Jóhann B. Guðmundsson wrote:

Is it possible to quarantine a system by placing it in different vlan
by OpenRadius?

If so can somebody guide me on the steps that can be tried.

The situation is like this:
System already having an IP address, but found to be infected with a
virus-worm.
So it needs to be quarantined automatically.


I think the best way to tackle this would be mac auth,
and I don't think it's very smart to put the machine into "quarantine"; just contact the person who's responsible for the machine and tell him to wipe it instead of having a vlan full of infected machines...

Phil Mayers gave a good sample on how to do this:

Interestingly enough, the reason I even know about rlm_passwd is that way back in the mists of time Alan DeKok gave me an extremely comprehensive answer to a similar query.

You'll face two issues kicking people into a "quarantine":

1. The quarantine vlan almost certainly is not the same vlan number on all your NASes (if it is, you have a simple network and can skip some of the following)

2. Once you have decided to "kick" a user, you need to make the NAS (switch) re-query for the vlan info *and* get the person's computer to somehow re-get a DHCP lease.

The architecture I'm planning to deploy is as follows

/etc/raddb/nas2location:

10.1.1.1:loc1
10.2.1.1:loc2

/etc/raddb/mac2zone:

00:11:22:33:44:55,OK
aa:bb:cc:dd:ee:ff,BANNED

/etc/raddb/radiusd.conf (partial!):

modules {
  passwd nas2location {
    filename = /etc/raddb/nas2location
    format = "*NAS-IP-Address:~MyLocationAttribute"
    hashsize = 100
  }
  passwd mac2zone {
    filename = /etc/raddb/mac2zone
    format = "*Calling-Station-Id:~MyZoneAttribute"
    hashsize = 100
  }
}

authorize {
  preprocess
  nas2location
  mac2zone
  users
}

/etc/raddb/users:

# only do the following for ethernet - maybe wireless?
DEFAULT NAS-Port-Type != Ethernet
        Fall-Through = No

# Avoid duplication
DEFAULT 
        Tunnel-Type = VLAN,
        Tunnel-Medium-Type = IEEE-802,
        Fall-Through = yes

DEFAULT MyLocationAttribute == "loc1", MyZoneAttribute == "BANNED"
        Tunnel-Private-Group-Id = "31"

DEFAULT MyLocationAttribute == "loc2", MyZoneAttribute == "BANNED"
        Tunnel-Private-Group-Id = "32"

DEFAULT MyLocationAttribute == "loc1", MyZoneAttribute == "OK"
        Tunnel-Private-Group-Id = "21"

DEFAULT MyLocationAttribute == "loc2", MyZoneAttribute == "OK"
        Tunnel-Private-Group-Id = "22"


Obviously I recommend you automatically generate all that and HUP the radius server when reloading *or* use SQL or LDAP or some other dynamic lookup (you could use an Exec-* but I was concerned about performance).

Once you decide to ban a user you need a way to kick him/her off so the edge switch will re-get the vlan ID and their PC will re-get an IP address. On wired ethernet, I recommend seeing if your switches will let you SNMP "set" the following OID:

ifMauAutoNegRestart.$ifIndex.$ifMauIndex = integer(1)

...if it does (e.g. 3com 4400s do) then the link will go down as autoneg restarts, and the mac-based vlans will be re-fetched, *and* windows will re-get DHCP lease.

Obviously you will need to keep track of which MAC address is on which switch and ifIndex, but you should be able to add logging to the above configuration to keep that state.

Finally, of course, your NASes (switches) will need to support MAC-based vlans via Radius.

Basically, yes you can do it if your NAS supports it, but you can expect to spend some SERIOUS time making it work well.

I hope that helps.
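The lookup and VLAN-selection logic of the configuration above, as an added Python example (not from the original post or from FreeRADIUS itself); it assumes the two lookup files and VLAN numbers shown and adds a Calling-Station-Id normalization step the post does not have:

```python
# Added example, not code from the original post or from FreeRADIUS: a plain
# Python model of the nas2location/mac2zone lookups and of the DEFAULT entries
# in the users file above, so the VLAN policy can be checked offline before the
# generated files are loaded. Lookup data and VLAN numbers are from the post.

NAS2LOCATION = "10.1.1.1:loc1\n10.2.1.1:loc2\n"
MAC2ZONE = "00:11:22:33:44:55,OK\naa:bb:cc:dd:ee:ff,BANNED\n"

# (MyLocationAttribute, MyZoneAttribute) -> Tunnel-Private-Group-Id
VLAN_TABLE = {
    ("loc1", "BANNED"): "31", ("loc2", "BANNED"): "32",
    ("loc1", "OK"): "21", ("loc2", "OK"): "22",
}

def normalize_mac(calling_station_id):
    """Switches send Calling-Station-Id in several shapes (00-11-22-33-44-55,
    0011.2233.4455, upper case); fold them to the aa:bb:cc:dd:ee:ff form used
    in mac2zone so a banned MAC is not missed by an exact-string lookup."""
    digits = "".join(c for c in calling_station_id.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError("not a MAC address: %r" % calling_station_id)
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def load_passwd(text, delimiter):
    """Parse a two-field rlm_passwd style file into {key: value}."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition(delimiter)
            table[key.strip()] = value.strip()
    return table

def authorize(nas_ip, calling_station_id, nas_port_type="Ethernet"):
    """Return the reply attributes the users file above would produce."""
    if nas_port_type != "Ethernet":   # first DEFAULT entry: Fall-Through = No
        return {}
    # second DEFAULT entry: Tunnel-Type/Medium-Type for every Ethernet request
    reply = {"Tunnel-Type": "VLAN", "Tunnel-Medium-Type": "IEEE-802"}
    location = load_passwd(NAS2LOCATION, ":").get(nas_ip)
    zone = load_passwd(MAC2ZONE, ",").get(normalize_mac(calling_station_id))
    vlan = VLAN_TABLE.get((location, zone))
    if vlan is not None:              # one of the four location/zone entries
        reply["Tunnel-Private-Group-Id"] = vlan
    return reply       # unknown MAC or NAS: no Group-Id, switch uses its default
```

Note that a request from an unknown MAC or an unlisted NAS still gets Tunnel-Type and Tunnel-Medium-Type but no Group-Id, exactly as the users file above behaves; log that case so unmapped switches are noticed rather than silently landing on the port's default VLAN.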
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
