Help: How to authenticate additional attribute
Neal.Garber at energyeast.com
Sun Oct 15 17:33:38 CEST 2006
> when the radius server authenticates the user, or whenever it is
re-associated again to the AP,
> it will prompt the user to enter the password and location
This may prove difficult if you are using the std. Windows supplicant
caches credentials. We use WinXP with PEAP/MS-Chapv2 and I don't get
reprompted for a password when it reauthenticates. I believe Vista has
to NOT cache wireless credentials. You perhaps could also have
something delete the
reg. key where the credentials are stored - that would force it to
prompt again.. Perhaps
you are using another supplicant that won't have this issue and that you
to prompt for additional information (loc.coord.)..?? Also, if location
generally known (10,10 = bldg 10/office 10 and 100,100 equals bldg 100,
then how do you prevent users from entering the wrong coordinates in
order to bypass
your check? Even if your scheme isn't as simple as I described above,
if the location coord.
of a place is constant, over time people will learn the coordinates and
they won't be
useful as an additional security check. Are these numbers randomly
or does each set of coordinates statically refer to a specific location
(that's what I meant
when I was asking the meaning of the coordinates)? If they're random,
how will the
information be given to the users?
> Thereafter, the radius server will check on the password and the
> If either is not right, it will reject the connection.
> The server will maintain a set of legitimate location coordinates in a
> and it will be updated by another program automatically.
Well, assuming you have a way to prompt, capture and send the "location
in the radius request, I would use rlm_perl during authorize and have it
location coordinate attribute to data in the file. You can easily
return RLM_REJECT if the
user hasn't specified a valid location coordinate. If you are planning
to bury the information
inside another attribute, you should check out attr_rewrite and hints as
they have the
ability to modify/create request attributes. As a caveat, this may not
be the best approach
though as I have only been using FR for a short time.
> In the future, the coordinate may be derived by a system.
If you're trying to authorize by physical location, have you thought
to which AP's they are authorized to connect (e.g., by Huntgroup-Name or
NAS-IP-Address)? Also, Cisco AP's have a "dot11 location" config.
that could be used to automatically pass static information as part of
radius requests (each AP would always pass the same static info though
the config. was changed). If this would work for you, the user wouldn't
enter anything (and they couldn't spoof the location coordinates).
Does this help you?
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Freeradius-Users