FreeRADIUS Authentication/Authorization
Hello! We have an enviroment with FreeRADIUS working perfectly. Today, we authenticate users against an Active Directory with domain credentials. Then, in Microsoft NPS, we filter the groups of the user to match the requirements to connect to the WiFi. They must: 1) Have an AD user account joined to an specific group; 2) Have its device's mac address added to a specific list in a MySQL database. This way we can control how many devices each user can connect to our WiFi (whis is important in our company). The thing is: we have a situation where an user will be able to connect to wifi without having an AD credential. In this case I wonder if it possible to ask for the credential only if the machine is not one of these special machines. The logic would be: if (machine is one of the special) { check in the database for the mac and authorize without ad credentials } else { ask for credentials and go on via the normal way } I tried to change this logic in the sites-available/default, but it keeps asking password no matter the order of the validations. Any help would be appreciate. :) Regards, Luiz Fernando
On Wed, Nov 09, 2016 at 10:17:06AM -0200, Luiz Fernando Mizael Meier wrote:
We have an enviroment with FreeRADIUS working perfectly. Today, we authenticate users against an Active Directory with domain credentials. ... wifi without having an AD credential. In this case I wonder if it possible
You can't do only MAC auth with EAP on wireless. The closest you can get is probably to have a well-known shared username/password for those devices. But why? Or do a backwards step and spin up a separate PSK SSID. You can add local users in FreeRADIUS without having to auth against AD if you need to do that. Matthew -- Matthew Newton, Ph.D. <mcn4@leicester.ac.uk> Systems Specialist, Infrastructure Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk>
Hello Matthew! Today we have an PSK SSID and it is a mess. We change the password and after a week the whole world already know the password again. Let me clarify our internal situation, then you can give me some ideas. This enviroment is intended to run some kind of BYOD thing. Today, we have 2 SSIDs running in all the sites: 1 for clients(that leads directly to te internet without passing over our corporative network) and another for employee use (with certificate validation, just computers). Now we need to give users the possibility to have access to WhatsApp for sales in their personal cellphone. Wondering in a way to give them access to the internet and have some control of devices, we though in FreeRADIUS in the way I explained before. No problem untill then. Now we have some computers to run specific softwares. This machines aren't joined our domain and we don't want them to. They are just a terminal for specific use only. The problem with the PSK is the security. If we could validate this machines via mac and not asking for username/password would be the perfect scenario. I though I could do this authorization based in the link below, but I think I am misunderstanding something. https://wiki.freeradius.org/guide/mac-auth#mac-auth-and-802-1x_raddb-sites-a... Luiz 2016-11-09 10:24 GMT-02:00 Matthew Newton <mcn4@leicester.ac.uk>:
On Wed, Nov 09, 2016 at 10:17:06AM -0200, Luiz Fernando Mizael Meier wrote:
We have an enviroment with FreeRADIUS working perfectly. Today, we authenticate users against an Active Directory with domain credentials. ... wifi without having an AD credential. In this case I wonder if it possible
You can't do only MAC auth with EAP on wireless.
The closest you can get is probably to have a well-known shared username/password for those devices. But why?
Or do a backwards step and spin up a separate PSK SSID.
You can add local users in FreeRADIUS without having to auth against AD if you need to do that.
Matthew
-- Matthew Newton, Ph.D. <mcn4@leicester.ac.uk>
Systems Specialist, Infrastructure Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom
For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk> - List info/subscribe/unsubscribe? See http://www.freeradius.org/ list/users.html
On Wed, Nov 09, 2016 at 10:45:49AM -0200, Luiz Fernando Mizael Meier wrote:
Today we have an PSK SSID and it is a mess. We change the password and after a week the whole world already know the password again.
Which is the problem with shared secrets.
Now we have some computers to run specific softwares. This machines aren't joined our domain and we don't want them to. They are just a terminal for specific use only. The problem with the PSK is the security.
Sounds like the ideal situation for EAP-TLS and certificates.
If we could validate this machines via mac and not asking for username/password would be the perfect scenario. I though I could do this authorization based in the link below, but I think I am misunderstanding something.
The options are: - 802.1X (EAP) on its own - 802.1X *and* MAC auth - MAC auth As this is wireless, you're stuck with the 802.1X bit unless you do PSK. So you can either do it on its own, or in combination with MAC auth. Some wireless systems will let you do PSK with MAC auth against RADIUS IIRC. But MAC auth isn't really "auth", more like a filter with very large holes. So as I wrote before. You can't do 802.1X/EAP MAC-auth only. Matthew -- Matthew Newton, Ph.D. <mcn4@leicester.ac.uk> Systems Specialist, Infrastructure Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk>
Matthew, Thanks for you answer. We're been thinking and we'll problably go to sql. Today we already validate via sql the mac addresses (in authorization step). I was thinking in some way to ignore the username/password(in authentication step) if it is one of these special machines, once there is no way to not prompt them to. Thanks in advance. Luiz 2016-11-09 11:24 GMT-02:00 Matthew Newton <mcn4@leicester.ac.uk>:
On Wed, Nov 09, 2016 at 10:45:49AM -0200, Luiz Fernando Mizael Meier wrote:
Today we have an PSK SSID and it is a mess. We change the password and after a week the whole world already know the password again.
Which is the problem with shared secrets.
Now we have some computers to run specific softwares. This machines aren't joined our domain and we don't want them to. They are just a terminal for specific use only. The problem with the PSK is the security.
Sounds like the ideal situation for EAP-TLS and certificates.
If we could validate this machines via mac and not asking for username/password would be the perfect scenario. I though I could do this authorization based in the link below, but I think I am misunderstanding something.
The options are:
- 802.1X (EAP) on its own - 802.1X *and* MAC auth - MAC auth
As this is wireless, you're stuck with the 802.1X bit unless you do PSK. So you can either do it on its own, or in combination with MAC auth.
Some wireless systems will let you do PSK with MAC auth against RADIUS IIRC.
But MAC auth isn't really "auth", more like a filter with very large holes.
So as I wrote before. You can't do 802.1X/EAP MAC-auth only.
Matthew
-- Matthew Newton, Ph.D. <mcn4@leicester.ac.uk>
Systems Specialist, Infrastructure Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom
For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk> - List info/subscribe/unsubscribe? See http://www.freeradius.org/ list/users.html
participants (2)
-
Luiz Fernando Mizael Meier -
Matthew Newton