Quarantining a System using Freeradius
Phil Mayers
p.mayers at imperial.ac.uk
Tue Nov 28 18:50:07 CET 2006
Jóhann B. Guðmundsson wrote:
>>
>> Is it possible to quarantine a system by placing it in a different vlan
>> with OpenRadius?
>>
>> If so, can somebody guide me on the steps that can be tried?
>>
>> The situation is like this:
>> The system already has an IP address, but is found to be infected with a
>> virus/worm.
>> So it needs to be quarantined automatically.
>>
>
> I think the best way to tackle this would be mac auth,
> and I don't think it's very smart to put the machine into "quarantine";
> just contact the person
> who's responsible for the machine and tell him to wipe it instead of
> having a vlan full of infected machines...
>
> Phil Mayers gave a good sample on how to do this.
Interestingly enough, the reason I even know about rlm_passwd is that
way back in the mists of time Alan DeKok gave me an extremely
comprehensive answer to a similar query.
You'll face two issues kicking people into a "quarantine":
1. The quarantine vlan almost certainly is not the same vlan number on
all your NASes (if it is, you have a simple network and can skip some of
the following)
2. Once you have decided to "kick" a user, you need to make the NAS
(switch) re-query for the vlan info *and* get the person's computer to
somehow re-get a DHCP lease.
The architecture I'm planning to deploy is as follows:
/etc/raddb/nas2location:
10.1.1.1:loc1
10.2.1.1:loc2
/etc/raddb/mac2zone:
00:11:22:33:44:55,OK
aa:bb:cc:dd:ee:ff,BANNED
/etc/raddb/radiusd.conf (partial!):
modules {
        # rlm_passwd format: "*" marks the key field, "~" marks a field
        # that is added to the *request* so the users file can check it.
        # MyLocationAttribute and MyZoneAttribute must be defined in the
        # local dictionary.
        passwd nas2location {
                filename = /etc/raddb/nas2location
                format = "*NAS-IP-Address:~MyLocationAttribute"
                # ":" is the default delimiter, matching the file above
                hashsize = 100
        }
        passwd mac2zone {
                filename = /etc/raddb/mac2zone
                format = "*Calling-Station-Id:~MyZoneAttribute"
                # the mac2zone file is comma-separated, so say so
                delimiter = ","
                hashsize = 100
        }
}
authorize {
preprocess
nas2location
mac2zone
users
}
/etc/raddb/users:
# only do the following for ethernet - maybe wireless?
DEFAULT NAS-Port-Type != Ethernet
        Fall-Through = No

# Avoid duplication: every matching entry below gets these two
DEFAULT
        Tunnel-Type = VLAN,
        Tunnel-Medium-Type = IEEE-802,
        Fall-Through = Yes

# One entry per (location, zone) pair; the vlan number differs per switch
DEFAULT MyLocationAttribute == "loc1", MyZoneAttribute == "BANNED"
        Tunnel-Private-Group-Id = "31"

DEFAULT MyLocationAttribute == "loc2", MyZoneAttribute == "BANNED"
        Tunnel-Private-Group-Id = "32"

DEFAULT MyLocationAttribute == "loc1", MyZoneAttribute == "OK"
        Tunnel-Private-Group-Id = "21"

DEFAULT MyLocationAttribute == "loc2", MyZoneAttribute == "OK"
        Tunnel-Private-Group-Id = "22"
Obviously I recommend you automatically generate all that and HUP the
radius server when reloading *or* use SQL or LDAP or some other dynamic
lookup (you could use an Exec-* but I was concerned about performance).
Once you decide to ban a user you need a way to kick him/her off so the
edge switch will re-get the vlan ID and their PC will re-get an IP
address. On wired ethernet, I recommend seeing if your switches will let
you SNMP "set" the following OID:
ifMauAutoNegRestart.$ifIndex.$ifMauIndex = integer(1)
...if it does (e.g. 3Com 4400s do) then the link will go down as autoneg
restarts, and the mac-based vlans will be re-fetched, *and* Windows will
re-get its DHCP lease.
Obviously you will need to keep track of which MAC address is on which
switch and ifIndex, but you should be able to add logging to the above
configuration to keep that state.
Finally, of course, your NASes (switches) will need to support MAC-based
vlans via Radius.
Basically, yes you can do it if your NAS supports it, but you can expect
to spend some SERIOUS time making it work well.
I hope that helps.
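The post recommends generating the three files automatically and then HUPing radiusd, and kicking the banned port over SNMP. Below is an added example of such a generator, written for this page in Python; it is not code from the original post or from FreeRADIUS. File names, attribute names and the VLAN numbers follow the post; the pid-file path, the MAC spelling styles, the "ifMauIndex = 1" default and the snmpset invocation are assumptions for illustration. It also checks the things that silently break this scheme: a NAS mapped to a location with no VLANs, a MAC listed in both zones, a VLAN number out of range, and a Calling-Station-Id spelling that does not match the key in mac2zone (rlm_passwd compares the key as an exact string).

```python
"""Generate nas2location, mac2zone and users for the MAC -> zone -> per-switch
VLAN scheme, install them atomically, HUP radiusd, and build the SNMP kick.
Added example for this page; not code from the original post or FreeRADIUS.
Assumptions: pid-file path, MAC styles, ifMauIndex=1, snmpset on the PATH."""
import os
import re
import signal
import tempfile

RADDB = "/etc/raddb"                      # as in the post
PIDFILE = "/var/run/radiusd/radiusd.pid"  # assumed; depends on your packaging
ZONES = ("OK", "BANNED")

# Constructed sample data matching the post's files and users entries.
SAMPLE_VLANS = {"loc1": {"OK": "21", "BANNED": "31"},
                "loc2": {"OK": "22", "BANNED": "32"}}
SAMPLE_NAS = {"10.1.1.1": "loc1", "10.2.1.1": "loc2"}
SAMPLE_MACS = {"00:11:22:33:44:55": "OK", "AA-BB-CC-DD-EE-FF": "BANNED"}


def canonical_mac(mac, style="colon"):
    """Rewrite a MAC into the exact spelling this NAS sends in
    Calling-Station-Id; rlm_passwd does an exact-string lookup on the key."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError("not a MAC address: %r" % mac)
    pairs = [digits[i:i + 2] for i in range(0, 12, 2)]
    if style == "colon":   # 00:11:22:33:44:55 (the post's format)
        return ":".join(pairs)
    if style == "dash":    # 00-11-22-33-44-55
        return "-".join(pairs)
    if style == "cisco":   # 0011.2233.4455
        return ".".join(digits[i:i + 4] for i in range(0, 12, 4))
    raise ValueError("unknown MAC style %r" % style)


def render_nas2location(nas_to_loc, vlans):
    """':'-delimited NAS-IP-Address:location lines (rlm_passwd's default
    delimiter). A NAS mapped to an unknown location would get no VLAN."""
    out = []
    for nas, loc in sorted(nas_to_loc.items()):
        if loc not in vlans:
            raise ValueError("NAS %s maps to unknown location %r" % (nas, loc))
        out.append("%s:%s" % (nas, loc))
    return "\n".join(out) + "\n"


def render_mac2zone(mac_to_zone, style="colon"):
    """','-delimited mac,zone lines (the module needs delimiter = ",").
    Rejects unknown zones and a MAC that appears with two different zones."""
    seen = {}
    for mac, zone in mac_to_zone.items():
        if zone not in ZONES:
            raise ValueError("MAC %s has unknown zone %r" % (mac, zone))
        key = canonical_mac(mac, style)
        if seen.get(key, zone) != zone:
            raise ValueError("MAC %s listed as both %s and %s" % (key, seen[key], zone))
        seen[key] = zone
    return "".join("%s,%s\n" % (k, seen[k]) for k in sorted(seen))


def render_users(vlans):
    """The post's users file: one DEFAULT entry per (location, zone).
    MyLocationAttribute/MyZoneAttribute must exist in the local dictionary."""
    lines = ["# generated file; edit the source tables instead",
             "DEFAULT NAS-Port-Type != Ethernet", "\tFall-Through = No", "",
             "DEFAULT", "\tTunnel-Type = VLAN,", "\tTunnel-Medium-Type = IEEE-802,",
             "\tFall-Through = Yes", ""]
    for loc in sorted(vlans):
        for zone in ZONES:
            if zone not in vlans[loc]:
                raise ValueError("location %s has no VLAN for zone %s" % (loc, zone))
            vlan = int(vlans[loc][zone])
            if not 1 <= vlan <= 4094:
                raise ValueError("bad VLAN %d for %s/%s" % (vlan, loc, zone))
            lines.append('DEFAULT MyLocationAttribute == "%s", MyZoneAttribute == "%s"'
                         % (loc, zone))
            lines.append('\tTunnel-Private-Group-Id = "%d"' % vlan)
            lines.append("")
    return "\n".join(lines)


def write_atomic(path, text):
    """Write via rename so radiusd never reads a half-written table on HUP."""
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path), prefix=".tmp-")
    with os.fdopen(fd, "w") as f:
        f.write(text)
    os.chmod(tmp, 0o640)
    os.rename(tmp, path)


def hup_radiusd(pidfile=PIDFILE):
    """SIGHUP radiusd so it re-reads its configuration, as the post suggests."""
    with open(pidfile) as f:
        os.kill(int(f.read().strip()), signal.SIGHUP)


def kick_port_argv(switch, community, ifindex, ifmauindex=1):
    """net-snmp command for the post's kick: set ifMauAutoNegRestart to
    restart(1) so the link drops, the switch re-fetches the VLAN and the host
    renews DHCP. Needs MAU-MIB installed and a switch that honours the write."""
    oid = "MAU-MIB::ifMauAutoNegRestart.%d.%d" % (ifindex, ifmauindex)
    return ["snmpset", "-v2c", "-c", community, switch, oid, "i", "1"]


def regenerate(nas_to_loc, mac_to_zone, vlans, raddb=RADDB, style="colon"):
    """Render all three files (users is assumed to hold only this content),
    install them atomically, then HUP radiusd."""
    write_atomic(os.path.join(raddb, "nas2location"), render_nas2location(nas_to_loc, vlans))
    write_atomic(os.path.join(raddb, "mac2zone"), render_mac2zone(mac_to_zone, style))
    write_atomic(os.path.join(raddb, "users"), render_users(vlans))
    hup_radiusd()


if __name__ == "__main__":
    print(render_users(SAMPLE_VLANS))
    print(render_mac2zone(SAMPLE_MACS), end="")
```

Run `regenerate(nas_map, mac_map, vlan_table)` from whatever marks a MAC as BANNED, then run the `kick_port_argv(...)` command for the switch and ifIndex your logging recorded for that MAC. The SNMP write community in the argv is a credential; keep it out of shell history and shared config.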
More information about the Freeradius-Users
mailing list