User + Device Authentication to Specific Network

Alan DeKok aland at deployingradius.com
Sat Jun 8 09:24:27 CEST 2019


On Jun 7, 2019, at 3:06 PM, Duncan X Simpson <virtualdxs at gmail.com> wrote:
> I have a FreeRADIUS server with a SQL backend. It's running authentication
> for an 802.1X wifi network, and soon our VPN. Currently, when somebody logs
> in it drops them on our main VLAN (not retrieved from RADIUS yet; set
> statically on the NAS). I have set up groups that will be tied to VLANs,
> but I would like to increase security by doing this:
> 
> User has permissions to access either VLAN 1 or 2, 2 being a privileged
> VLAN, but only pre-approved devices are allowed on VLAN2. There is a list
> (ideally in SQL) of MAC addresses of these devices.
> 
> - User successfully authenticates as user
> - FreeRADIUS does not find the MAC address of the client in the list
> - User gets dropped onto VLAN 1
> 
> - User successfully authenticates as user
> - FreeRADIUS finds the MAC address of the client in the list
> - User gets dropped onto VLAN 2

  That should be pretty simple.  Put the MAC addresses into a database, and have FreeRADIUS check the database.

	# VLAN is signalled to the NAS with Tunnel-Type := VLAN, Tunnel-Medium-Type := IEEE-802 and Tunnel-Private-Group-Id
	if ("%{sql:SELECT MAC FROM known_macs WHERE MAC = '%{Calling-Station-Id}'}") {
		update reply {
			Tunnel-Private-Group-Id := "2"
		}
	}
	else {
		update reply {
			Tunnel-Private-Group-Id := "1"
		}
	}

  You'll have to create your own table, and do some more tests.  But that's the basic idea.

> It would also work if the user needed to add a suffix, say .privileged, in
> order to get to VLAN2 (a la hints file) and it rejected them entirely
> rather than dropping them on VLAN1 if they provided that but the device
> wasn't authorized.

  Mangling the user name is usually a bad idea.

  Alan DeKok.
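The decision described in this thread, written out as an added, self-contained example (not FreeRADIUS code and not the list poster's configuration): the `known_macs` table is an assumed name, it is modelled with an in-memory SQLite database standing in for the SQL backend, and the sample MAC addresses are constructed. It goes slightly beyond the snippet above by normalizing the NAS-supplied `Calling-Station-Id`, which different NAS vendors send as `00-11-22-33-44-55`, `00:11:22:33:44:55`, `0011.2233.4455` or `001122334455`, so that the lookup does not silently fail and drop an approved device onto VLAN 1. The reply attributes use the RFC 3580 values for VLAN assignment. Note that `Calling-Station-Id` is whatever MAC the client presented, so this is a device allowlist check, not proof of device identity.

```python
import re
import sqlite3
from typing import Dict, Iterable, Optional

# RFC 2868 / RFC 3580 values the NAS expects in the Access-Accept
TUNNEL_TYPE_VLAN = 13
TUNNEL_MEDIUM_TYPE_IEEE_802 = 6

PRIVILEGED_VLAN = "2"
DEFAULT_VLAN = "1"


def normalize_mac(calling_station_id: str) -> Optional[str]:
    """Reduce a NAS-supplied Calling-Station-Id to 12 upper-case hex digits.

    Accepts the common separator styles (-, :, .) or none at all.
    Returns None for anything that is not a plausible MAC address.
    """
    digits = re.sub(r"[-:.]", "", calling_station_id.strip()).upper()
    if re.fullmatch(r"[0-9A-F]{12}", digits):
        return digits
    return None


def build_known_macs(conn: sqlite3.Connection, approved: Iterable[str]) -> None:
    """Create the assumed known_macs table and load the pre-approved devices.

    MACs are stored in normalized form so that lookups are format-independent.
    """
    conn.execute("CREATE TABLE known_macs (mac TEXT PRIMARY KEY)")
    rows = []
    for entry in approved:
        mac = normalize_mac(entry)
        if mac is None:
            raise ValueError(f"not a MAC address: {entry!r}")
        rows.append((mac,))
    conn.executemany("INSERT INTO known_macs (mac) VALUES (?)", rows)
    conn.commit()


def device_is_known(conn: sqlite3.Connection, calling_station_id: str) -> bool:
    """Mirror of the SELECT in the unlang snippet, with a parameterized query."""
    mac = normalize_mac(calling_station_id)
    if mac is None:
        return False
    row = conn.execute("SELECT mac FROM known_macs WHERE mac = ?", (mac,)).fetchone()
    return row is not None


def vlan_reply(conn: sqlite3.Connection, calling_station_id: str) -> Dict[str, object]:
    """Reply attributes to add after a successful user authentication.

    Approved device -> privileged VLAN 2, anything else -> VLAN 1.
    """
    vlan = PRIVILEGED_VLAN if device_is_known(conn, calling_station_id) else DEFAULT_VLAN
    return {
        "Tunnel-Type": TUNNEL_TYPE_VLAN,
        "Tunnel-Medium-Type": TUNNEL_MEDIUM_TYPE_IEEE_802,
        "Tunnel-Private-Group-Id": vlan,
    }


def make_demo_db() -> sqlite3.Connection:
    """Constructed sample allowlist: one approved device, entered in dash style."""
    conn = sqlite3.connect(":memory:")
    build_known_macs(conn, ["00-11-22-33-44-55"])
    return conn


if __name__ == "__main__":
    db = make_demo_db()
    # Same device reported in Cisco dotted style still lands on VLAN 2
    for csid in ("0011.2233.4455", "00:11:22:33:44:56", "not-a-mac"):
        print(csid, "->", vlan_reply(db, csid)["Tunnel-Private-Group-Id"])
```

The normalization is the part worth carrying over to the real configuration: either store MACs in the table in the exact shape the NAS sends them, or normalize `Calling-Station-Id` before the SQL lookup, but do not mix styles, or approved devices will quietly end up on VLAN 1.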




More information about the Freeradius-Users mailing list