802.1x/EAP-TLS and MAC authentication via SQL with dynamic VLANs
Hi! We've currently a MAC authentication running with dynamic VLANs via SQL for wired clients. We return the wished VLAN for the client by using the SQL function authorize_reply_query. We now want to add 802.1x EAP-TLS as supported authentication method. I got the setup sofar that I'm able to authenticated a client which supports it via 802.1x and the others as fallback with MAC. With MAC auth everything works but with 802.1x I'm not able to return the VLAN the switch should use. How can I tell freeradius to make a sql lookup for the reply values? And how can I use the CN of the certificate in the SQL query? I believe I need one query for MAC and one for EAP-TLS, as for one I search for the MAC address and in the other the CN ... correct? The last question is more general. How do I get the mac address for a client that is authenticating with EAP-TLS, would like to add this to the sqllog? Thx for your help! I'm using freeradius2-2.1.7-7.el5 on rhel5 with following config authorize { eap { ok = return } redundant { sql do_not_respond #send nothing to the switch if sql fails, another server will take over } if (ok) { update control { Auth-Type := Accept } # 'handled' does not work here ok = return } } Mit freundlichen Grüßen Robert Penz ---------------------------------------------------- Dipl. Inf. Robert Penz DVT-Daten-Verarbeitung-Tirol GmbH Adamgasse 22, 6020 Innsbruck Tel: +43 512 508 3334 / Fax: +43 512 508 3355 eMail: robert.penz@tirol.gv.at
Hello everyone I amnew to the listand neverworked withfreeradius, I need implementin mywireless networkauthenticationusingMSCHAPv2 system users, has anyonedone this? using: -Freebsd8 -Freeradius2 Marlos
Hi,
I am new to the list and never worked with freeradius, I need implement in my wireless network authentication using MSCHAPv2 system users, has anyone done this?
yes, this is a fairly standard deployment - I'm assuming your wireles will be using 802.1X (PEAP) for that MSCHAPv2 authentication? straight out of the box, FreeRADIUS will do it - you just need to put into place your own certificates. alan
On Thu, Mar 22, 2012 at 9:54 PM, Alan Buxey <A.L.M.Buxey@lboro.ac.uk> wrote:
Hi,
I am new to the list and never worked with freeradius, I need implement in my wireless network authentication using MSCHAPv2 system users, has anyone done this?
yes, this is a fairly standard deployment - I'm assuming your wireles will be using 802.1X (PEAP) for that MSCHAPv2 authentication?
straight out of the box, FreeRADIUS will do it
Really? Does freebsd store passwords as cleartext or nt-hash? Otherwise I can't imagine how mschapv2 will work with system users. -- Fajar
Hi,
Really? Does freebsd store passwords as cleartext or nt-hash? Otherwise I can't imagine how mschapv2 will work with system users.
ah yes - sorry , didnt see that small phrase - system users would be a pain WHATEVER os you use as they'll be crypted in some way. the basic stuff will all be fine though alan
Alan thanks, I'lltry to seewith mysql. Marlos Em 22/03/2012 12:09, Alan Buxey escreveu:
Hi,
Really? Does freebsd store passwords as cleartext or nt-hash? Otherwise I can't imagine how mschapv2 will work with system users. ah yes - sorry , didnt see that small phrase - system users would be a pain WHATEVER os you use as they'll be crypted in some way. the basic stuff will all be fine though
alan - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Hi, On Thu, Mar 22, 2012 at 03:24:41PM +0100, PENZ Robert wrote:
And how can I use the CN of the certificate in the SQL query? I believe I need one query for MAC and one for EAP-TLS, as for one I search for the MAC address and in the other the CN ... correct?
Common Name of the cert is in TLS-Client-Cert-Common-Name, but only available in post-auth. However, that should be OK to update the reply to set a VLAN.
