MAC authentication using FreeRadius
Hi everyone, i'm looking in a way to set-up MAC authentication using FreeRadius and MySQL and any help would be much appreciated :) I have a scenario where multiple shops will have guest authenticating and when someone register to their public wi-fi, we want their MAC to be stored in the SQL database and do a check against it using MAC authentication on the Aruba IAPs. I guess I need to find a way to capture the Calling-Station-Id and store it into a table into the database and then I need to do a check against it for every MAC it receives as a "username and password' Right now I can authenticate to my captive portal using FreeRadius + MySQL, I can also enable MAC auth on my IAP and add a user with my phone's MAC address as a username and password and it's working. I'm really looking into a way to automate this :) Thanks a lot
Hi, Your question is not very clear. Presuming that you want to store the MAC's of whoever is connecting
this is already being done in radacct table if people are registering they must be connected right? and when they are connected why do you need their MAC address after they are connected what help would that do?
BR, Anirudh Malhotra On 12/29/15 09:11 AM, "Max .M" <mmourand@gmail.com> wrote:
Hi everyone,
i'm looking in a way to set-up MAC authentication using FreeRadius and MySQL and any help would be much appreciated :)
I have a scenario where multiple shops will have guest authenticating and when someone register to their public wi-fi, we want their MAC to be stored in the SQL database and do a check against it using MAC authentication on the Aruba IAPs.
I guess I need to find a way to capture the Calling-Station-Id and store it into a table into the database and then I need to do a check against it for every MAC it receives as a "username and password'
Right now I can authenticate to my captive portal using FreeRadius + MySQL, I can also enable MAC auth on my IAP and add a user with my phone's MAC address as a username and password and it's working.
I'm really looking into a way to automate this :)
Thanks a lot - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Hi, thanks for taking the time to read. When this person that registered will leave the shop and come back 3 days later, I want it to bypass the captive portal. This is why I will activate MAC authentication on the access point. I just need a way to tell the access point : if mac adress of MAC auth is in SQL database, then authenticate (bypass captive portal) Thank you, 2015-12-29 2:10 GMT-05:00 Anirudh Malhotra <amalhotra.sp-dl@nkn.in>:
Hi,
Your question is not very clear. Presuming that you want to store the MAC's of whoever is connecting
this is already being done in radacct table if people are registering they must be connected right? and when they are connected why do you need their MAC address after they are connected what help would that do?
BR, Anirudh Malhotra
On 12/29/15 09:11 AM, "Max .M" <mmourand@gmail.com> wrote:
Hi everyone,
i'm looking in a way to set-up MAC authentication using FreeRadius and MySQL and any help would be much appreciated :)
I have a scenario where multiple shops will have guest authenticating and when someone register to their public wi-fi, we want their MAC to be
stored
in the SQL database and do a check against it using MAC authentication on the Aruba IAPs.
I guess I need to find a way to capture the Calling-Station-Id and store it into a table into the database and then I need to do a check against it for every MAC it receives as a "username and password'
Right now I can authenticate to my captive portal using FreeRadius + MySQL, I can also enable MAC auth on my IAP and add a user with my phone's MAC address as a username and password and it's working.
