[EMAIL PROTECTED] wrote:
> I have a wireless LAN switch which has access points ( APs ) connected to
> it. When a laptop first connects to an AP that AP sends a RADIUS request
> through the WLAN switch to the RADIUS server, passing the MAC address of
> the laptop as the User-Name and also as the User-Password. I have a simple
> flat file with all the allowed MAC addresses in it, and the passwd module
> is being used to verify that the MAC address is in that flat file. This
> works well.

  OK...

> Now because the WLAN switch is configured to use RADIUS to authenticate
> laptops, it also uses it to authenticate logins to the switch itself. I
> haven't found a way around this and don't think there is one.

  The "access point login" packets will be different from the "mac
address login" packets.  Use those differences as a key to decide when
to allow MAC address authentication.

> 2. The proper administrators, and the default administration login itself,
> have to be put in to the flat file I mentioned above to allow the
> administrators access to the switch. The switch won't use its own internal
> user and password list. This causes another security breach as we would
> have to leave administrator logins and passwords lying around in flat
> files, which is extremely insecure and just begging to be broken.

  So use crypt'd passwords in FreeRADIUS.

> Investigation reveals that when the AP passes the RADIUS request in, the
> request sets 'NAS-Port-Type = Wireless-802.11' and the NAS-Port-ID to the
> correct port value, while when the switch requests a login to be
> authenticated the request contains 'NAS-Port-Type = Virtual', and doesn't
> have the NAS-Port-ID or NAS-Identifier parameters set.

  There you go.

> So, it seems I have lots of information to help me define if a RADIUS
> request is coming from an access point (which requires MAC address
> validation) or from the switch (which requires login username and password
> validation), but I can't find a way of verifying via passwd OR Unix module,
> only via both.

  See doc/Autz-Type

  In the "users" file, do:

DEFAULT  NAS-Port-Type == Virtual, Auth-Type := System

DEFAULT  NAS-Port-Type == Wireless-802.11, Autz-Type := bar

DEFAULT  Auth-Type := Reject

  Then in radiusd.conf, "authorize" section, add at the bottom:

  Autz-type bar {
            passwd
  }

  And it should work.

> Is what I am after possible, or do I just not understand the way RADIUS
> servers work?

  It's possible.  You've described the problem and the information you
have well.  All you need is pointers to the docs & sample configurations.

  Alan DeKok.
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
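An added illustration, not part of the thread and not FreeRADIUS's own code: a small Python model of the three DEFAULT entries suggested above, dispatching on NAS-Port-Type to either the MAC flat file or a crypt'd admin store. The MAC list, the admin entry, the sample requests and the salted SHA-256 helper (standing in for crypt'd passwords) are all constructed for this example.

```python
import hashlib
import hmac

# Constructed stand-ins for the two stores in the thread: the flat file of
# allowed MAC addresses (passwd module) and a crypt'd admin password store
# consulted for Auth-Type := System. Values are made up for this example.
ALLOWED_MACS = {"00-11-22-33-44-55", "66-77-88-99-aa-bb"}

def _hash(salt: str, password: str) -> str:
    # Salted SHA-256 stands in for crypt(3); the real server uses crypt'd hashes.
    return hashlib.sha256((salt + password).encode()).hexdigest()

ADMIN_USERS = {"admin": ("s4lt", _hash("s4lt", "correct-horse"))}

def check_mac(req: dict) -> bool:
    # Autz-Type bar -> passwd module: MAC must be listed and sent as both
    # User-Name and User-Password, as the access points do.
    name = req.get("User-Name", "")
    return name in ALLOWED_MACS and req.get("User-Password") == name

def check_system(req: dict) -> bool:
    # Auth-Type := System: verify against the crypt'd admin store only.
    entry = ADMIN_USERS.get(req.get("User-Name", ""))
    if entry is None:
        return False
    salt, stored = entry
    return hmac.compare_digest(stored, _hash(salt, req.get("User-Password", "")))

# The three DEFAULT entries from the users file, in order. First match wins,
# since none of them sets Fall-Through = Yes.
USERS_FILE = [
    ({"NAS-Port-Type": "Virtual"}, check_system),
    ({"NAS-Port-Type": "Wireless-802.11"}, check_mac),
    ({}, lambda req: False),  # DEFAULT Auth-Type := Reject
]

def authorize(req: dict) -> str:
    for conditions, handler in USERS_FILE:
        if all(req.get(k) == v for k, v in conditions.items()):
            return "Access-Accept" if handler(req) else "Access-Reject"
    return "Access-Reject"

# Constructed requests carrying the attributes the original poster observed.
AP_REQUEST = {"NAS-Port-Type": "Wireless-802.11", "NAS-Port-Id": "3",
              "User-Name": "00-11-22-33-44-55", "User-Password": "00-11-22-33-44-55"}
SWITCH_LOGIN = {"NAS-Port-Type": "Virtual", "User-Name": "admin",
                "User-Password": "correct-horse"}
# A listed MAC arriving on a Virtual port is rejected: only the admin store applies.
MAC_VIA_VIRTUAL = {"NAS-Port-Type": "Virtual", "User-Name": "00-11-22-33-44-55",
                   "User-Password": "00-11-22-33-44-55"}
```

Reordering the entries or dropping the final DEFAULT Auth-Type := Reject changes which requests fall through, which the first-match loop makes visible.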