802.1x/iPSK DB access delegation.

Alex Zetaeffesse fzetafs at gmail.com
Wed Dec 29 16:15:50 CET 2021

Thanks Alan,

On Wed, Dec 29, 2021 at 3:17 PM Alan DeKok <aland at deployingradius.com> wrote:

> On Dec 29, 2021, at 3:35 AM, Alex Zetaeffesse <fzetafs at gmail.com> wrote:
> > I have used Freeradius with its 2.0 version for my home project a few years
> > back. Now I'm in charge of providing wireless access in an environment with
> > a few small companies.
>   It would be best to upgrade to v3.  It not only has more features; v2 is
> EOL, with no more bug fixes or security fixes.

Indeed, I didn't mention it but of course that's the way to go.

> > Problems come with non-smart devices that still use PSK; I know iPSK helps
> > a lot but I don't know how to delegate the management of MAC addresses. I'm
> > not taking into account a text file to manage them; can we use a DB for
> > iPSK too?
>   Sure.  Why not?
> > And related to the DB is there a way to manage iPSK devices in
> > this way? Just one table and a value specific to each company and small web
> > interface that will handle only fields specific to each company?
>   It depends on what you want to do, and what limitations the NAS has.

I'm doing some tests with the vWLC 9800 and a couple of 3700 APs.

>   iPSK authentication is pretty much just MAC authentication, which
> returns a Tunnel-Password attribute to the NAS:
> https://documentation.meraki.com/MR/Encryption_and_Authentication/IPSK_with_RADIUS_Authentication
>    So you can put the MAC address into a DB, just like you do with normal
> users.
>    The difficulty is that normal users come in with User-Name like
> "user at example.com".  MAC addresses don't have a company name associated
> with them.
>    You're likely going to have to create a custom table here, with "MAC,
> tunnel password, company" as columns.  You can create a web interface which
> gives each company a view on that table.  And every time a company adds a
> MAC address, the system *also* adds the company name automatically.

Exactly, I would return the VLAN attribute too in order to guarantee
privacy among the companies.

>   FreeRADIUS doesn't need the company name (unless you use it for VLAN
> assignment), but you'll need to track the company name for the web
> administration system.

Of course, I'll define an admin for each company in charge of administering
802.1x capable and non-capable devices and grant access to him/her to the
web GUI.

>   You probably don't want a separate table for each company.  Because then
> FreeRADIUS would have to query each table in turn to see if the MAC is in
> that table.

I didn't know FR could query different sources of
authentication/authorization sequentially (especially if tables are on
different servers) but I guess that would introduce a lag in the response
time back to the NAS.
Maybe a SQL proxy (that's on my side)? Then the first reply would be
served. And uh by writing this I realized I could expose the service to a
potential DoS for specific MAC addresses.
Ok, much better a single table in a single DB where checks before storing a
record can be done simply and quickly!

>   Alan DeKok.
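The single shared table Alan describes (MAC, tunnel password, company, plus the VLAN I want to return), modelled as an added Python/sqlite example that is not from the thread or from FreeRADIUS itself: it shows the insert path the per-company web GUI would take (company filled in automatically, MAC normalised and checked before storing, a MAC already claimed by another company rejected) and the lookup that must produce the reply attributes. The table and column names are my assumptions; the attribute names are the standard FreeRADIUS dictionary ones.

```python
import re
import sqlite3

# Constructed schema (assumed names, not FreeRADIUS's default radcheck/radreply).
# PRIMARY KEY on the normalised MAC means one MAC belongs to exactly one company.
SCHEMA = """
CREATE TABLE ipsk_devices (
    mac             TEXT PRIMARY KEY,
    tunnel_password TEXT NOT NULL,
    company         TEXT NOT NULL,
    vlan            INTEGER NOT NULL
);
"""

def normalise_mac(raw):
    """Canonicalise the MAC formats a NAS may send (aa:bb:..., AA-BB-..., aabb.ccdd.eeff)."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", raw).lower()
    if len(hexdigits) != 12:
        raise ValueError(f"not a MAC address: {raw!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))

def add_device(db, company, raw_mac, psk, vlan):
    """Web-GUI insert: company comes from the admin's session, never from the form."""
    if not 8 <= len(psk) <= 63:          # WPA2 passphrase length limits
        raise ValueError("passphrase must be 8-63 characters")
    db.execute("INSERT INTO ipsk_devices (mac, tunnel_password, company, vlan) "
               "VALUES (?, ?, ?, ?)", (normalise_mac(raw_mac), psk, company, vlan))
    db.commit()

def authorize(db, calling_station_id):
    """The lookup rlm_sql must perform: reply attributes for a known MAC, else None (reject)."""
    row = db.execute("SELECT tunnel_password, vlan FROM ipsk_devices WHERE mac = ?",
                     (normalise_mac(calling_station_id),)).fetchone()
    if row is None:
        return None
    psk, vlan = row
    return {"Tunnel-Password": psk,
            "Tunnel-Type": "VLAN",
            "Tunnel-Medium-Type": "IEEE-802",
            "Tunnel-Private-Group-Id": str(vlan)}

def demo():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    add_device(db, "company-a", "AA-BB-CC-00-11-22", "company-a-secret", 110)
    try:  # company-b's admin tries to register the same MAC in Cisco dotted form
        add_device(db, "company-b", "aabb.cc00.1122", "other-secret", 120)
        clash = False
    except sqlite3.IntegrityError:
        clash = True
    return authorize(db, "aa:bb:cc:00:11:22"), authorize(db, "aa:bb:cc:00:11:23"), clash
```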



More information about the Freeradius-Users mailing list