I'm using freeradius2-2.1.7-7.el5 on rhel5 with following config
You'll need to upgrade to 2.1.12. This is too old and doesn't have the above attribute.
The last question is more general. How do I get the mac address for a client that is authenticating with EAP-TLS, would like to add this to the sqllog? Thx for your help!
Calling-Station-Id, as usual. Matthew -- Matthew Newton, Ph.D. <mcn4@le.ac.uk> Systems Architect (UNIX and Networks), Network Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk>
Hi! Thx for the fast response! But how to I execute the SQL authorize_reply_query query after I did a EAP authentication? I don't do that currently in post-auth. I just have the sql modul activated in authorize. Or would it be anyway a better Idea to have more than one issuers and I return the VLAN data based on that? E.g. one issuer for the PC net and one for the printer net? Can I use the issuer in a SQL query? As I've different switch types which need different responses. I use a SQL lookup with the NAS IP with a switch type table to get the correct response. Mit freundlichen Grüßen Robert Penz -----Ursprüngliche Nachricht----- Von: freeradius-users-bounces+robert.penz=tirol.gv.at@lists.freeradius.org [mailto:freeradius-users-bounces+robert.penz=tirol.gv.at@lists.freeradius.org] Im Auftrag von Matthew Newton Gesendet: Donnerstag, 22. März 2012 15:48 An: FreeRadius users mailing list Betreff: Re: 802.1x/EAP-TLS and MAC authentication via SQL with dynamic VLANs Hi, On Thu, Mar 22, 2012 at 03:24:41PM +0100, PENZ Robert wrote:
And how can I use the CN of the certificate in the SQL query? I believe I need one query for MAC and one for EAP-TLS, as for one I search for the MAC address and in the other the CN ... correct?
Common Name of the cert is in TLS-Client-Cert-Common-Name, but only available in post-auth. However, that should be OK to update the reply to set a VLAN.
I'm using freeradius2-2.1.7-7.el5 on rhel5 with following config
You'll need to upgrade to 2.1.12. This is too old and doesn't have the above attribute.
The last question is more general. How do I get the mac address for a client that is authenticating with EAP-TLS, would like to add this to the sqllog? Thx for your help!
Calling-Station-Id, as usual. Matthew -- Matthew Newton, Ph.D. <mcn4@le.ac.uk> Systems Architect (UNIX and Networks), Network Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk> - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Hi, On Thu, Mar 22, 2012 at 04:27:14PM +0100, PENZ Robert wrote:
But how to I execute the SQL authorize_reply_query query after I did a EAP authentication? I don't do that currently in post-auth. I just have the sql modul activated in authorize.
Sorry, can't help here. I've never done any SQL in FreeRADIUS. But my previous comments apply. You can set any VLANs based on calling-station-id or other normal attributes in authorize or post-auth, but if you want to set VLANs based on the certificate subject special attributes, you'll need to upgrade to 2.1.12 and do it in post-auth. When 3.x arrives, there is a new feature that lets you do it in an eap-tls virtual server authorize section, but that's not available yet. Still, there should be no need for that unless you want to reject connections based on TLS certificate data, rather than just set the VLAN. Matthew -- Matthew Newton, Ph.D. <mcn4@le.ac.uk> Systems Architect (UNIX and Networks), Network Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk>
On 22/03/12 15:27, PENZ Robert wrote:
Hi!
Thx for the fast response!
But how to I execute the SQL authorize_reply_query query after I did a EAP authentication? I don't do that currently in post-auth. I just have the sql modul activated in authorize.
Like this: post-auth { if (TLS-Client-Cert ~ /.../) { update reply { Tunnel-Private-Group-Id := "%{sql:query goes here}" } } } You can run any SQL query you like as part of an expansion. The SQL query can reference any attributes you like, using standard attribute expansion. See "man unlang".
participants (6)
-
Alan Buxey -
Fajar A. Nugraha -
Marlos Alex -
Matthew Newton -
PENZ Robert -
Phil Mayers