MAC authentication Auth Key Mgmt
Hi: I have deployed a Wireless network that authenticates with WPA2 with 802.1x key mgmt. Radius is configured to validate users against Active Directory. Our company was recently bought out and we routinely have employees of the parent company come to our office and they need to use the wireless network (eventually wired as well). The integration of our domains is a few months out still. So the problem I have is that since 802.1x is tied into Windows user credentials they are not able to authenticate as their users are not in our AD domain. Therefore I wanted to authenticate them via their MAC address. So I read up on authenticating with MACS and setup my default vhost as follows: authorized_macs if (ok) { # if MAC is known ACCEPT update control { Auth-Type := Accept } } else { eap { ok = return } update reply { Tunnel-Type:1 := 13 Tunnel-Medium-Type:1 := 6 } if (Ldap-Group == "netCoreClass-IT") { update reply { Tunnel-Private-Group-Id:1 := 102 } } So authenticate if the MAC is known, else go through the normal authentication process of validating their AD credentials. This appears to work, sort of. In that it returns an Access-Accept if the MAC is known. However, and there is where my knowledge is lacking, I don't think it is then agreeing on an encryption key. When validating with credentials (and running radius in debug mode) there are many more Access Challenge and Response packets. Which I am assuming are message to generate and agree on the management key. When validation occurs just on the MAC address I don't see all those extra messages and the device never fully authenticates on the WIFI. The Access-Accept response when using credentials is: Sending Access-Accept of id 134 to 192.168.102.7 port 32769 Tunnel-Type:1 = VLAN Tunnel-Medium-Type:1 = IEEE-802 Tunnel-Private-Group-Id:1 = "102" User-Name = "mceroni" MS-MPPE-Recv-Key = 0x6118d49fe07452919f832d8cb45c721f39e693cdb05270d48c1d74c8d67e975e MS-MPPE-Send-Key = 0xcc7af786ff05d3d840ffc5752e46ea33ab3c933ab50b300a6e4f37aa47fc4293 EAP-Message = 0x030c0004 Message-Authenticator = 0x00000000000000000000000000000000 Whereas with MAC it is: Sending Access-Accept of id 135 to 192.168.102.7 port 32769 Reply-Message = "Testing Device MAC Address e8-99-c4-7c-16-b9" Tunnel-Type:1 := VLAN Tunnel-Medium-Type:1 := IEEE-802 Tunnel-Private-Group-Id:1 := "102" Missing the MS-MPPE parameters, which after googling I believe have to do with the authentication key used for encryption. Thanks in advance
Matthew Ceroni wrote:
Our company was recently bought out and we routinely have employees of the parent company come to our office and they need to use the wireless network (eventually wired as well). The integration of our domains is a few months out still. So the problem I have is that since 802.1x is tied into Windows user credentials they are not able to authenticate as their users are not in our AD domain.
Why not proxy those requests to he parent RADIUS server? Or do they even have a parent RADIUS server... ?
Therefore I wanted to authenticate them via their MAC address. So I read up on authenticating with MACS and setup my default vhost as follows:
authorized_macs if (ok) { # if MAC is known ACCEPT update control { Auth-Type := Accept }
That won't really work. The entire point of EAP is to have a secure authentication method. You can't bypass it.
This appears to work, sort of. In that it returns an Access-Accept if the MAC is known. However, and there is where my knowledge is lacking, I don't think it is then agreeing on an encryption key.
Exactly. It's *impossible* to bypass the encryption key step. EAP is designed to make it impossible.
Missing the MS-MPPE parameters, which after googling I believe have to do with the authentication key used for encryption.
Yes. And you can't just generate it. You MUST do the complete EAP exchange. Your best bet is to proxy those requests to the parent RADIUS server. Or, set up a separate guest SSID, and do MAC authentication on it. Alan DeKok.
Thanks. I figured that would be the answer. I will come up with a solution based on your recommendations. On Oct 16, 2013 4:51 PM, "Alan DeKok" <aland@deployingradius.com> wrote:
Matthew Ceroni wrote:
Our company was recently bought out and we routinely have employees of the parent company come to our office and they need to use the wireless network (eventually wired as well). The integration of our domains is a few months out still. So the problem I have is that since 802.1x is tied into Windows user credentials they are not able to authenticate as their users are not in our AD domain.
Why not proxy those requests to he parent RADIUS server? Or do they even have a parent RADIUS server... ?
Therefore I wanted to authenticate them via their MAC address. So I read up on authenticating with MACS and setup my default vhost as follows:
authorized_macs if (ok) { # if MAC is known ACCEPT update control { Auth-Type := Accept }
That won't really work. The entire point of EAP is to have a secure authentication method. You can't bypass it.
This appears to work, sort of. In that it returns an Access-Accept if the MAC is known. However, and there is where my knowledge is lacking, I don't think it is then agreeing on an encryption key.
Exactly. It's *impossible* to bypass the encryption key step. EAP is designed to make it impossible.
Missing the MS-MPPE parameters, which after googling I believe have to do with the authentication key used for encryption.
Yes. And you can't just generate it. You MUST do the complete EAP exchange.
Your best bet is to proxy those requests to the parent RADIUS server. Or, set up a separate guest SSID, and do MAC authentication on it.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On Wed, Oct 16, 2013 at 05:36:14PM -0700, Matthew Ceroni wrote:
Thanks. I figured that would be the answer. I will come up with a solution based on your recommendations.
If you have access to both domains then you should be able to auth against one, and if that fails, try the other. It works best if there is a trust relationship between the domains, so your RADIUS server only has to be joined to one domain. Otherwise you should be able to run two instances of samba, each joined to the different domain, and then try each auth against both. If you're using EAP-TTLS then you have access to the plaintext password, so can auth againt the parent domain's LDAP if you're not actually joined. Nasty, but it will work. If this is too complicated, and they don't have their own RADIUS server, then you should be able to set up a second server that is joined to their domain, and then proxy to that keyed off the realm, or the form of the username, or the MAC address, etc. (I'd try and find something that lets you identify the distinct groups of users, to save having to manually maintain a list of MAC addresses - even if it's "add @parentdomain to your username" or similar. Matthew -- Matthew Newton, Ph.D. <mcn4@le.ac.uk> Systems Specialist, Infrastructure Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk>
participants (3)
-
Alan DeKok -
Matthew Ceroni -
Matthew Newton