Using NAS-Port-Type to allow or disallow?

Martin.Ward at Martin.Ward at
Thu Sep 22 16:22:26 CEST 2005

Hi all,

I have succumbed and purchased the RADIUS book from O'Reilly, but it'll be
a few days in coming so I'm going to have to bug you all again.

I'm still having problems understanding if I can allow some users access to
some equipment and others to other kit. I thought I could do it but I'm
having real problems, probably with my lack of understanding...

I have a wireless LAN switch which has access points ( APs ) connected to
it. When a laptop first connects to an AP that AP sends a RADIUS request
through the WLAN switch to the RADIUS server, passing the MAC address of
the laptop as the User-Name and also as the User-Password. I have a simple
flat file with all the allowed MAC addresses in it, and the passwd module
is being used to verify that the MAC address is in that flat file. This
works well.

Now because the WLAN switch is configured to use RADIUS to authenticate
laptops, it also uses it to authenticate logins to the switch itself. I
haven't found a way around this and don't think there is one. This means
that you can gain access to the WLAN switch by using the MAC address of
your laptop as the user name and password, albeit with fairly high
restrictions on what you can do. This is a security problem for two

1. Obviously anyone figuring this out can gain access to kit they should
not have access to (there are other ways of stopping this, but you'll
excuse me if I don't mention them here).
2. The proper administrators, and the default administration login itself,
have to be put in to the flat file I mentioned above to allow the
administrators access to the switch. The switch won't use its own internal
user and password list. This causes another security breach as we would
have to leave administrator logins and passwords lying around in flat
files, which is extremely insecure and just begging to be broken. I have
been trying to get administrator access to authenticate via the Unix module
since the RADIUS server is on a Linux box. Alas I have been unable to get
this to work.

Investigation reveals that when the AP passes the RADIUS request in, the
request sets 'NAS-Port-Type = Wireless-802.11' and the NAS-Port-ID to the
correct port value, while when the switch requests a login to be
authenticated the request contains 'NAS-Port-Type = Virtual', and doesn't
have the NAS-Port-ID or NAS-Identifier parameters set.

So, it seems I have lots of information to help me define if a RADIUS
request is coming from an access point (which requires MAC address
validation) or from the switch (which requires login username and password
validation), but I can't find a way of verifying via passwd OR Unix module,
only via both.

Is what I am after possible, or do I just not understand the way RADIUS
servers work?

Senior Network Administrator, NEC (Europe) Ltd.
Acton extension: 3379
NEC*Net: 800-44-21-3379
Direct: +44 20 8752 3379
Fax: +44 20 8752 3389
Mobile: +44 7721 869 356
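
The split the post asks about, as an added example that is not part of the original message and is not FreeRADIUS configuration: a Python model of an authorization decision keyed on NAS-Port-Type, so that MAC credentials are only honoured on wireless requests. The MAC list, the `netadmin` account and `demo_verifier` are constructed stand-ins.

```python
import hmac
import re

# Constructed sample data, not from the post.
ALLOWED_MACS = {"001122aabbcc", "00a0c9123456"}
_MAC_RE = re.compile(r"^([0-9a-f]{2}[:.-]?){5}[0-9a-f]{2}$")


def normalize_mac(value):
    """Return 12 lowercase hex digits, or None if value is not MAC-shaped."""
    v = value.strip().lower()
    return re.sub(r"[^0-9a-f]", "", v) if _MAC_RE.match(v) else None


def demo_verifier(user, password):
    """Hypothetical stand-in for a system (Unix) account check."""
    accounts = {"netadmin": "constructed-passphrase"}  # constructed sample
    expected = accounts.get(user)
    return expected is not None and hmac.compare_digest(expected.encode(), password.encode())


def decide(request, verify_system_login):
    """Route an Access-Request by NAS-Port-Type; return (accept, reason)."""
    port_type = request.get("NAS-Port-Type")
    user = request.get("User-Name", "")
    password = request.get("User-Password", "")

    if port_type == "Wireless-802.11":
        mac = normalize_mac(user)
        # The AP sends the laptop MAC as both User-Name and User-Password.
        if mac is None or normalize_mac(password) != mac:
            return False, "wireless request without MAC credentials"
        if mac not in ALLOWED_MACS:
            return False, "MAC not in allowed list"
        return True, "MAC authorised"

    if port_type == "Virtual":
        # Switch logins never consult the MAC list, so a laptop MAC cannot
        # double as a switch user name and password.
        if normalize_mac(user) is not None:
            return False, "MAC-shaped user name on switch login"
        if verify_system_login(user, password):
            return True, "system account authenticated"
        return False, "bad system credentials"

    return False, "unexpected NAS-Port-Type"
```
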
