LinuxQuestions.org
Old 02-12-2007, 04:27 PM   #1
sholah
radius mac authentication


hello all,

i am working on a project to deploy mac-based authentication via a radius server.

the network is a "WIRED" LAN, although the users will connect to the cisco router via a point-to-point wireless connection.

the users, radius server and LAN interface of the router will all be connected to a switch (i hope the network layout is clear). The other interface of the router ultimately connects to the internet.

i believe i have successfully installed and configured the radius server (using the radtest utility to check).

my major pain is how to configure the NAS. The NAS is a cisco router. How do i configure the NAS to forward mac addresses to the radius server without asking for username/password?

i saw this configuration somewhere:

! enable the AAA subsystem on the router
aaa new-model
! authenticate PPP sessions against the RADIUS server group (skipped if already authenticated)
aaa authentication ppp default if-needed group radius
! network-level (PPP/SLIP) authorization via RADIUS
aaa authorization network default group radius
! send interim accounting updates when new information (e.g. an assigned address) is available
aaa accounting update newinfo
! accounting records for exec, network and connection sessions
aaa accounting exec default start-stop group radius
aaa accounting network default wait-start group radius
aaa accounting connection default start-stop group radius

in the above, i believe i have to make changes to the above configuration so that the NAS will forward mac addresses to the radius server without prompting the user for anything (i.e. username/password), but i don't know what and how to.

pls help, anyone.

PS: the radius server uses mysql as its backend. i also know that the mac-addresses of the users are stored as the username/password in the radcheck table.

thanks.
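As an added illustration (not code from this thread), the following models what a MAC-authenticating NAS sends to RADIUS, with the MAC as both User-Name and User-Password hidden the way radtest does it (RFC 2865 section 5.2), and how a server checks it against rows shaped like the radcheck table described above. The shared secret, MAC addresses and the RADCHECK list are constructed stand-ins; the Calling-Station-Id cross-check is an added defensive step, not something the poster's setup does.

```python
# Added example (not from the thread); all data constructed.
import hashlib, os, re
SHARED_SECRET = b"testing123"  # assumed NAS/server shared secret

def normalise_mac(raw):
    """Accept 0011.2233.4455, 00:11:22:33:44:55, 00-11-..., 001122334455."""
    digits = re.sub(r"[^0-9a-fA-F]", "", raw).lower()
    if len(digits) != 12:
        raise ValueError("not a MAC address: %r" % raw)
    return digits

def pap_hide(password, authenticator, secret=SHARED_SECRET):
    """RFC 2865 5.2: XOR each 16-byte chunk with MD5(secret + previous chunk)."""
    pw = password.ljust(-(-len(password) // 16) * 16, b"\0")
    out, prev = b"", authenticator
    for i in range(0, len(pw), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(x ^ y for x, y in zip(pw[i:i + 16], key))
        out += prev
    return out

def pap_reveal(hidden, authenticator, secret=SHARED_SECRET):
    """Inverse of pap_hide; what the server does before comparing."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        out += bytes(x ^ y for x, y in zip(hidden[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\0")

# Stand-in for the radcheck table: username and password are both the MAC.
RADCHECK = [{"username": "001122334455", "attribute": "Cleartext-Password",
             "op": ":=", "value": "001122334455"}]

def nas_access_request(mac_seen_on_port, claimed=None):
    """A MAC-auth NAS puts the MAC it saw in User-Name and User-Password;
    `claimed` models a user typing a name at a login prompt instead."""
    auth = os.urandom(16)  # Request Authenticator
    user = claimed or normalise_mac(mac_seen_on_port)
    return {"User-Name": user, "User-Password": pap_hide(user.encode(), auth),
            "Calling-Station-Id": mac_seen_on_port, "Authenticator": auth}

def radius_check(req, table=RADCHECK):
    """Reject unless User-Name is the MAC the NAS saw, then check the radcheck row."""
    user = req["User-Name"]
    if normalise_mac(req["Calling-Station-Id"]) != normalise_mac(user):
        return "Access-Reject"  # someone typed another host's MAC as a login
    password = pap_reveal(req["User-Password"], req["Authenticator"]).decode()
    for row in table:
        if row["username"] == user and row["attribute"] == "Cleartext-Password":
            return "Access-Accept" if row["value"] == password else "Access-Reject"
    return "Access-Reject"
```

Because the MAC is both the identity and the credential, anyone who can set their interface address can present it; the Calling-Station-Id check only stops a client naming a MAC it is not actually using, which is why the replies below steer towards 802.1x or DHCP-based control.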
 
Old 02-12-2007, 05:05 PM   #2
acid_kewpie
if you're talking about the router doing the authentication then that's not the device that would be doing it. 802.1x authentication is done at the lower level of the network, i.e. the wired switch or the wireless AP, not the router. indeed why would you want the router to control this? By the time the router can have an opinion about this, you've already got the rogue client happily chatting away on the local subnet, which presumably is not what you want. I'll admit i'm a little wet behind the ears with the possibilities, but i think that what you're probably after is dhcp snooping on the router. this watches dhcp traffic and uses the dhcp requests and offers to build a list of valid mac addresses implicitly. if the router is being asked to route traffic from a client who it has not seen a dhcp request go to, or you have not statically added the mac as a trusted non-dhcp source, then the router can drop packets and such like. in this scenario it would be the dhcp server doing the mac filtering, which is real simple with standard isc-dhcp. in fact you probably wouldn't want MAC filtering anyway, a secret user-class id would probably suffice... effectively it'd be a "password" for the dhcp server, albeit a very simple one.

the alternative of which you may have half got, is, as mentioned above, 802.1x, where the layer 2 network device interacts with the prospective client to authenticate themselves with either a user level uid/pwd, a machine level uid/pwd or a certificate. this then would go off to radius and be authenticated, but it's the EAP interactions that are required here, which means an 802.1x enabled client.
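An added dhcpd.conf fragment (not from this thread or its posters) showing the two ISC DHCP approaches the reply describes: a class matched on hardware address, and a class matched on an agreed user-class string acting as a simple "password". Subnet, addresses, MACs and the secret string are made-up placeholders.

```conf
# Added example (not from the thread): ISC dhcpd configuration fragment.
# Addresses, MACs and the user-class string are constructed placeholders.

# Class 1: clients matched purely on their hardware (MAC) address.
class "known-macs" {
    match hardware;
}
# subclass values are "1:" (Ethernet hardware type) followed by the MAC.
subclass "known-macs" 1:00:11:22:33:44:55;
subclass "known-macs" 1:00:11:22:33:44:66;

# Class 2: clients that send an agreed user-class string (DHCP option 77).
# This is the "very simple password" from the reply: it crosses the wire in
# clear text, so it only guards against accidental or casual joins.
class "secret-user-class" {
    match if option user-class = "example-secret";
}

subnet 192.0.2.0 netmask 255.255.255.0 {
    option routers 192.0.2.1;
    option domain-name-servers 192.0.2.1;

    # Only members of an allowed class get a lease from this pool.
    # A client can still self-assign an address; that is the gap the
    # reply's DHCP snooping on the router is meant to close.
    pool {
        range 192.0.2.100 192.0.2.200;
        allow members of "known-macs";
        allow members of "secret-user-class";
    }
}
```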
 
Old 02-13-2007, 09:19 AM   #3
sholah
hello chris,

can u tell me more about the 802.1x authentication?

are u saying that this can't work with the router?

and what and how do i configure EAP? is it on the radius or switch or both?

can u point me to an article or tutorial that would be of help to me?

thanx a lot
 
Old 02-13-2007, 09:59 AM   #4
acid_kewpie
if you want background knowledge of 802.1x, wikipedia tells you plenty, or check cisco.com which also gives a suitable overview. the EAP interactions are done between the user pc and the switch. the switch uses a radius backend to talk to the authentication servers.

basically you seem to have, and forgive me if this is wrong, taken a number of features of a number of protocols / solutions and joined them together. i can certainly see the simplicity of your solution, but it doesn't really scale past a single network etc, so wouldn't be a solution that would be officially created.

you might want to explain more about your motivations and requirements as opposed to your perceived solution.
 
Old 02-13-2007, 04:33 PM   #5
sholah
okay,

My client (an ISP) desires to provide internet access to home users. They want a situation whereby only one computer is used by the home user to connect to its network.

Mac-based authentication is considered because they want authentication and authorization to be as transparent as possible to the users. It is also desired that there would be a firm and friendly disconnection of a user when his/her time duration on the network has elapsed.

I believe i have explained the network the best i can and that u completely understand it.

Does EAP have anything to do with mac-address authentication and does it have to be configured on the user's PC?

Any referral tutorial or article would be highly appreciated.

Thanx
 
Old 02-13-2007, 05:16 PM   #6
acid_kewpie
i'm even more confused now... where does an ISP fit into this?? this is an ISP with just 254 desktop computers in a single /24 network?

How are these users connecting to the network? am i missing some sort of dial up connection or such like? where are the users in relation to this router? where does wireless come into play, if it does at all?

802.1x can be 100% transparent to an end user if you use system level attributes, totally depends on what kind of machines these are, and your administrative access over them. i don't think you really want to pursue 802.1x though, from what i can piece together about your needs, it's a dhcp based solution, maybe with dhcp snooping if possible.
 
Old 02-15-2007, 04:27 PM   #7
sholah
There is no wireless whatsoever. i already wrote about that.

It is basically a wired LAN. All the users connect to the router (the router is their gateway) via a switch.

I want to be able to control and authenticate the users before their packets are routed out via the router, and i want to authenticate them by using their mac-addresses.

Can a radius server work for a wired network? The radius server is on the LAN as well, just like the users.

If radius can work for wired authentication, can u tell me more about dhcp snooping or refer me somewhere?

Thanx
 
Old 02-16-2007, 03:07 AM   #8
acid_kewpie
well as above, 802.1x on a configured client, or dhcp snooping. as it's a cisco router, cisco.com would be the obvious point of reference.
 
Old 12-04-2011, 11:49 PM   #9
saif_kasalam
WIFI-MAC Authentication through radius

I am using 17 dlink DWL3200 APs in my campus wifi. These access points have a mac filtering option, but i want to do the mac address authentication in the radius server. the access point has three options:
disable,
accept,
reject.

Can i use this access point for mac authentication with a radius server?

Please help
Thank you
 
Old 12-05-2011, 03:04 AM   #10
acid_kewpie
please don't drag up dead threads. your question = your thread.