802.1x/iPSK DB access delegation.
fzetafs at gmail.com
Wed Dec 29 16:15:50 CET 2021
On Wed, Dec 29, 2021 at 3:17 PM Alan DeKok <aland at deployingradius.com>
> On Dec 29, 2021, at 3:35 AM, Alex Zetaeffesse <fzetafs at gmail.com> wrote:
> > I have used Freeradius with its 2.0 version for my home project few years
> > back, Now I'm in charge of providing wireless access in an environment
> > a few small companies.
> It would be best to upgrade to v3. It not only has more features, v2 is
> EOL, with no more bug fixes or security fixes.
Indeed, I didn't mention it but of course that's the way to go.
> > Problems come with non smart devices that still use PSK; I know iPSK
> > a lot but I don't know how to delegate the management of MAC addresses.
> > not taking into account a text file to manage them; can we use a DB for
> > iPSK too?
> Sure. Why not?
> > And related to the DB is there a way to manage iPSK devices in
> > this way? Just one table and a value specific to each company and small
> > interface that will handle only fields specific to each company?
> It depends on what you want to do, and what limitations the NAS has.
I'm doing some tests with the vWLC 9800 and a couple of 3700 APs.
> iPSK authentication is pretty much just MAC authentication, which
> returns a Tunnel-Password attribute to the NAS:
> So you can put the MAC address into a DB, just like you do with normal
> The difficulty is that normal users come in with User-Name like "
> user at example.com". MAC addresses don't have a company name associated
> with them.
> You're likely going to have to create a custom table here, with "MAC,
> tunnel password, company" as columns. You can create a web interface which
> gives each company a view on that table. And every time a company adds a
> MAC address, the system *also* adds the company name automatically.
Exactly, I would return the VLAN attribute too in order to guarantee
privacy among the companies.
> FreeRADIUS doesn't need the company name, (unless you use it for VLAN
> assignment), But you'll need to track the company name for the web
> administration system.
Of course, I'll define an admin for each company in charge of administering
802.1x capable and non-capable devices and grant access to him/her to the
> You probably don't want a separate table for each company. Because then
> FreeRADIUS would have to query each table in turn to see if the MAC is in
> that table.
I didn't know FR could query different sources of
authentication/authorization sequentially (especially if tables are on
different servers) but I guess that would introduce a lag in the response
time back to the NAS
Maybe a SQL proxy (that's on my side)? Then the first reply would be
served. And uh by writing this I realized I could expose the service to a
potential DoS for specific MAC addresses.
Ok, much better a single table in a single DB where checks before storing a
record can be done simply and quickly!
> Alan DeKok.
More information about the Freeradius-Users