RE: restricting access for users
Yes this is my experience as well. Running v 1.0.2 there was nothing in the change log for 1.0.3 to say this was fixed either. Just as a note when I posted these findings nothing came back. I was using an ldap backend as well. It would be great to have a detailed explaination of this one and maybe confirmation that it is not working or wheather is it syntax that causes the problem Alan -----Original Message----- From: freeradius-users-bounces@lists.freeradius.org [mailto:freeradius-users-bounces@lists.freeradius.org] On Behalf Of Martial VdB Sent: 13 June 2005 08:22 To: freeradius-users@lists.freeradius.org Subject: restricting access for users Hi there, I’m a newby here so forgive if I ask obvious questions. I’m trying to setup, wel actually I did setup FreeRADIUS Version 1.0.2 on a Linux Debian machine and it is working fine :) But I need to achieve the following setup: We have # cisco routers and switches who are locally managed by on site engineers. So these local engineers have to be able to log in to their devices and not be allowed to log in to devices on other sites. Next to these different site engineers there is a group called NOC. The NOC engineers need to access all devices on all sites. I’ve tried several setups by using the huntgroups and using system as authentication method but I can't get the huntgroup validation to work. It looks like the huntgroups are just ignored. Everyone can just enter any device as soon as their usrname and password is matched on the system. Did someone do a similar setup where users where restricted and with a general group that needs access everywhere or can someone tell me how I should take this on. It should be fairly easy I thought… Thanks for your help, it is highly appreciated, Martial _________________________________________________________________ Free blogging with MSN Spaces http://spaces.msn.com/?mkt=nl-be - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html -- No virus found in this incoming message. Checked by AVG Anti-Virus. Version: 7.0.323 / Virus Database: 267.6.7 - Release Date: 10/06/2005 -- No virus found in this outgoing message. Checked by AVG Anti-Virus. Version: 7.0.323 / Virus Database: 267.6.7 - Release Date: 10/06/2005
Hi, I plan to implement simultaneous MAC+EAP authentication for my wireless users. From my observation, Freeradius can only do either MAC or EAP but not MAC and EAP authentication. Can somebody gives me some hints on how to do that? Thanks.
On Mon, Jun 13, 2005, Jefri bin Dahari wrote:
Hi,
I plan to implement simultaneous MAC+EAP authentication for my wireless users. From my observation, Freeradius can only do either MAC or EAP but not MAC and EAP authentication. Can somebody gives me some hints on how to do that?
I check the MAC address during the authorization using an external perl script, and it works well. -- Alexandre Coninx
"Jefri bin Dahari" <jeff@mimos.my> wrote:
I plan to implement simultaneous MAC+EAP authentication for my wireless users. From my observation, Freeradius can only do either MAC or EAP but not MAC and EAP authentication. Can somebody gives me some hints on how to do that?
It can do both. EAP is authentication, MAC checking isn't really authentication. What are you seeing in RADIUS packets, and what do you want to happen? Alan DeKok.
i personally think that it's completely useless. implementing EAP or MAC authentication, meaning that one of both would work, is a huge security hole and requiring both is useless since EAP authentication implicitly filters away everything unauthenticated... (even if i understand that might be necessary for current WiFi phones, etc., please be aware that under linux you can actually change the MAC address with one command...) ciao artur On 6/13/05, Alan DeKok <aland@ox.org> wrote:
"Jefri bin Dahari" <jeff@mimos.my> wrote:
I plan to implement simultaneous MAC+EAP authentication for my wireless users. From my observation, Freeradius can only do either MAC or EAP but not MAC and EAP authentication. Can somebody gives me some hints on how to do that?
It can do both. EAP is authentication, MAC checking isn't really authentication.
What are you seeing in RADIUS packets, and what do you want to happen?
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Artur Hecker <artur.hecker@gmail.com> wrote:
implementing EAP or MAC authentication, meaning that one of both would work, is a huge security hole and requiring both is useless since EAP authentication implicitly filters away everything unauthenticated...
Doing *both* ensures that known users only use known hardware to access the net. Sort of. Alan DeKok.
Alan, well, unfortunately not really. and most importantly: it does not assure the users use the known SOFTware to access the net. imho, hardware has never ever represented a problem so far. ciao artur On 6/14/05, Alan DeKok <aland@ox.org> wrote:
Artur Hecker <artur.hecker@gmail.com> wrote:
implementing EAP or MAC authentication, meaning that one of both would work, is a huge security hole and requiring both is useless since EAP authentication implicitly filters away everything unauthenticated...
Doing *both* ensures that known users only use known hardware to access the net. Sort of.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
I use Cisco AP 1230 and I set on the authentication for "MAC and EAP authentication". On client side (Centrino/Windows XP), I set as mentioned in the HOW-TO for EAP-TLS. On Freeradius, I only see EAP authentication but no MAC authentication. Am I missing something? Please help. Thanks. ----- Original Message ----- From: "Alan DeKok" <aland@ox.org> To: "FreeRadius users mailing list" <freeradius-users@lists.freeradius.org> Sent: Tuesday, June 14, 2005 01:03 Subject: Re: MAC+EAP authentication
"Jefri bin Dahari" <jeff@mimos.my> wrote:
I plan to implement simultaneous MAC+EAP authentication for my wireless users. From my observation, Freeradius can only do either MAC or EAP but not MAC and EAP authentication. Can somebody gives me some hints on how to do that?
It can do both. EAP is authentication, MAC checking isn't really authentication.
What are you seeing in RADIUS packets, and what do you want to happen?
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
"Jefri bin Dahari" <jeff@mimos.my> wrote:
authentication". On client side (Centrino/Windows XP), I set as mentioned in the HOW-TO for EAP-TLS. On Freeradius, I only see EAP authentication but no MAC authentication. Am I missing something? Please help.
Read your NAS documentation. There's nothing you can do to FreeRADIUS to get the NAS to behave differently. Alan DeKOk.
participants (5)
-
Alan DeKok -
alan walters -
Alexandre Coninx -
Artur Hecker -
Jefri bin Dahari