I've got an interesting problem to try to solve and was curious if such a concept is even possible with FreeRadius.
I've got to implement MAC address filtering on a Cisco WiFi (WLC plus numerous LWAPPs) system that also requires Active Directory authentication of the user's Windows credentials plus the wireless client workstation's AD machine account. Presently I'm using Microsoft IAS on a Windows 2003 server to act as my Windows AD RADIUS server. Implementing the additional MAC address filtering isn't my idea, so please refrain from questioning why. I know it really does nothing for true security, but I'm ordered to do so by authorities above me, so I must implement this mandate just because... well, it's now become mandatory for my job. A problem is that the MAC addresses of the WiFi interfaces in all the various workstations are not always rigidly assigned to any particular laptop PC; the WiFi adapters in the set of client PCs are subject to frequent change and movement around the pool of PCs, so basically I need a simple whitelist (several hundred MAC addresses) to validate against. If the incoming MAC address on the authentication request is simply somewhere on the whitelist (anywhere within those hundreds of addresses), then I next need to authenticate the Windows AD credentials, and if they're good, and in a certain AD group, and their domain member workstation PC is in a certain machine account group, etc., etc., according to the set of remote access policies in the IAS server, then go ahead and "let 'em in".

So, can FreeRadius be set up to perform a sort of two-phase, cascaded authentication such that the Cisco WiFi controller first sends the incoming authentication Access-Request to FreeRadius, which checks a big whitelist of pre-approved MAC addresses, and if that tests good, FreeRadius then acts as a relay/proxy/RADIUS client to pass the next Active Directory authentication portion of the request off to my Windows IAS server, and if that part comes back good, reassembles all the pieces-parts back together as a completed Access-Accept message and hands it back to the Cisco wireless system to let the wireless user in, basically fooling the Cisco WiFi system into thinking that one RADIUS server handled it all?

-- View this message in context: http://freeradius.1045715.n5.nabble.com/Two-phase-pass-thru-authentication-possible-tp4492840p4492840.html
Sent from the FreeRadius - User mailing list archive at Nabble.com.
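One way to express the two phases described above in FreeRADIUS, as an added example written for this page (it is not code from the post or from the FreeRADIUS project's stock configuration). It assumes FreeRADIUS 3.x syntax; the IAS address, shared secret, realm/pool names, file paths and MAC values are placeholders.

```conf
# raddb/proxy.conf (assumed): the Windows IAS box as the home server for AD auth.
# IAS must also list this FreeRADIUS host as a RADIUS client with the same secret.
home_server ias_ad {
    type         = auth
    ipaddr       = 192.0.2.10        # placeholder: the IAS server's address
    port         = 1812
    secret       = CHANGE-ME         # placeholder shared secret
    status_check = status-server
}
home_server_pool ias_pool {
    type        = fail-over
    home_server = ias_ad
}
realm ias_ad {
    pool = ias_pool
    nostrip                          # forward DOMAIN\user to IAS unchanged
}

# raddb/mods-available/files (assumed): a second "files" instance keyed on the MAC
# instead of the user name, so the users-file syntax doubles as a MAC whitelist.
files authorized_macs {
    key      = "%{Calling-Station-Id}"
    filename = ${confdir}/authorized_macs
}

# raddb/authorized_macs (constructed sample): one entry per permitted MAC, in the
# upper-case hyphenated form produced by rewrite_calling_station_id below.
#   00-1A-2B-3C-4D-5E
#   00-1A-2B-3C-4D-5F

# raddb/sites-available/default, authorize section (excerpt)
authorize {
    preprocess
    # Normalise whatever Calling-Station-Id format the WLC sends
    # (e.g. "001a.2b3c.4d5e" or "00:1a:2b:3c:4d:5e" -> "00-1A-2B-3C-4D-5E").
    rewrite_calling_station_id
    # Phase 1: the MAC must be on the whitelist; reject before AD is consulted.
    authorized_macs
    if (!ok) {
        reject
    }
    # Phase 2: proxy the whole request (including every EAP/PEAP round trip and
    # the Access-Challenge replies) to IAS. The WLC only ever talks to this
    # server; IAS's Access-Accept, with its MS-MPPE keys and any VLAN
    # attributes, is relayed back to the WLC unchanged.
    update control {
        Proxy-To-Realm := "ias_ad"
    }
}
```

The IAS remote access policies (user group, machine account group) stay where they are; FreeRADIUS only gates on the MAC and then defers the AD decision to IAS.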