I'm really looking into a way to automate this :)
Thanks a lot - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Hi, So when you are registering the user you must be keeping the MAC of the user, if not, keep it in whatever registering table you are keeping rest of the details. Then use unlang in authorize section to check calling station id if it matches change auth-type to accept. I wouldn't suggest this though, as MACs can be spoofed easily. The better method would be to use encrypted cookies(just like remember my password ones) so that the captive portal gets those cookies and lets user log in. BR, Anirudh Malhotra On 12/29/15 12:54 PM, "Max .M" <mmourand@gmail.com> wrote: > > Hi, > > thanks for taking the time to read. > > When this person that registered will leave the shop and come back 3 days > later, I want it to bypass the captive portal. This is why I will activate > MAC authentication on the access point. > I just need a way to tell the access point : if mac adress of MAC auth is > in SQL database, then authenticate (bypass captive portal) > > Thank you, > > 2015-12-29 2:10 GMT-05:00 Anirudh Malhotra <amalhotra.sp-dl@nkn.in>: > > > Hi, > > > > Your question is not very clear. > > Presuming that you want to store the MAC's of whoever is connecting > > > this is already being done in radacct table > > if people are registering they must be connected right? and when they are > > connected why do you need their MAC address after they are connected what > > help would that do? > > > > BR, > > Anirudh Malhotra > > > > On 12/29/15 09:11 AM, "Max .M" <mmourand@gmail.com> wrote: > > > > > > Hi everyone, > > > > > > i'm looking in a way to set-up MAC authentication using FreeRadius and > > > MySQL and any help would be much appreciated :) > > > > > > I have a scenario where multiple shops will have guest authenticating and > > > when someone register to their public wi-fi, we want their MAC to be > > stored > > > in the SQL database and do a check against it using MAC authentication on > > > the Aruba IAPs. > > > > > > I guess I need to find a way to capture the Calling-Station-Id and store > > it > > > into a table into the database and then I need to do a check against it > > for > > > every MAC it receives as a "username and password' > > > > > > Right now I can authenticate to my captive portal using FreeRadius + > > MySQL, > > > I can also enable MAC auth on my IAP and add a user with my phone's MAC > > > address as a username and password and it's working. > > > > > > I'm really looking into a way to automate this :) > > > > > > Thanks a lot > > > - > > > List info/subscribe/unsubscribe? See > > http://www.freeradius.org/list/users.html > > > > > - > > List info/subscribe/unsubscribe? See > > http://www.freeradius.org/list/users.html > - > List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html >
Could you give me more details or a link explaining how to achieve this please ? I'm new to freeradius and all this, this would be really helpful. Also, security is not an issue for them, also it's just basic guest access on a separate network. Thanks 2015-12-29 2:33 GMT-05:00 Anirudh Malhotra <amalhotra.sp-dl@nkn.in>: > Hi, > > So when you are registering the user you must be keeping the MAC of the > user, if not, keep it in whatever registering table you are keeping rest of > the details. > Then use unlang in authorize section to check calling station id if it > matches change auth-type to accept. > > I wouldn't suggest this though, as MACs can be spoofed easily. The better > method would be to use encrypted cookies(just like remember my password > ones) so that the captive portal gets those cookies and lets user log in. > > BR, > Anirudh Malhotra > > On 12/29/15 12:54 PM, "Max .M" <mmourand@gmail.com> wrote: > > > > Hi, > > > > thanks for taking the time to read. > > > > When this person that registered will leave the shop and come back 3 days > > later, I want it to bypass the captive portal. This is why I will > activate > > MAC authentication on the access point. > > I just need a way to tell the access point : if mac adress of MAC auth is > > in SQL database, then authenticate (bypass captive portal) > > > > Thank you, > > > > 2015-12-29 2:10 GMT-05:00 Anirudh Malhotra <amalhotra.sp-dl@nkn.in>: > > > > > Hi, > > > > > > Your question is not very clear. > > > Presuming that you want to store the MAC's of whoever is connecting > > > > this is already being done in radacct table > > > if people are registering they must be connected right? and when they > are > > > connected why do you need their MAC address after they are connected > what > > > help would that do? > > > > > > BR, > > > Anirudh Malhotra > > > > > > On 12/29/15 09:11 AM, "Max .M" <mmourand@gmail.com> wrote: > > > > > > > > Hi everyone, > > > > > > > > i'm looking in a way to set-up MAC authentication using FreeRadius > and > > > > MySQL and any help would be much appreciated :) > > > > > > > > I have a scenario where multiple shops will have guest > authenticating and > > > > when someone register to their public wi-fi, we want their MAC to be > > > stored > > > > in the SQL database and do a check against it using MAC > authentication on > > > > the Aruba IAPs. > > > > > > > > I guess I need to find a way to capture the Calling-Station-Id and > store > > > it > > > > into a table into the database and then I need to do a check against > it > > > for > > > > every MAC it receives as a "username and password' > > > > > > > > Right now I can authenticate to my captive portal using FreeRadius + > > > MySQL, > > > > I can also enable MAC auth on my IAP and add a user with my phone's > MAC > > > > address as a username and password and it's working. > > > > > > > > I'm really looking into a way to automate this :) > > > > > > > > Thanks a lot > > > > - > > > > List info/subscribe/unsubscribe? See > > > http://www.freeradius.org/list/users.html > > > > > > > - > > > List info/subscribe/unsubscribe? See > > > http://www.freeradius.org/list/users.html > > - > > List info/subscribe/unsubscribe? See > http://www.freeradius.org/list/users.html > > > - > List info/subscribe/unsubscribe? See > http://www.freeradius.org/list/users.html >
man unlang
freeradius.org/radiusd/man/unlang.html
basically you need something like
if ("%{sql:SELECT count(*) FROM your_table WHERE mac_Address = '%{Calling-Station-Id}'}" > 0) {
update control {
Auth-Type := Accept
}
}
On 12/29/15 01:18 PM, "Max .M" <mmourand@gmail.com> wrote:
>
> Could you give me more details or a link explaining how to achieve this
> please ?
