FreeRADIUS Authentication/Authorization

Luiz Fernando Mizael Meier lfmmeier at gmail.com
Wed Nov 9 13:45:49 CET 2016


Hello Matthew!

Today we have a PSK SSID and it is a mess. We change the password and
after a week the whole world already knows the password again.

Let me clarify our internal situation, then you can give me some ideas.

This environment is intended to run some kind of BYOD thing. Today, we have
2 SSIDs running in all the sites: 1 for clients (that leads directly to the
internet without passing over our corporate network) and another
for employee use (with certificate validation, just computers).

Now we need to give users the possibility to have access to WhatsApp for
sales on their personal cellphones. Wondering about a way to give them access
to the internet and have some control of devices, we thought of FreeRADIUS
in the way I explained before. No problem until then.

Now we have some computers to run specific software. These machines aren't
joined to our domain and we don't want them to be. They are just terminals for
specific use only. The problem with the PSK is the security.


If we could validate these machines via MAC and not ask for
username/password, it would be the perfect scenario. I thought I could do this
authorization based on the link below, but I think I am misunderstanding
something.
https://wiki.freeradius.org/guide/mac-auth#mac-auth-and-802-1x_raddb-sites-available-default

Luiz


2016-11-09 10:24 GMT-02:00 Matthew Newton <mcn4 at leicester.ac.uk>:

> On Wed, Nov 09, 2016 at 10:17:06AM -0200, Luiz Fernando Mizael Meier wrote:
> > We have an environment with FreeRADIUS working perfectly. Today, we
> > authenticate users against an Active Directory with domain credentials.
> ...
> > wifi without having an AD credential. In this case I wonder if it possible
>
> You can't do only MAC auth with EAP on wireless.
>
> The closest you can get is probably to have a well-known shared
> username/password for those devices. But why?
>
> Or do a backwards step and spin up a separate PSK SSID.
>
> You can add local users in FreeRADIUS without having to auth
> against AD if you need to do that.
>
> Matthew
>
>
> --
> Matthew Newton, Ph.D. <mcn4 at leicester.ac.uk>
>
> Systems Specialist, Infrastructure Services,
> I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom
>
> For IT help contact helpdesk extn. 2253, <ithelp at le.ac.uk>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


More information about the Freeradius-Users mailing list