or kerberos, neither of which I am using, will this be a problem?
authorize { preprocess user2allowedmacs usermacs # other stuff }
So whatever I name my module I will have to add to the authorize stanza in the radius.conf file, correct?
/etc/raddb/user2allowedmacs:
user1:001122334455 user1:aabbccddeeff user2:0123456789ab
...I think that ought to work?
Thanks for the info, this is gold! Jon
jonr@destar.net wrote:
Could I also do:
bob password = "neil", Calling-Station-Id != "0001....", Auth-Type := Reject So that both pieces of information have to be present to be authenticated? No, that would always reject the user. You could do this:
bob Calling-Station-Id != "0001....", Auth-Type := Reject
bob User-Password := "neil"
Well thats too easy. :)
Can you instead use rlm_checkval like this:
modules { passwd user2allowedmacs { filename = /etc/raddb/user2allowedmacs format = "*User-Name:Calling-Station-Id" hashsize = 100 allowmultiplekeys = yes } checkval usermacs { item-name = Calling-Station-Id check-name = Calling-Station-Id data-type = string notfound-reject = yes } }
Which file would the above be placed in and does it need to be placed in a certain area of the file or can it just be added to the bottom of the file? And
It's a partial fragment of radiusd.conf - you would need to inspect how the radiusd.conf hierarchial config works, and put the two module definitions in along with anything else you need
when I see 'rlm_' I think realm which makes me think ldap or kerberos, neither of which I am using, will this be a problem?
rlm == radius loadable module, nothing to do with realms (although there is an rlm_realm for dealing with realms!)
authorize { preprocess user2allowedmacs usermacs # other stuff }
So whatever I name my module I will have to add to the authorize stanza in the radius.conf file, correct?
Yep
/etc/raddb/user2allowedmacs:
user1:001122334455 user1:aabbccddeeff user2:0123456789ab
...I think that ought to work?
Thanks for the info, this is gold!
Jon - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Looks good, i was also wondering if this could be done with mysql as backend ?! Cheers, Collen Phil Mayers wrote:
jonr@destar.net wrote:
Could I also do:
bob password = "neil", Calling-Station-Id != "0001....", Auth-Type := Reject So that both pieces of information have to be present to be authenticated? No, that would always reject the user. You could do this:
bob Calling-Station-Id != "0001....", Auth-Type := Reject
bob User-Password := "neil"
Well thats too easy. :)
Can you instead use rlm_checkval like this:
modules { passwd user2allowedmacs { filename = /etc/raddb/user2allowedmacs format = "*User-Name:Calling-Station-Id" hashsize = 100 allowmultiplekeys = yes } checkval usermacs { item-name = Calling-Station-Id check-name = Calling-Station-Id data-type = string notfound-reject = yes } }
Which file would the above be placed in and does it need to be placed in a certain area of the file or can it just be added to the bottom of the file? And
It's a partial fragment of radiusd.conf - you would need to inspect how the radiusd.conf hierarchial config works, and put the two module definitions in along with anything else you need
when I see 'rlm_' I think realm which makes me think ldap or kerberos, neither of which I am using, will this be a problem?
rlm == radius loadable module, nothing to do with realms (although there is an rlm_realm for dealing with realms!)
authorize { preprocess user2allowedmacs usermacs # other stuff }
So whatever I name my module I will have to add to the authorize stanza in the radius.conf file, correct?
Yep
/etc/raddb/user2allowedmacs:
user1:001122334455 user1:aabbccddeeff user2:0123456789ab
...I think that ought to work?
Thanks for the info, this is gold!
Jon - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Hi, we have deployed an OpenSource MAC based solution which optionally tied to FreeRadius. With this you can have better control of the MAC addresses that you have in your network. - For non 802.1x capable devices, we have the option of using "VMPS" or performing a MAC-Auth-Bypass if your switch allows it. - For 802.1x we use FreeRadius 1.1.3 configured to authenticate the user against a Windows Domain controller and after checking the user credentials we check for the MAC address to assign the Vlan. - A virtual machine has been released with the software needed to make it easy to test. You only have to download it and configure it. We have a MySQL backend and a Windows GUI & Web GUI for administering the MAC addresses that automagically come into the database. Please go to http://www.freenac.net and let us know what you think of our system. Regards, Hector -----Ursprüngliche Nachricht----- Von: freeradius-users-bounces+hector.ortiz=swisscom.com@lists.freeradius.org [mailto:freeradius-users-bounces+hector.ortiz=swisscom.com@lists.freeradius.org] Im Auftrag von Collen Blijenberg Gesendet: Mittwoch, 29. November 2006 11:29 An: FreeRadius users mailing list Betreff: Re: Mac based auth Looks good, i was also wondering if this could be done with mysql as backend ?! Cheers, Collen Phil Mayers wrote:
jonr@destar.net wrote:
Could I also do:
bob password = "neil", Calling-Station-Id != "0001....", Auth-Type := Reject So that both pieces of information have to be present to be authenticated? No, that would always reject the user. You could do this:
bob Calling-Station-Id != "0001....", Auth-Type := Reject
bob User-Password := "neil"
Well thats too easy. :)
Can you instead use rlm_checkval like this:
modules { passwd user2allowedmacs { filename = /etc/raddb/user2allowedmacs format = "*User-Name:Calling-Station-Id" hashsize = 100 allowmultiplekeys = yes } checkval usermacs { item-name = Calling-Station-Id check-name = Calling-Station-Id data-type = string notfound-reject = yes } }
Which file would the above be placed in and does it need to be placed in a certain area of the file or can it just be added to the bottom of the file? And
It's a partial fragment of radiusd.conf - you would need to inspect how the radiusd.conf hierarchial config works, and put the two module definitions in along with anything else you need
when I see 'rlm_' I think realm which makes me think ldap or kerberos, neither of which I am using, will this be a problem?
rlm == radius loadable module, nothing to do with realms (although there is an rlm_realm for dealing with realms!)
authorize { preprocess user2allowedmacs usermacs # other stuff }
So whatever I name my module I will have to add to the authorize stanza in the radius.conf file, correct?
Yep
/etc/raddb/user2allowedmacs:
user1:001122334455 user1:aabbccddeeff user2:0123456789ab
...I think that ought to work?
Thanks for the info, this is gold!
Jon - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Alan and Phil, Thanks a lot for all the help in getting this set up. I now have a username/password pair as well as also requiring the MAC to be present in the authentication. Your help was invaluable to me for getting this working right and for clearing up some of the assumptions I had made while reading the docs. Thanks again, Jon
Hi, i was following this thread bcoz are also interested in authenticate computers by MAC address. i have Freeradius up and running, based on - Username - Password - Mac now i followed the conversation, and tried the following in my users file. DEFAULT Calling-Station-Id == "<macaddres>" "gebruiker" Calling-Station-Id == "<macaddres>" "gebruiker" Calling-Station-Id != "<macaddres>", Auth-Type :=Reject non of the above works. the mac gets checked. that part works, but some how it gets stuck on the password part !? (and there isn't anny!) it basicly has to become a mixed environment, where students get a username/password and our own laptops just do mac authentication. Greetz, Collen.
You can do:
bob Calling-Station-Id != "0001....", Auth-Type := Reject
participants (5)
-
Alan DeKok -
Collen Blijenberg -
Hector.Ortiz@swisscom.com -
jonr@destar.net -
Phil Mayers