> I'm new to freeradius and all this, this would be really helpful.
>
> Also, security is not an issue for them, also it's just basic guest access
> on a separate network.
>
> Thanks
>
> 2015-12-29 2:33 GMT-05:00 Anirudh Malhotra <amalhotra.sp-dl@nkn.in>:
>
> > Hi,
> >
> > So when you are registering the user you must be keeping the MAC of the
> > user, if not, keep it in whatever registering table you are keeping rest of
> > the details.
> > Then use unlang in authorize section to check calling station id if it
> > matches change auth-type to accept.
> >
> > I wouldn't suggest this though, as MACs can be spoofed easily. The better
> > method would be to use encrypted cookies(just like remember my password
> > ones) so that the captive portal gets those cookies and lets user log in.
> >
> > BR,
> > Anirudh Malhotra
> >
> > On 12/29/15 12:54 PM, "Max .M" <mmourand@gmail.com> wrote:
> > >
> > > Hi,
> > >
> > > thanks for taking the time to read.
> > >
> > > When this person that registered will leave the shop and come back 3 days
> > > later, I want it to bypass the captive portal. This is why I will
> > activate
> > > MAC authentication on the access point.
> > > I just need a way to tell the access point : if mac adress of MAC auth is
> > > in SQL database, then authenticate (bypass captive portal)
> > >
> > > Thank you,
> > >
> > > 2015-12-29 2:10 GMT-05:00 Anirudh Malhotra <amalhotra.sp-dl@nkn.in>:
> > >
> > > > Hi,
> > > >
> > > > Your question is not very clear.
> > > > Presuming that you want to store the MAC's of whoever is connecting
> > > > > this is already being done in radacct table
> > > > if people are registering they must be connected right? and when they
> > are
> > > > connected why do you need their MAC address after they are connected
> > what
> > > > help would that do?
> > > >
> > > > BR,
> > > > Anirudh Malhotra
> > > >
> > > > On 12/29/15 09:11 AM, "Max .M" <mmourand@gmail.com> wrote:
> > > > >
> > > > > Hi everyone,
> > > > >
> > > > > i'm looking in a way to set-up MAC authentication using FreeRadius
> > and
> > > > > MySQL and any help would be much appreciated :)
> > > > >
> > > > > I have a scenario where multiple shops will have guest
> > authenticating and
> > > > > when someone register to their public wi-fi, we want their MAC to be
> > > > stored
> > > > > in the SQL database and do a check against it using MAC
> > authentication on
> > > > > the Aruba IAPs.
> > > > >
> > > > > I guess I need to find a way to capture the Calling-Station-Id and
> > store
> > > > it
> > > > > into a table into the database and then I need to do a check against
> > it
> > > > for
> > > > > every MAC it receives as a "username and password'
> > > > >
> > > > > Right now I can authenticate to my captive portal using FreeRadius +
> > > > MySQL,
> > > > > I can also enable MAC auth on my IAP and add a user with my phone's
> > MAC
> > > > > address as a username and password and it's working.
