BYOD and base on MAC

Luc Paulin paulinster at gmail.com
Wed Jan 31 21:16:53 CET 2018


Great thanx Alan, I agree that a MAC can be easily spoofed, but the goal
here is mainly to move the user's device to another VLAN than corp and not
to do authentication. We may eventually move to EAP-TLS, but this is at
least a first step.

Yes, I checked the format and it's exactly the same ... Here's the output of
the debug section for authorized_macs.

=======
<------ LINES BEFORE REWRITE_CALLING_STATION_ID REMOVED --->
(29)     policy rewrite_calling_station_id {
(29)       if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(29)       if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> TRUE
(29)       if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(29)         update request {
(29)           EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
(29)              --> 18-65-90-CB-4C-69
(29)           &Calling-Station-Id := 18-65-90-CB-4C-69
(29)         } # update request = noop
(29)         [updated] = updated
(29)       } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) = updated
(29)       ... skipping else: Preceding "if" was taken
(29)     } # policy rewrite_calling_station_id = updated
(29) authorized_macs: EXPAND %{Calling-Station-ID}
(29) authorized_macs:    --> 18-65-90-CB-4C-69
(29)     [authorized_macs] = noop
(29)     if (!ok) {
(29)     if (!ok)  -> TRUE
(29)     if (!ok)  {
(29)       update reply {
(29)         Tunnel-Type := VLAN
(29)         Tunnel-Medium-Type := IEEE-802
(29)         Tunnel-Private-Group-Id := 155
(29)       } # update reply = noop
(29)     } # if (!ok)  = noop
(29)     ... skipping else: Preceding "if" was taken
(29)     [exec] = noop
(29)     policy remove_reply_message_if_eap {
(29)       if (&reply:EAP-Message && &reply:Reply-Message) {
(29)       if (&reply:EAP-Message && &reply:Reply-Message)  -> FALSE
(29)       else {
(29)         [noop] = noop
(29)       } # else = noop
(29)     } # policy remove_reply_message_if_eap = noop
(29)   } # post-auth = updated
(29) Login OK: [lpaulin] (from client clx3-fw-1 port 1 cli 18-65-90-CB-4C-69)
(29) Sent Access-Accept Id 98 from 10.250.33.157:1812 to 10.1.0.81:1507 length 0
(29)   MS-MPPE-Recv-Key = 0x13cc139e4e3c5b05b1477ec7f4ff0c93fe3bf7fd326efc8a679f1cc0e3e7d5a1
(29)   MS-MPPE-Send-Key = 0x745c0bf23f478b1009bc6645f0a1a680cb7efbaa1c852617eb04957276e55e88
(29)   EAP-Message = 0x03490004
(29)   Message-Authenticator = 0x00000000000000000000000000000000
(29)   User-Name = "lpaulin"
(29)   Tunnel-Type := VLAN
(29)   Tunnel-Private-Group-Id := "155"
(29)   Tunnel-Medium-Type := IEEE-802
(29)   Idle-Timeout := 60
(29)   Session-Timeout := 60
(29)   Termination-Action := RADIUS-Request
(29)   Juniper-Local-User-Name := "SU"
(29)   Juniper-Junosspace-Profile := "devops_users"
======

And here's the authorized_macs file content:
[root@radius-corp-01_{{PROD}} raddb]# cat authorized_macs
18-65-90-CB-4C-69
Reply-Message = "Device with MAC Address %{Calling-Station-Id} authorized for network access"

Thanx

--
                         !!!!!
                       ( o o )
 --------------oOO----(_)----OOo--------------
   Luc Paulin
   email: paulinster(at)gmail.com
   Skype: paulinster


2018-01-31 14:59 GMT-05:00 Alan DeKok <aland at deployingradius.com>:

> On Jan 31, 2018, at 2:50 PM, Luc Paulin <paulinster at gmail.com> wrote:
> >
> > I know that we can do a BYOD wireless setup with freeradius based on whether
> > the client was set up with a certificate (EAP-TLS) or not by checking the
> > EAP-Type field. But I was wondering, would it be possible to do it based on
> > MAC address.
>
>   You can do any checking you want, on any attribute you want.  The only
> restriction is that the attribute has to exist in the packet.
>
>   The one minor issue with MAC address is that people can spoof it.  But
> if they already have an EAP-TLS client certificate, that's less of a
> problem.
>
> > The idea here is that we would like to move the user to the appropriate VLAN
> > based on his device's MAC. If the MAC address is within that list, the device is
> > granted the corp VLAN, else it'll default to the BYOD VLAN.
>
>   Sure.
>
> > In the post-auth section I did add some lines in order to try to do the
> > check based on MAC address
> >
> > ========
> >  # We rewrite calling_station_id in order to do mac checkup
> >  rewrite_calling_station_id
> >
> >  # Check against the authorized_macs file
> >  authorized_macs
> >  if (!ok) {
> >    update reply {
> >      Tunnel-Type := 13
> >      Tunnel-Medium-Type := 6
> >      Tunnel-Private-Group-Id := 155
> >    }
> >  }
> >  else {
> >    update reply {
> >      Tunnel-Type := 13
> >      Tunnel-Medium-Type := 6
> >      Tunnel-Private-Group-Id := 157
> >    }
> >  }
> > ========
> >
> > However, it looks like authorized_macs always returns noop. Am I doing
> > something wrong, or is something not supported?
>
>   Post the debug output.  And ensure that the MAC addresses are all in the
> same format.
>
>   i.e. you MUST put the MACs into the "authorized_macs" configuration in
> *exactly the same format* as what you see in the packet.
>
>   Alan DeKok.
>
>
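Alan's point above (the allowlist entries must be in exactly the format the packet carries) and the rewrite_calling_station_id regex visible in the debug output can be checked offline before touching the server. The following Python is an added example, not part of this thread or of FreeRADIUS: it reproduces the rewrite, parses a constructed authorized_macs-style file, and flags keys that would never match the rewritten Calling-Station-Id.

```python
import re

# Pattern from the rewrite_calling_station_id policy in the debug output above: six
# hex pairs, each optionally followed by one non-hex separator character.
MAC_RE = re.compile(
    r"^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?"
    r"([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$", re.IGNORECASE)

# Constructed sample allowlist in users-file layout (key in column 0, reply items
# indented beneath it); the second key is deliberately not in canonical form.
SAMPLE_FILE = """\
18-65-90-CB-4C-69
\tReply-Message = "Device with MAC Address %{Calling-Station-Id} authorized for network access"
18:65:90:cb:4c:6a
\tReply-Message = "constructed entry written in the wrong format"
"""

def canonical_mac(value):
    """Equivalent of %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}: XX-XX-XX-XX-XX-XX, or None."""
    m = MAC_RE.match(value.strip())
    return "-".join(g.upper() for g in m.groups()) if m else None

def parse_authorized_macs(text):
    """Return ({canonical_key: [reply items]}, [problems]).  A key that is a MAC but not
    already in rewritten form is reported, since the lookup compares strings verbatim."""
    entries, problems, current = {}, [], None
    for lineno, raw in enumerate(text.splitlines(), 1):
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t":                      # indented: reply item for current key
            if current is None:
                problems.append(f"line {lineno}: reply item without a key line")
            else:
                entries[current].append(raw.strip())
            continue
        key = raw.split()[0]                     # first token is the entry name
        canon = canonical_mac(key)
        if canon is None:
            problems.append(f"line {lineno}: {key!r} is not a MAC address")
            current = None
            continue
        if canon != key:
            problems.append(f"line {lineno}: {key!r} must be written as {canon!r}")
        entries[canon], current = [], canon
    return entries, problems

def lookup(entries, calling_station_id, rewrite=True):
    # rewrite=False mimics skipping rewrite_calling_station_id before the file lookup
    key = canonical_mac(calling_station_id) if rewrite else calling_station_id
    return key in entries
```

Running `parse_authorized_macs` over the real file before a reload reports every key that the rewritten Calling-Station-Id could not match, which is the mismatch Alan asks to rule out.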

