Using NAS-Port-Type to allow or disallow?
Alan DeKok
aland at ox.org
Thu Sep 22 20:43:05 CEST 2005
Martin.Ward at uk.neceur.com wrote:
> I have a wireless LAN switch which has access points ( APs ) connected to
> it. When a laptop first connects to an AP that AP sends a RADIUS request
> through the WLAN switch to the RADIUS server, passing the MAC address of
> the laptop as the User-Name and also as the User-Password. I have a simple
> flat file with all the allowed MAC addresses in it, and the passwd module
> is being used to verify that the MAC address is in that flat file. This
> works well.
OK...
> Now because the WLAN switch is configured to use RADIUS to authenticate
> laptops, it also uses it to authenticate logins to the switch itself, I
> haven't found a way around this and don't think there is one.
The "access point login" packets will be different from the "mac
address login" packets. Use those differences as a key to decide when
to allow MAC address authentication.
> 2. The proper administrators, and the default administration login itself,
> have to be put in to the flat file I mentioned above to allow the
> administrators access to the switch. The switch won't use its own internal
> user and password list. This causes another security breach as we would
> have to leave administrator logins and passwords lying around in flat
> files, which is extremely insecure and just begging to be broken.
So use crypt'd passwords in FreeRADIUS.
> Investigation reveals that when the AP passes the RADIUS request in, the
> request sets 'NAS-Port-Type = Wireless-802.11' and the NAS-Port-ID to the
> correct port value, while when the switch requests a login to be
> authenticated the request contains 'NAS-Port-Type = Virtual', and doesn't
> have the NAS-Port-ID or NAS-Identifier parameters set.
There you go.
> So, it seems I have lots of information to help me define if a RADIUS
> request is coming from an access point (which requires MAC address
> validation) or from the switch (which requires login username and password
> validation), but I can't find a way of verifying via passwd OR Unix module,
> only via both.
See doc/Autz-Type
In the "users" file, do:

    DEFAULT NAS-Port-Type == Virtual, Auth-Type := System
    DEFAULT NAS-Port-Type == Wireless-802.11, Autz-Type := bar
    DEFAULT Auth-Type := Reject

Then in radiusd.conf, "authorize" section, add at the bottom:

    Autz-Type bar {
        passwd
    }
And it should work.
> Is what I am after possible, or do I just not understand the way RADIUS
> servers work?
It's possible. You've described the problem and the information you
have well. All you need is pointers to the docs & sample configurations.
Alan DeKok.
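To show how the three "users" entries in the reply dispatch a request, here is an added Python model of the users-file first-match rule (not FreeRADIUS code and not part of the original thread). The entries are parsed from the text above; ALLOWED_MACS, which stands in for the flat file the passwd module reads, and the sample requests are constructed for illustration.

```python
"""Model of the users-file dispatch from the reply (added example, not FreeRADIUS code).

FreeRADIUS tries users-file entries top to bottom and stops at the first entry
whose check items (the "==" items) all match, unless Fall-Through is set.  The
third DEFAULT entry has no check items, so it matches anything the first two
did not, which is what makes the catch-all Reject work.
"""
import re

# The three DEFAULT entries from the reply, verbatim.
USERS_FILE = """
DEFAULT NAS-Port-Type == Virtual, Auth-Type := System
DEFAULT NAS-Port-Type == Wireless-802.11, Autz-Type := bar
DEFAULT Auth-Type := Reject
"""

# Constructed stand-in for the flat file of allowed MAC addresses read by passwd.
ALLOWED_MACS = {"001122334455", "66778899aabb"}


def parse_users(text):
    """Parse 'NAME item, item, ...' lines into (name, {attr: (op, value)}) pairs."""
    entries = []
    for line in text.strip().splitlines():
        name, _, rest = line.strip().partition(" ")
        items = {}
        for item in rest.split(","):
            m = re.match(r"\s*([\w-]+)\s*(==|:=)\s*(\S+)", item)
            if m:
                items[m.group(1)] = (m.group(2), m.group(3))
        entries.append((name, items))
    return entries


ENTRIES = parse_users(USERS_FILE)


def authorize(request):
    """Return the decision for a request dict of attribute -> value; first match wins."""
    for name, items in ENTRIES:
        if name != "DEFAULT" and name != request.get("User-Name"):
            continue  # named entries only match their own user
        checks = {k: v for k, (op, v) in items.items() if op == "=="}
        if all(request.get(k) == v for k, v in checks.items()):
            control = {k: v for k, (op, v) in items.items() if op == ":="}
            if control.get("Autz-Type") == "bar":
                # Autz-Type bar runs the passwd module against the MAC list.
                return "Accept" if request.get("User-Name") in ALLOWED_MACS else "Reject"
            return control.get("Auth-Type", "Reject")
    return "Reject"
```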