> > > > >
> > > > > I'm really looking into a way to automate this :)
> > > > >
> > > > > Thanks a lot
> > > > > -
> > > > > List info/subscribe/unsubscribe? See
> > > > http://www.freeradius.org/list/users.html
> > > > >
> > > > -
> > > > List info/subscribe/unsubscribe? See
> > > > http://www.freeradius.org/list/users.html
> > > -
> > > List info/subscribe/unsubscribe? See
> > http://www.freeradius.org/list/users.html
> > >
> > -
> > List info/subscribe/unsubscribe? See
> > http://www.freeradius.org/list/users.html
> >
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>
Thank you Anirudh,
I'm a bit new to FreeRadius, would you mind giving more details on where to
enter those strings and how to put his in place ?
Thanks !
2015-12-29 5:27 GMT-05:00 Anirudh Malhotra <amalhotra.sp-dl@nkn.in>:
> man unlang
> freeradius.org/radiusd/man/unlang.html
>
> basically you need something like
> if ("%{sql:SELECT count(*) FROM your_table WHERE mac_Address =
> '%{Calling-Station-Id}'}" > 0) {
> update control {
> Auth-Type := Accept
>
> }
> }
>
>
> On 12/29/15 01:18 PM, "Max .M" <mmourand@gmail.com> wrote:
> >
> > Could you give me more details or a link explaining how to achieve this
> > please ?
> > I'm new to freeradius and all this, this would be really helpful.
> >
> > Also, security is not an issue for them, also it's just basic guest
> access
> > on a separate network.
> >
> > Thanks
> >
> > 2015-12-29 2:33 GMT-05:00 Anirudh Malhotra <amalhotra.sp-dl@nkn.in>:
> >
> > > Hi,
> > >
> > > So when you are registering the user you must be keeping the MAC of the
> > > user, if not, keep it in whatever registering table you are keeping
> rest of
> > > the details.
> > > Then use unlang in authorize section to check calling station id if it
> > > matches change auth-type to accept.
> > >
> > > I wouldn't suggest this though, as MACs can be spoofed easily. The
> better
> > > method would be to use encrypted cookies(just like remember my password
> > > ones) so that the captive portal gets those cookies and lets user log
> in.
> > >
> > > BR,
> > > Anirudh Malhotra
> > >
> > > On 12/29/15 12:54 PM, "Max .M" <mmourand@gmail.com> wrote:
> > > >
> > > > Hi,
> > > >
> > > > thanks for taking the time to read.
> > > >
> > > > When this person that registered will leave the shop and come back 3
> days
> > > > later, I want it to bypass the captive portal. This is why I will
> > > activate
> > > > MAC authentication on the access point.
> > > > I just need a way to tell the access point : if mac adress of MAC
> auth is
> > > > in SQL database, then authenticate (bypass captive portal)
> > > >
> > > > Thank you,
> > > >
> > > > 2015-12-29 2:10 GMT-05:00 Anirudh Malhotra <amalhotra.sp-dl@nkn.in>:
> > > >
> > > > > Hi,
> > > > >
> > > > > Your question is not very clear.
> > > > > Presuming that you want to store the MAC's of whoever is connecting
> > > > > > this is already being done in radacct table
> > > > > if people are registering they must be connected right? and when
> they
> > > are
> > > > > connected why do you need their MAC address after they are
> connected
> > > what
> > > > > help would that do?
> > > > >
> > > > > BR,
> > > > > Anirudh Malhotra
> > > > >
> > > > > On 12/29/15 09:11 AM, "Max .M" <mmourand@gmail.com> wrote:
> > > > > >
> > > > > > Hi everyone,
> > > > > >
> > > > > > i'm looking in a way to set-up MAC authentication using
> FreeRadius
> > > and
> > > > > > MySQL and any help would be much appreciated :)
> > > > > >
> > > > > > I have a scenario where multiple shops will have guest
> > > authenticating and
> > > > > > when someone register to their public wi-fi, we want their MAC
> to be
> > > > > stored
> > > > > > in the SQL database and do a check against it using MAC
> > > authentication on
> > > > > > the Aruba IAPs.
