802.1x/iPSK DB access delegation.

Alan DeKok aland at deployingradius.com
Wed Dec 29 15:17:15 CET 2021


On Dec 29, 2021, at 3:35 AM, Alex Zetaeffesse <fzetafs at gmail.com> wrote:
> I have used FreeRADIUS with its 2.0 version for my home project a few years
> back. Now I'm in charge of providing wireless access in an environment with
> a few small companies.

  It would be best to upgrade to v3.  It not only has more features; v2 is also EOL, with no more bug fixes or security fixes.

> Problems come with non-smart devices that still use PSK; I know iPSK helps
> a lot, but I don't know how to delegate the management of MAC addresses. I'm
> not taking into account a text file to manage them; can we use a DB for
> iPSK too?

  Sure.  Why not?

> And related to the DB is there a way to manage iPSK devices in
> this way? Just one table and a value specific to each company and small web
> interface that will handle only fields specific to each company?

  It depends on what you want to do, and what limitations the NAS has.

  iPSK authentication is pretty much just MAC authentication, which returns a Tunnel-Password attribute to the NAS:

https://documentation.meraki.com/MR/Encryption_and_Authentication/IPSK_with_RADIUS_Authentication

  So you can put the MAC address into a DB, just like you do with normal users.

  The difficulty is that normal users come in with User-Name like "user@example.com".  MAC addresses don't have a company name associated with them.

  You're likely going to have to create a custom table here, with "MAC, tunnel password, company" as columns.  You can create a web interface which gives each company a view on that table.  And every time a company adds a MAC address, the system *also* adds the company name automatically.

  FreeRADIUS doesn't need the company name (unless you use it for VLAN assignment), but you'll need to track the company name for the web administration system.

  You probably don't want a separate table for each company, because then FreeRADIUS would have to query each table in turn to see if the MAC is in that table.

  Alan DeKok.
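As an added illustration (not code from the post or from FreeRADIUS itself), the single shared "MAC, tunnel password, company" table described above, with a lookup that mirrors what the sql module's query would do for an iPSK request. The table name, column names, sample rows and the optional per-row VLAN are assumptions; an unknown MAC yields no reply attributes, which is the case the server should reject.

```python
import re
import sqlite3
from typing import Optional

# Constructed sample schema: one table for every company's iPSK devices,
# with the owning company stored on each row so a web UI can filter by it.
SCHEMA = """
CREATE TABLE ipsk_devices (
    mac      TEXT PRIMARY KEY,   -- normalised: lowercase hex, no separators
    psk      TEXT NOT NULL,      -- returned to the NAS as Tunnel-Password
    company  TEXT NOT NULL,      -- owner, used by the admin UI for delegation
    vlan     INTEGER             -- hypothetical per-company VLAN, may be NULL
);
"""
SAMPLE_ROWS = [  # constructed sample data
    ("aabbccddeeff", "acme-printer-psk", "acme", 110),
    ("001122334455", "globex-sensor-psk", "globex", None),
]

def normalise_mac(raw: str) -> str:
    """Accept 'AA:BB:CC:DD:EE:FF', 'aa-bb-cc-dd-ee-ff', 'aabb.ccdd.eeff' or
    bare hex, since different NAS vendors format the MAC differently."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", raw).lower()
    if len(hexdigits) != 12:
        raise ValueError(f"not a MAC address: {raw!r}")
    return hexdigits

def open_db() -> sqlite3.Connection:
    """In-memory database loaded with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO ipsk_devices VALUES (?, ?, ?, ?)", SAMPLE_ROWS)
    return conn

def ipsk_authorize(conn: sqlite3.Connection, user_name: str) -> Optional[dict]:
    """Look the MAC (sent as User-Name) up in the single table and build the
    reply attributes. Returns None when the MAC is unknown -> reject."""
    row = conn.execute(
        "SELECT psk, company, vlan FROM ipsk_devices WHERE mac = ?",
        (normalise_mac(user_name),),
    ).fetchone()
    if row is None:
        return None
    psk, company, vlan = row
    reply = {"Tunnel-Password": psk}
    if vlan is not None:  # the only place the company's data affects RADIUS
        reply.update({"Tunnel-Type": "VLAN",
                      "Tunnel-Medium-Type": "IEEE-802",
                      "Tunnel-Private-Group-Id": str(vlan)})
    return reply
```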