Linux - Server: This forum is for the discussion of Linux software used in a server-related context.
I am working on a project to deploy MAC-based authentication via a RADIUS server.
The network is a "WIRED" LAN, although the users will connect to the Cisco router via a point-to-point wireless connection.
The users, the RADIUS server and the LAN interface of the router will all be connected to a switch (I hope the network layout is clear). The other interface of the router ultimately connects to the internet.
I believe I have successfully installed and configured the RADIUS server (using the radtest utility to check).
My major pain is how to configure the NAS. The NAS is a Cisco router. How do I configure the NAS to forward MAC addresses to the RADIUS server without asking for a username/password?
I saw this configuration somewhere:
! PPP logins are authenticated against the RADIUS group, unless the user is already authenticated (if-needed)
aaa authentication ppp default if-needed group radius
! network services (e.g. PPP) are authorized by RADIUS
aaa authorization network default group radius
! send interim accounting updates whenever new information arrives
aaa accounting update newinfo
! EXEC (shell) sessions: send start and stop accounting records to RADIUS
aaa accounting exec default start-stop group radius
! network sessions: the start record must be acknowledged before the session may begin
aaa accounting network default wait-start group radius
! outbound connections: send start and stop accounting records to RADIUS
aaa accounting connection default start-stop group radius
In the above, I believe I have to make changes to the configuration so that the NAS will forward MAC addresses to the RADIUS server without prompting the user for anything (i.e. username/password), but I don't know what to change or how.
PS: the RADIUS server uses MySQL as its backend. I also know that the MAC addresses of the users are stored as the username/password in the radcheck table.
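For readers following the RADIUS side of this post, the following is an added example (not the poster's setup and not FreeRADIUS's own code) of what the MySQL-backed lookup amounts to when the MAC address is stored as both username and password in radcheck. It assumes the stock FreeRADIUS radcheck/radreply column layout (id, username, attribute, op, value), uses an in-memory SQLite table with constructed sample rows in place of MySQL, and collapses into one function what the sql, pap and expiration modules do separately. Two points it shows that the thread only alludes to: different NAS vendors send the MAC in different formats, so the stored and offered values must be canonicalised to one form before comparison, and the "disconnect when the time has elapsed" requirement maps onto the standard Expiration check attribute and the Session-Timeout reply attribute. Bear in mind that a MAC address is neither secret nor hard to change, so this identifies a device rather than authenticating a person.

```python
import hmac
import re
import sqlite3
from datetime import datetime

# Constructed stand-in for the FreeRADIUS MySQL backend. The column layout
# (id, username, attribute, op, value) is the stock FreeRADIUS radcheck/radreply
# schema; every row below is made-up sample data, not anything from the thread.
SCHEMA = """
CREATE TABLE radcheck (id INTEGER PRIMARY KEY, username TEXT, attribute TEXT, op TEXT, value TEXT);
CREATE TABLE radreply (id INTEGER PRIMARY KEY, username TEXT, attribute TEXT, op TEXT, value TEXT);
"""

SAMPLE_ROWS = {
    "radcheck": [
        # The MAC is the user name and (as in the original post) also the password.
        ("00-11-22-33-44-55", "Cleartext-Password", ":=", "00-11-22-33-44-55"),
        ("00-11-22-33-44-55", "Expiration", ":=", "Jan 01 2099 00:00:00"),  # still valid
        ("66-77-88-99-aa-bb", "Cleartext-Password", ":=", "66-77-88-99-aa-bb"),
        ("66-77-88-99-aa-bb", "Expiration", ":=", "Jan 01 2000 00:00:00"),  # already lapsed
    ],
    "radreply": [
        # Session-Timeout (seconds) is the standard reply attribute that tells the NAS
        # to drop the session once the allotted time is used up.
        ("00-11-22-33-44-55", "Session-Timeout", ":=", "3600"),
    ],
}

TABLES = ("radcheck", "radreply")
_HEX12 = re.compile(r"^[0-9a-f]{12}$")


def open_db():
    """Create the in-memory database and load the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    for table in TABLES:
        conn.executemany(
            f"INSERT INTO {table} (username, attribute, op, value) VALUES (?, ?, ?, ?)",
            SAMPLE_ROWS[table],
        )
    return conn


def canonical_mac(raw):
    """Normalise the formats different NAS vendors send (aabbccddeeff, AA:BB:..,
    aa-bb-.., aabb.ccdd.eeff) to lower-case hyphenated form, or None if malformed.
    The hyphenated form is this example's choice; what matters is that the table
    and the lookup agree on one form."""
    digits = re.sub(r"[:\-.]", "", raw.strip()).lower()
    if not _HEX12.match(digits):
        return None
    return "-".join(digits[i:i + 2] for i in range(0, 12, 2))


def fetch_attrs(conn, table, username):
    """Return {attribute: (op, value)} for one user, the way the sql module reads it."""
    if table not in TABLES:
        raise ValueError(table)
    rows = conn.execute(
        f"SELECT attribute, op, value FROM {table} WHERE username = ? ORDER BY id",
        (username,),
    ).fetchall()
    return {attr: (op, value) for attr, op, value in rows}


def authorize(conn, raw_mac, password, now=None):
    """Decide Access-Accept / Access-Reject for a MAC-as-username request."""
    now = now or datetime.now()
    mac = canonical_mac(raw_mac)
    if mac is None:
        return {"code": "Access-Reject", "reason": "malformed MAC"}
    check = fetch_attrs(conn, "radcheck", mac)
    if "Cleartext-Password" not in check:
        return {"code": "Access-Reject", "reason": "unknown MAC"}
    # The NAS may send the "password" MAC in yet another format, so canonicalise it
    # too; compare_digest keeps the comparison constant-time.
    offered = canonical_mac(password) or ""
    if not hmac.compare_digest(check["Cleartext-Password"][1], offered):
        return {"code": "Access-Reject", "reason": "bad password"}
    if "Expiration" in check:
        expires = datetime.strptime(check["Expiration"][1], "%b %d %Y %H:%M:%S")
        if now >= expires:
            return {"code": "Access-Reject", "reason": "account expired"}
    reply = {attr: value for attr, (_op, value) in fetch_attrs(conn, "radreply", mac).items()}
    return {"code": "Access-Accept", "reply": reply}


if __name__ == "__main__":
    db = open_db()
    for mac in ("00:11:22:33:44:55", "66:77:88:99:AA:BB", "de:ad:be:ef:00:01"):
        print(mac, authorize(db, mac, mac))
```

Running it prints an accept with Session-Timeout for the first MAC, an "account expired" reject for the second and an "unknown MAC" reject for the third. With a real server the same rows would be inserted into the MySQL radcheck/radreply tables and the NAS would be pointed at the server as a RADIUS client; the canonicalisation step is the part people usually forget, because a rejected request often turns out to be a formatting mismatch rather than a missing row.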
If you're talking about the router doing the authentication, then that's not the device that would be doing it. 802.1x authentication is done at the lower level of the network, i.e. the wired switch or the wireless AP, not the router. Indeed, why would you want the router to control this? By the time the router can have an opinion about this, you've already got the rogue client happily chatting away on the local subnet, which presumably is not what you want. I'll admit I'm a little wet behind the ears with the possibilities, but I think that what you're probably after is DHCP snooping on the router. This watches DHCP traffic and uses the DHCP requests and offers to build a list of valid MAC addresses implicitly. If the router is being asked to route traffic from a client for which it has not seen a DHCP request, or you have not statically added the MAC as a trusted non-DHCP source, then the router can drop packets and such like. In this scenario it would be the DHCP server doing the MAC filtering, which is real simple with standard isc-dhcp. In fact you probably wouldn't want MAC filtering anyway; a secret user-class id would probably suffice... effectively it'd be a "password" for the DHCP server, albeit a very simple one.
The alternative, which you may have half got, is, as mentioned above, 802.1x, where the layer 2 network device interacts with the prospective client to authenticate themselves with either a user-level uid/pwd, a machine-level uid/pwd or a certificate. This then would go off to RADIUS and be authenticated, but it's the EAP interactions that are required here, which means an 802.1x-enabled client.
If you want background knowledge of 802.1x, Wikipedia tells you plenty, or check cisco.com, which also gives a suitable overview. The EAP interactions are done between the user PC and the switch. The switch uses a RADIUS backend to talk to the authentication servers.
Basically you seem to have, and forgive me if this is wrong, taken a number of features of a number of protocols / solutions and joined them together. I can certainly see the simplicity of your solution, but it doesn't really scale past a single network etc., so it wouldn't be a solution that would be officially created.
You might want to explain more about your motivations and requirements as opposed to your perceived solution.
My client (an ISP) desires to provide internet access to home users. They want a situation whereby only one computer is used by the home user to connect to its network.
MAC-based authentication is being considered because they want authentication and authorization to be as transparent as possible to the users. It is also desired that there be a firm and friendly disconnection of a user when his/her allotted time on the network has elapsed.
I believe I have explained the network as best I can and that you completely understand it.
Does EAP have anything to do with MAC-address authentication, and does it have to be configured on the user's PC?
Any referral to a tutorial or article would be highly appreciated.
I'm even more confused now... where does an ISP fit into this?? This is an ISP with just 254 desktop computers in a single /24 network?
How are these users connecting to the network? Am I missing some sort of dial-up connection or such like? Where are the users in relation to this router? Where does wireless come into play, if it does at all?
802.1x can be 100% transparent to an end user if you use system-level attributes; it totally depends on what kind of machines these are and your administrative access over them. I don't think you really want to pursue 802.1x though; from what I can piece together about your needs, it's a DHCP-based solution, maybe with DHCP snooping if possible.
I am using 17 D-Link DWL3200 APs in my campus Wi-Fi. These access points have a MAC filtering option, but I want to do the MAC address authentication on the RADIUS server. The access point has three options.
Can I use this access point for MAC authentication with a RADIUS server?