> > > > > >
> > > > > > I guess I need to find a way to capture the Calling-Station-Id
> and
> > > store
> > > > > it
> > > > > > into a table into the database and then I need to do a check
> against
> > > it
> > > > > for
> > > > > > every MAC it receives as a "username and password'
> > > > > >
> > > > > > Right now I can authenticate to my captive portal using
> FreeRadius +
> > > > > MySQL,
> > > > > > I can also enable MAC auth on my IAP and add a user with my
> phone's
> > > MAC
> > > > > > address as a username and password and it's working.
> > > > > >
> > > > > > I'm really looking into a way to automate this :)
> > > > > >
> > > > > > Thanks a lot
> > > > > > -
> > > > > > List info/subscribe/unsubscribe? See
> > > > > http://www.freeradius.org/list/users.html
> > > > > >
> > > > > -
> > > > > List info/subscribe/unsubscribe? See
> > > > > http://www.freeradius.org/list/users.html
> > > > -
> > > > List info/subscribe/unsubscribe? See
> > > http://www.freeradius.org/list/users.html
> > > >
> > > -
> > > List info/subscribe/unsubscribe? See
> > > http://www.freeradius.org/list/users.html
> > >
> > -
> > List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
> >
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>
Hi,
Put it in authorize, and please read/research more before asking questions it will help you in understanding technologies more. I hope you dont mind :)
BR,
Anirudh Malhotra
8zero2
Mail: 8zero2.in@gmail.com
Facebook: www.facebook.com/8zero2
Twitter: @8zero2_in
Blog: blog.8zero2.in
On 29 Dec 2015, 22:17 +0530, Max .M<mmourand@gmail.com>, wrote:
> Thank you Anirudh,
>
> I'm a bit new to FreeRadius, would you mind giving more details on where to
> enter those strings and how to put his in place ?
>
> Thanks !
>
> 2015-12-29 5:27 GMT-05:00 Anirudh Malhotra<amalhotra.sp-dl@nkn.in>:
>
> > man unlang
> > freeradius.org/radiusd/man/unlang.html
> >
> > basically you need something like
> > if ("%{sql:SELECT count(*) FROM your_table WHERE mac_Address =
> > '%{Calling-Station-Id}'}">0) {
> > update control {
> > Auth-Type := Accept
> >
> > }
> > }
> >
> >
> > On 12/29/15 01:18 PM, "Max .M"<mmourand@gmail.com>wrote:
> > >
> > > Could you give me more details or a link explaining how to achieve this
> > > please ?
> > > I'm new to freeradius and all this, this would be really helpful.
> > >
> > > Also, security is not an issue for them, also it's just basic guest
> > access
> > > on a separate network.
> > >
> > > Thanks
> > >
> > > 2015-12-29 2:33 GMT-05:00 Anirudh Malhotra<amalhotra.sp-dl@nkn.in>:
> > >
> > > > Hi,
> > > >
> > > > So when you are registering the user you must be keeping the MAC of the
> > > > user, if not, keep it in whatever registering table you are keeping
> > rest of
> > > > the details.
> > > > Then use unlang in authorize section to check calling station id if it
> > > > matches change auth-type to accept.
> > > >
> > > > I wouldn't suggest this though, as MACs can be spoofed easily. The
> > better
> > > > method would be to use encrypted cookies(just like remember my password
> > > > ones) so that the captive portal gets those cookies and lets user log
> > in.
> > > >
> > > > BR,
> > > > Anirudh Malhotra
> > > >
> > > > On 12/29/15 12:54 PM, "Max .M"<mmourand@gmail.com>wrote:
> > > > >
> > > > > Hi,
> > > > >
> > > > > thanks for taking the time to read.
