Hi all, I have succumbed and purchased the RADIUS book from O'Reilly, but it'll be a few days in coming so I'm going to have to bug you all again.

I'm still having problems understanding if I can allow some users access to some equipment and others to other kit. I thought I could do it but I'm having real problems, probably with my lack of understanding...

I have a wireless LAN switch which has access points (APs) connected to it. When a laptop first connects to an AP, that AP sends a RADIUS request through the WLAN switch to the RADIUS server, passing the MAC address of the laptop as the User-Name and also as the User-Password. I have a simple flat file with all the allowed MAC addresses in it, and the passwd module is being used to verify that the MAC address is in that flat file. This works well.

Now, because the WLAN switch is configured to use RADIUS to authenticate laptops, it also uses it to authenticate logins to the switch itself; I haven't found a way around this and don't think there is one. This means that you can gain access to the WLAN switch by using the MAC address of your laptop as the user name and password, albeit with fairly high restrictions on what you can do. This is a security problem for two reasons:

1. Obviously anyone figuring this out can gain access to kit they should not have access to (there are other ways of stopping this, but you'll excuse me if I don't mention them here).

2. The proper administrators, and the default administration login itself, have to be put into the flat file I mentioned above to allow the administrators access to the switch. The switch won't use its own internal user and password list. This causes another security breach, as we would have to leave administrator logins and passwords lying around in flat files, which is extremely insecure and just begging to be broken.

I have been trying to get administrator access to authenticate via the Unix module, since the RADIUS server is on a Linux box. Alas, I have been unable to get this to work.

Investigation reveals that when the AP passes the RADIUS request in, the request sets 'NAS-Port-Type = Wireless-802.11' and the NAS-Port-ID to the correct port value, while when the switch requests a login to be authenticated the request contains 'NAS-Port-Type = Virtual', and doesn't have the NAS-Port-ID or NAS-Identifier parameters set. So, it seems I have lots of information to help me define if a RADIUS request is coming from an access point (which requires MAC address validation) or from the switch (which requires login username and password validation), but I can't find a way of verifying via the passwd OR Unix module, only via both. Is what I am after possible, or do I just not understand the way RADIUS servers work?

|\/|artin
--
Senior Network Administrator, NEC (Europe) Ltd.
Acton extension: 3379  NEC*Net: 800-44-21-3379
Direct: +44 20 8752 3379  Fax: +44 20 8752 3389  Mobile: +44 7721 869 356

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
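One way to do the per-request dispatch the question asks about, as an added example that is not part of the original post and not a FreeRADIUS default: it uses FreeRADIUS 3.x unlang (newer than the version the post would have been running), assumes the existing flat-file lookup is an rlm_passwd instance named `mac_list` that adds a password check attribute for the MAC, assumes MAC addresses are written as twelve hex digits with optional `:` or `-` separators, and assumes radiusd can read /etc/shadow for the `unix` module.

```unlang
# Added example: route each request to exactly one backend, keyed on the
# NAS-Port-Type values observed in the post. Hypothetical instance name
# "mac_list" stands for the poster's rlm_passwd flat-file module.
authorize {
    preprocess

    if (&NAS-Port-Type == Wireless-802.11) {
        # Request relayed from an AP: the MAC address is the credential.
        # Only the flat file is consulted; system accounts are never tried.
        mac_list
        if (notfound) {
            reject
        }
    }
    elsif (&NAS-Port-Type == Virtual) {
        # Management login to the switch itself: only system accounts.
        # A User-Name that looks like a bare MAC address is refused outright,
        # so a laptop's MAC can no longer open a switch session.
        # (Assumed MAC spelling: 12 hex digits, optional ':' or '-' separators.)
        if (&User-Name =~ /^([0-9a-f]{2}[:-]?){5}[0-9a-f]{2}$/i) {
            reject
        }
        # rlm_unix adds Crypt-Password from /etc/shadow to the control list,
        # so administrator passwords never have to live in the MAC file.
        unix
        if (notfound) {
            reject
        }
    }
    else {
        # No NAS-Port-Type, or an unexpected one: deny rather than letting the
        # request fall through to both modules.
        reject
    }

    # pap sets Auth-Type := PAP when a known password attribute is present,
    # whichever branch above supplied it.
    pap
}

authenticate {
    Auth-Type PAP {
        pap
    }
}
```

Run `radiusd -X` and send one request of each kind with `radtest` to confirm that only the intended branch is logged for each NAS-Port-Type.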

