Wildcards in Username and Passwd

Jason Montgomery jmont at preferredtechnology.com
Wed May 10 23:25:52 CEST 2006


You are correct about being able to sneeze and break into the network.
But luckily all machines with that prefix will be placed into a Ethernet
Only VLAN.  The Devices with that prefix belong to a Ethernet based
phone system (www.3com.com/nbx) so anyone who breaks into that vlan will
only be able to see the broadcast Ethernet packets the phones are
sending out occasionally.  As a extra layer of security the phone system
itself will only communicate with phones that have already been
configured in its internal mac table list.

Thanks for the help

Jason


-----Original Message-----
From:
freeradius-users-bounces+jmont=preferredtechnology.com at lists.freeradius.
org
[mailto:freeradius-users-bounces+jmont=preferredtechnology.com at lists.fre
eradius.org] On Behalf Of Dennis Skinner
Sent: Wednesday, May 10, 2006 3:54 PM
To: FreeRadius users mailing list
Subject: Re: Wildcards in Username and Passwd

Jason Montgomery wrote:
> Hello I have a customer who would like to have 100% MAC address lock
> down on their network.   To do that we are able to have the Ethernet
> Switches Send the Device MAC address as the Username and password to
the
> Radius Server.   The question I have is on the radius server is it
> possible to set a wildcard so that any device showing "00-E0-BB" as
the
> MAC Address prefix will automatically be accepted then I can throw the
> usual variables back at the port.  If this is possible then I can
avoid
> having to enter 300 Devices into the Radius table.

This may give you some ideas:

http://wiki.freeradius.org/index.php/Adding%2C_Removing%2C_Modifying_Att
ributes_for_further_processing

But, I should warn you, that anyone wanting to break into your
customers' network can sneeze and have a machine fake a MAC address.
Hell, some Cisco equipment even have a builtin command to do it (handy
for replacing/upgrading routers without messing up local ARP tables).
Hopefully there is some other form of authentication.

-- 
Dennis Skinner
Systems Administrator
BlueFrog Internet
http://www.bluefrog.com
- 
List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html




More information about the Freeradius-Users mailing list