> > > > >
> > > > > When this person that registered will leave the shop and come back 3
> > days
> > > > > later, I want it to bypass the captive portal. This is why I will
> > > > activate
> > > > > MAC authentication on the access point.
> > > > > I just need a way to tell the access point : if mac adress of MAC
> > auth is
> > > > > in SQL database, then authenticate (bypass captive portal)
> > > > >
> > > > > Thank you,
> > > > >
> > > > > 2015-12-29 2:10 GMT-05:00 Anirudh Malhotra<amalhotra.sp-dl@nkn.in>:
> > > > >
> > > > > > Hi,
> > > > > >
> > > > > > Your question is not very clear.
> > > > > > Presuming that you want to store the MAC's of whoever is connecting
> > > > > > > this is already being done in radacct table
> > > > > > if people are registering they must be connected right? and when
> > they
> > > > are
> > > > > > connected why do you need their MAC address after they are
> > connected
> > > > what
> > > > > > help would that do?
> > > > > >
> > > > > > BR,
> > > > > > Anirudh Malhotra
> > > > > >
> > > > > > On 12/29/15 09:11 AM, "Max .M"<mmourand@gmail.com>wrote:
> > > > > > >
> > > > > > > Hi everyone,
> > > > > > >
> > > > > > > i'm looking in a way to set-up MAC authentication using
> > FreeRadius
> > > > and
> > > > > > > MySQL and any help would be much appreciated :)
> > > > > > >
> > > > > > > I have a scenario where multiple shops will have guest
> > > > authenticating and
> > > > > > > when someone register to their public wi-fi, we want their MAC
> > to be
> > > > > > stored
> > > > > > > in the SQL database and do a check against it using MAC
> > > > authentication on
> > > > > > > the Aruba IAPs.
> > > > > > >
> > > > > > > I guess I need to find a way to capture the Calling-Station-Id
> > and
> > > > store
> > > > > > it
> > > > > > > into a table into the database and then I need to do a check
> > against
> > > > it
> > > > > > for
> > > > > > > every MAC it receives as a "username and password'
> > > > > > >
> > > > > > > Right now I can authenticate to my captive portal using
> > FreeRadius +
> > > > > > MySQL,
> > > > > > > I can also enable MAC auth on my IAP and add a user with my
> > phone's
> > > > MAC
> > > > > > > address as a username and password and it's working.
> > > > > > >
> > > > > > > I'm really looking into a way to automate this :)
> > > > > > >
> > > > > > > Thanks a lot
> > > > > > > -
> > > > > > > List info/subscribe/unsubscribe? See
> > > > > > http://www.freeradius.org/list/users.html
> > > > > > >
> > > > > > -
> > > > > > List info/subscribe/unsubscribe? See
> > > > > > http://www.freeradius.org/list/users.html
> > > > > -
> > > > > List info/subscribe/unsubscribe? See
> > > > http://www.freeradius.org/list/users.html
> > > > >
> > > > -
> > > > List info/subscribe/unsubscribe? See
> > > > http://www.freeradius.org/list/users.html
> > > >
> > > -
> > > List info/subscribe/unsubscribe? See
> > http://www.freeradius.org/list/users.html
> > >
> > -
> > List info/subscribe/unsubscribe? See
> > http://www.freeradius.org/list/users.html
> >
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On Tue, Dec 29, 2015 at 02:45:51AM -0500, Max .M wrote:
Also, security is not an issue for them, also it's just basic guest access on a separate network.
then why don't you just make it a hotspot with no security at all? apps should encrypt end-to-end so you should be in clear legally. you could probably hide the SSID to keep flies off and your usage low (for hotspot best is to have unlimited usage though). and _then_ monitor (can be automated) the MACs and pretty machine names. that should give you a good gauge of who might be [ab]using the hotspot excessively and make an educated guess on which one to block. this all can be circumvented of course but so is user_name/password since it's impossible to install certificate on every machine of every clientèle. now someone please correct me if i'm wrong :) jrun
participants (4)
-
Anirudh Malhotra -
Anirudh Malhotra -
jrun -
Max .M