Linux - Server: This forum is for the discussion of Linux Software used in a server related context.
Bit of a newb to linux, total newb to FreeRADIUS (so maybe this belongs in the newbie section?).
Using CentOS 5.5, FreeRADIUS 2.1.7.
Objective is simply to be able to allow wireless clients access to my network based on their MAC address (I have about 10 WAPs around the country which I need to be able to manage user access centrally). Not interested in LDAP or dishing out keys/certificates etc.
I have been trying to follow the guide here. Sounds like it's exactly what I need but I'm not sure about a few things.
1) For each of the conf files am I supposed to be replacing everything currently existing in the respective file with what is suggested?
2) "raddb/modules/file" does not exist, so I assume I should use "raddb/modules/files"?
3) If I uncomment the line:
Code:
#rewrite_calling_station_id
under the "raddb/sites-available/default authorize{}" section, the radiusd startup gives me the following error: /etc/raddb/sites-enabled/default[69]: Failed to find module "rewrite_calling_station_id".
If anyone familiar with FreeRADIUS 2 could answer these queries I might be on the right path.
Quote:
Objective is simply to be able to allow wireless clients access to my network based on their MAC address
We're talking about MAC address check AND standard WPA2 authentication, right (PEAP or EAP-TTLS if you want to avoid certificates on the client machines)?
I've been trawling posts and guides all day to try and learn more about freeRADIUS but so much of the lingo is very new to me, so please forgive me if I come over a bit dense!
I am trying to simply have freeRADIUS check the client's MAC address against a list; if the address is listed then it allows the client to connect to the network.
I don't really need any form of user credentials, certificates, passphrases etc.
Some guides seem to imply that I have to use certificates for WPA2-Enterprise (TKIP/AES), others hint that I can achieve what I want, I'm just getting nowhere at the moment.
Quote:
Some guides seem to imply that I have to use certificates for WPA2-Enterprise (TKIP/AES), others hint that I can achieve what I want, I'm just getting nowhere at the moment.
I totally understand your doubts because I've been through this too!
As you may know, a RADIUS server like FreeRADIUS is the actual most secure way to authenticate a user trying to join a WLAN protected by WPA/WPA2 (that's why it's called Enterprise). From what I remember, RADIUS works with EAP, which allows a bunch of authentication methods. The three main ones are EAP-TLS, EAP-TTLS and PEAP.
You need at least one ID/passphrase per user for the TTLS and PEAP authentication modes, and a certificate per user for the TLS authentication mode.
In all three modes, I believe the RADIUS server has to have its certificate.
Don't worry, it wasn't clear for myself either until I spent six months working on this...
If you just want to allow machines on your WLAN with a MAC address check, then you don't need a RADIUS server. Just configure the MAC address check on your AP (Access Point) (I think every one of them can do it), and set the WPA mode to Personal (this means there will be only one password to enter the whole network, the same for everyone).
And if you don't even want the users to need a password to join the network, just disable the encryption (WPA/WPA2 or WEP) (this is something I wouldn't recommend).
I hope I understood your request, and don't hesitate to ask questions!
Yep, I think you understand my request. My problem though, is that we have about 20 WAPs around our sites and around 50~60 roaming users. No WAP we have come across (USRobotics, LinkSys or Cisco) can hold this many MAC addresses (about 20 maximum is typical), and neither do any of them allow any form of labelling (i.e.: we have no idea who a user is by simply looking at their MAC address).
When my colleague spoke to one of the manufacturers asking if they did WAPs with ~100 MAC address capacities they simply told us to look at a RADIUS server.
Ideally, we just want a situation where upon purchase of a new company laptop, as part of the configuration we just add its MAC address to the central MAC address list (like a RADIUS server), then that user can access any of the WAPs at any of our sites. Or, in another situation, if a site has a guest (i.e.: customer/supplier) we can add their MAC remotely. Trying to install a certificate onto such a laptop will be a no-go!
Our user base is 99% computer illiterate so you can imagine the existing challenges with trying to ask users for their MAC details when they arrive at various sites!
I was hoping there'd be a way to 'cheat' freeRADIUS into doing what we want, given our reasonably basic requirements.
If you can advise any other workable alternatives I would be extremely grateful!
Quote:
Ideally, we just want a situation where upon purchase of a new company laptop, as part of the configuration we just add its MAC address to the central MAC address list (like a RADIUS server), then that user can access any of the WAPs at any of our sites. Or, in another situation, if a site has a guest (i.e.: customer/supplier) we can add their MAC remotely. Trying to install a certificate onto such a laptop will be a no-go!
OK, I got it, of course deploying certificates on the whole site would be a herculean task, and asking guests to do so is not conceivable.
Quote:
If you can advise any other workable alternatives I would be extremely grateful!
The first thing that comes to my mind is why not just use your WAPs with a simple WPA2-Personal encryption (this means one password for the whole network)?
Of course the password will be spread and some people who are not allowed to join the network might be able to do it anyway, but using a MAC address check is no more secure.
Well, actually, it is a little, because it needs a bit of computer knowledge in order to change the MAC of the machine to fit another that is allowed on your network. But you might know it takes a single shell command on Linux!
Anyway, I took a look at the link you gave in your first post.
Quote:
1) For each of the conf files am I supposed to be replacing everything currently existing in the respective file with what is suggested?
No, I'm pretty sure you should just modify the section they're talking about.
What I would do, following the guide you gave:
- Optionally (I mean if you tried everything and it still doesn't work) add the rewrite_calling_station_id section at the beginning or end of raddb/policy.conf
- Add the authorized_macs section in raddb/modules/files (you were right, it's not raddb/modules/file!)
- Create the file raddb/authorized_macs and add some MACs that you want to check, with the given syntax
- Add the next modification to raddb/sites-available/default, section authorize{}. It's written that this must be placed under the eap section and above the chap section, but it doesn't make sense since the chap section is above the eap one... Try both if you suspect this might throw an error!
- Add the Auth-Type CSID section in raddb/sites-available/default, section authenticate{}
- Add the final modification to raddb/sites-available/default, section post-auth{}
- Get all this running and try to connect with the configured MAC address
Is this what you did too?
Quote:
... the radiusd startup gives me the following error:
/etc/raddb/sites-enabled/default[69]: Failed to find module "rewrite_calling_station_id".
What does radiusd say if you leave rewrite_calling_station_id commented? And what does it say when you try to connect to the WLAN?
I'll try the suggestions you have posted, but in the meantime, to address the global-password versus MAC issue.
Unfortunately, our users will do anything but work, so we frequently have people trying to connect PS3s, personal netbooks, mobile phones and all manner of other gadgetry to the WAPs to waste a bit of time (for some reason they think they can circumvent our web filtering by using the WAPs...). The WAP password has been spilled so many times that it became pointless.
As previously mentioned, the majority of our users wouldn't know a MAC address if it smacked them in the face, let alone try and spoof one, so this has seemed the most workable method.
Quote:
As previously mentioned, the majority of our users wouldn't know a MAC address if it smacked them in the face, let alone try and spoof one, so this has seemed the most workable method.
Thank you for your continuing input I am sincerely grateful!
I'm going to have another stab at this hopefully this afternoon. Something I meant to bring up previously though, was regarding case sensitivity. Are these scripts case sensitive, do you know? As, in particular, sometimes I see 'Calling-Station-ID' and other times I see 'Calling-Station-Id'. No errors appear to be reported, but I just wanted to eliminate it as a factor.
Quote:
Thank you for your continuing input I am sincerely grateful!
You're welcome!
About case-sensitivity, as I personally don't know about that, I googled a bit but found not much about it. There is no doubt that things like user-names or passwords are case-sensitive, but I couldn't figure that out for what you talked about.
You might want to simply try and run radiusd with e.g. DEFAULT_EAP_TYPE or CALLING_STATION_ID, just to make sure, and see if it complains.
Hello Everybody
I am new to freeradius, I installed freeradius2 on centos 5.5. It's working on basic PAP authorization. I want to use MAC address authorization for my LAN PCs, not wireless access points. I tried the default guide http://wiki.freeradius.org/Mac-Auth, but it's giving errors: Failed to find module "rewrite_calling_station_id".
If anybody knows how to fix this, please reply with detailed step by step configuration.
Quote:
Hello Everybody
I am new to freeradius, I installed freeradius2 on centos 5.5. It's working on basic PAP authorization. I want to use MAC address authorization for my LAN PCs, not wireless access points. I tried the default guide wiki.freeradius.org/Mac-Auth, but it's giving errors: Failed to find module "rewrite_calling_station_id".
If anybody knows how to fix this, please reply with detailed step by step configuration.
The policy.conf should look like this:
Code:
policy {
    rewrite_calling_station_id {
        .
        .
        .
        .
    }
}
Then the rewrite_calling_station_id policy can be used in the configuration. The FreeRADIUS wiki is actually missing this point.
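As an added worked example (written for this page, not taken from the thread or from the FreeRADIUS project), here is how the pieces the guide asks for fit together in FreeRADIUS 2.x, including the policy.conf definition whose absence produces the "Failed to find module" error; the regex rewrite also settles the case question raised earlier, because it normalises whatever the WAP sends in Calling-Station-Id to lower-case, dash-separated form before the file lookup. File paths follow the thread; the MAC values are constructed, and the exact unlang regex flag and tolower xlat syntax are assumed from the 2.x documentation, so check the result with radiusd -X on your own version.

```conf
# ---- raddb/policy.conf -------------------------------------------------
# Defines the policy that sites-enabled/default refers to. Without this
# block radiusd cannot find "rewrite_calling_station_id" (the error in the
# thread). It accepts AA:BB:CC:DD:EE:FF, AA-BB-..., aabb.ccdd.eeff (Cisco)
# or AABBCCDDEEFF and rewrites to aa-bb-cc-dd-ee-ff, so the lookup below
# is independent of vendor formatting and letter case.
policy {
    rewrite_calling_station_id {
        if (Calling-Station-Id =~ /^([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:.]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:.]?([0-9a-f]{2})[-:]?([0-9a-f]{2})$/i) {
            update request {
                Calling-Station-Id := "%{tolower:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}"
            }
        }
        else {
            noop    # not a MAC we recognise; leave the request untouched
        }
    }
}

# ---- raddb/modules/files ------------------------------------------------
# A second instance of the files module, keyed on the normalised MAC
# rather than on User-Name.
files authorized_macs {
    key = "%{Calling-Station-Id}"
    usersfile = ${confdir}/authorized_macs
    compat = no
}

# ---- raddb/authorized_macs ---------------------------------------------
# One entry per permitted device, in the same normalised form. The MAC
# addresses are constructed examples; the Reply-Message gives the label
# the poster wanted for each device.
00-11-22-33-44-55
    Reply-Message = "Company laptop 1 (%{Calling-Station-Id}) authorised"
00-11-22-33-44-66
    Reply-Message = "Guest device (%{Calling-Station-Id}) authorised"

# ---- raddb/sites-available/default, inside authorize {} ----------------
# Normalise, look the MAC up, and reject anything not on the list before
# any password or EAP logic runs. A matched MAC is accepted outright.
authorize {
    preprocess
    rewrite_calling_station_id
    authorized_macs
    if (!ok) {
        reject
    }
    else {
        update control {
            Auth-Type := Accept
        }
    }
}
```

Because the allow-list is only a MAC address, which any client can change, the accept decision is as strong as the list and no stronger; this matches the caveat given earlier in the thread.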