Quarantining a System using Freeradius

"Jóhann B. Guðmundsson" johannbg at hi.is
Tue Nov 28 11:45:27 CET 2006

Dev Anand wrote:
> Hi All ,
> Is it possible to quarantine a system by placing it in different vlan
> by OpenRadius ?
> If so can somebody guide me on the steps that can be tried .
> The situation is like this :
> System already having an IP address , but found to be infected with a
> virus-worm.
> So it needs to be quarantined automatically .
> Thanks in advance,
> -Deva

I think the best way to tackle this would be MAC auth,
and I don't think it's very smart to put the machine into "quarantine";
just contact the person
who's responsible for the machine and tell him to wipe it instead of 
having a VLAN full of infected machines...

Phil Mayers gave a good sample on how to do this

<--- snip -->

The man page is pretty clear

Do something like:

modules {
  passwd mac2ok {
    filename = /etc/raddb/mac2ok
    format = "*Calling-Station-Id:~My-Local-String"
    hashsize = 100
  }

  # other modules
}

authorize {
  mac2ok      # looks up Calling-Station-Id in the file and sets My-Local-String
  # other modules
}

Make "/etc/raddb/mac2ok" read:

# macaddress:ok


...then in "users" put:

DEFAULT    My-Local-String != "ok", Auth-Type := Reject
    Reply-Message = "calling station id not allowed",
    Fall-Through = No

# Other config items

Depending on the version of the server, you might need the following in 

ATTRIBUTE    My-Local-String        3000    string

...where 3000 can be any number between 3000 and 4000 and 
My-Local-String is an arbitrary name you can use for a local config 

<-- snip -->

Then just create a script to add and remove MAC addresses to the file 
/etc/raddb/mac2ok ....

Best regards
                     Johann B.

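The script Johann suggests for maintaining /etc/raddb/mac2ok, as an added example that is not part of the original thread or of FreeRADIUS itself: a POSIX sh script with functions to allow, deny and query a MAC address. It assumes the NAS sends Calling-Station-Id as upper-case, dash-separated hex (AA-BB-CC-DD-EE-FF); rlm_passwd matches the key as a plain string, so the file must use exactly the spelling the NAS sends, and normalise_mac() canonicalises whatever form the operator types. Denied stations are written as MAC:denied rather than deleted, so the users entry above still rejects them (My-Local-String is not "ok") and the file keeps a record that the block was deliberate. The function names and the MAC2OK environment variable are this example's own choices.

```shell
#!/bin/sh
# Added example: maintain the mac2ok file read by the passwd module above.
# Not part of the original thread or of FreeRADIUS itself.
# Assumption: the NAS sends Calling-Station-Id as AA-BB-CC-DD-EE-FF (upper-case,
# dash-separated). rlm_passwd compares the key as a plain string, so the file
# must use exactly the spelling the NAS sends; adapt normalise_mac() if yours differs.

MAC2OK="${MAC2OK:-/etc/raddb/mac2ok}"

# Canonicalise aa:bb:cc:dd:ee:ff, aabb.ccdd.eeff or aabbccddeeff to AA-BB-CC-DD-EE-FF.
# Prints nothing and returns 1 if the argument is not a 48-bit MAC address.
normalise_mac() {
    hex=$(printf '%s' "$1" | sed 's/[-:.]//g' | tr 'a-f' 'A-F')
    case "$hex" in
        '' | *[!0-9A-F]*) return 1 ;;
    esac
    [ "${#hex}" -eq 12 ] || return 1
    printf '%s\n' "$hex" | sed 's/../&-/g; s/-$//'
}

# Print the value stored for a MAC ("ok", "denied", ...) or nothing if absent.
mac_status() {
    mac=$(normalise_mac "$1") || return 1
    [ -f "$MAC2OK" ] || return 0
    grep "^$mac:" "$MAC2OK" | head -n 1 | cut -d: -f2
}

# Replace (or add) the entry for a MAC, rewriting the file atomically so the
# server never reads a half-written file.
set_mac_status() {
    mac=$(normalise_mac "$1") || { echo "not a MAC address: $1" >&2; return 1; }
    tmp="$MAC2OK.tmp.$$"
    {
        if [ -f "$MAC2OK" ]; then grep -v "^$mac:" "$MAC2OK" || true; fi
        printf '%s:%s\n' "$mac" "$2"
    } > "$tmp"
    mv "$tmp" "$MAC2OK"
}

allow_mac() { set_mac_status "$1" ok; }

# Anything other than "ok" makes the users entry above reject the station;
# keeping a "denied" line records that the MAC was deliberately blocked.
deny_mac() { set_mac_status "$1" denied; }

# Mirror of the users-file test: exit 0 only when My-Local-String would be "ok".
would_accept() { [ "$(mac_status "$1")" = "ok" ]; }

# Command-line use: mac2ok.sh allow|deny|status <mac>
if [ "$#" -gt 0 ]; then
    case "$1" in
        allow)  allow_mac "$2" ;;
        deny)   deny_mac "$2" ;;
        status) mac_status "$2" ;;
        *)      echo "usage: $0 allow|deny|status <mac>" >&2 ;;
    esac
fi
```

The passwd module builds its hash table from the file when the server starts, so after changing the file restart or HUP radiusd for the new entries to take effect; that is also the moment to check with a test Access-Request that the Calling-Station-Id spelling in the file really matches what the NAS sends, since a format mismatch silently rejects everyone.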