User + Device Authentication to Specific Network

Duncan X Simpson virtualdxs at gmail.com
Fri Jun 7 21:06:17 CEST 2019


Let me preface this by saying I'm fairly new to network administration
(around a year of experience). I have an idea of what I want to do, but it
may very well not be possible, a good idea or even a sane one.

I have a FreeRADIUS server with a SQL backend. It's running authentication
for an 802.1X wifi network, and soon our VPN. Currently, when somebody logs
in it drops them on our main VLAN (not retrieved from RADIUS yet; set
statically on the NAS). I have set up groups that will be tied to VLANs,
but I would like to increase security by doing this:

User has permissions to access either VLAN 1 or 2, 2 being a privileged
VLAN, but only pre-approved devices are allowed on VLAN 2. There is a list
(ideally in SQL) of MAC addresses of these devices.

 - User successfully authenticates as user
 - FreeRADIUS does not find the MAC address of the client in the list
 - User gets dropped onto VLAN 1

 - User successfully authenticates as user
 - FreeRADIUS finds the MAC address of the client in the list
 - User gets dropped onto VLAN 2

It would also work if the user needed to add a suffix, say .privileged, in
order to get to VLAN 2 (a la hints file) and it rejected them entirely
rather than dropping them on VLAN 1 if they provided that but the device
wasn't authorized.

Is there a way to accomplish this? I welcome any advice, suggestions,
criticism, etc.

Duncan X Simpson, K7DXS
Removal of this tagline is a violation of Federal Law.
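An added example (not from the thread) of how both variants described above could be expressed as a FreeRADIUS 3.x unlang `post-auth` policy for the virtual server that authenticates the user (for PEAP/TTLS that is inner-tunnel, with the tunnelled reply copied outward). Assumptions: the `sql` module is configured and the privileged group's `radgroupreply` rows already set `Tunnel-Private-Group-Id` to "2"; a table `approved_devices(mac)` stores MACs as `AA-BB-CC-DD-EE-FF`; the MAC arrives in `Calling-Station-Id`; the stock `rewrite_calling_station_id` policy (policy.d/canonicalization) is available. Because the MAC is reported by the client, this gates convenience, not identity; a spoofed MAC still passes, so it complements rather than replaces the user credential.

```unlang
post-auth {
    # Runs after the sql module has added the group's reply attributes in
    # authorize. Assumed group policy: the privileged group's radgroupreply
    # sets Tunnel-Private-Group-Id := "2"; everyone else ends up on "1".

    # Canonicalise the NAS-supplied MAC (vendors send aa:bb:.., aabb.ccdd.eeff,
    # AA-BB-.. etc.) so a single table format matches every NAS.
    rewrite_calling_station_id

    # Only users whose group entitles them to VLAN 2 need the device check.
    if (&reply:Tunnel-Private-Group-Id == "2") {

        # The sql xlat returns the first column of the first row, or "" when
        # nothing matches. Attribute expansions inside %{sql:...} are escaped by
        # rlm_sql, so a hostile Calling-Station-Id cannot alter the query.
        # Table and column names are assumptions for this example.
        if ("%{sql:SELECT 1 FROM approved_devices WHERE mac = '%{Calling-Station-Id}'}" != "1") {

            # Variant 2 from the post: the user asked for the privileged VLAN
            # explicitly via a ".privileged" suffix (stripped for authentication
            # by a hints entry such as:
            #   DEFAULT Suffix == ".privileged", Strip-User-Name = Yes
            # ), so an unapproved device is rejected outright, not downgraded.
            if (&User-Name =~ /\.privileged$/i) {
                update reply {
                    &Reply-Message := "Device not approved for the privileged VLAN"
                }
                reject
            }

            # Variant 1 from the post: silently fall back to the general VLAN.
            update reply {
                &Tunnel-Type := VLAN
                &Tunnel-Medium-Type := IEEE-802
                &Tunnel-Private-Group-Id := "1"
            }
        }
    }
}
```

Logging `Calling-Station-Id` alongside the chosen VLAN in `post-auth` (for example via `linelog` or the sql `postauth` table) gives the audit trail needed to spot a device that suddenly claims an approved MAC from a new location.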

