So we have EAP-PEAP over MSCHAP working. What I'd like to do is have a MAC Address check, for the purpose of making sure people aren't putting their credentials into random devices. I know SCEP would be the better option here, but this is where we're at right now.
So I noticed that the mac address is passed to FreeRadius under Calling-Station-Id
(9) Received Access-Request Id 39 from 10.127.87.10:54900 to 10.128.0.13:11812 length 275
(9) User-Name = "jonathan.fisher"
(9) NAS-Identifier = "xxttzzbbeezz"
(9) Called-Station-Id = "XX-YY-ZZ-BB-AA-RR:xxx-eap-wifi"
(9) NAS-Port-Type = Wireless-802.11
(9) Service-Type = Framed-User
(9) Calling-Station-Id = "GG-HH-AA-22-77-PP"
(9) Connect-Info = "CONNECT 0Mbps 802.11a"
(9) Acct-Session-Id = "123456asdfaasdf"
(9) WLAN-Pairwise-Cipher = 1231234
(9) WLAN-Group-Cipher = 1231234
(9) WLAN-AKM-Suite = 1231234
(9) WLAN-Group-Mgmt-Cipher = 1231234
(9) Framed-MTU = 1400
Our Current LDAP config:
ldap {
server="ldaps://xxx.xxx.com"
port=636
tls {
ca_file=/usr/local/share/ca-certificates/xxx-ca.crt
}
identity="cn=freeradius,ou=robots,dc=xxx,dc=xxx,dc=com"
password="a well kept secret"
base_dn="ou=people,dc=xxx,dc=xxx,dc=com"
user {
base_dn="${..base_dn}"
filter="(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
scope='sub'
}
group {
base_dn="${..base_dn}"
filter='(objectClass=inetOrgPerson)'
membership_attribute='memberOf'
scope='sub'
}
}
I'm curious if there is a combination of attributes and LDAP filters anyone has used to allow certain people to only connect with certain mac addresses. Thank you!
0 Answers