Deployment of MAC Address Authentication based on Freeradius

Figure 3: RADIUS configuration on AP-500

After MAC authentication, it is mandatory (on the ORINOCO AP-500) to configure the access point to bridge the IP and ARP protocols, so that the two clients can communicate with each other over IP.

RADIUS server configuration

Using freeradius 0.8.1 to deploy this architecture, MAC authentication can be performed simply by editing two freeradius configuration files, users and clients.conf.

The users file contains a series of configuration directives that the files module uses to decide how to authorize and authenticate each user request. Each entry of the file begins with a username, followed by a list of check items, all on one line. For the purpose of this paper, the following lines let the files module check the clients' credentials (the username is the client's MAC address, written the way the AP-500 sends it):

```
00022d-539778 Auth-Type := Local, User-Password == "gianluigi"
00022d-3270e3 Auth-Type := Local, User-Password == "gianluigi"
```

Local authentication (Auth-Type := Local) checks the password against the User-Password attribute in the users file (rather than against /etc/passwd, as System authentication does). Since the secret shared between the NAS and the RADIUS server has been set to gianluigi (see the clients.conf configuration below), the access point presents each client's request with that same string as the password.

The clients.conf file defines the RADIUS clients (typically Network Access Servers, NAS). Each client entry carries two essential fields:

1. client, the hostname (dotted-decimal notation is allowed) of the RADIUS client, and
2. secret, the "shared secret" held between the RADIUS server and that client. It is used to hide the User-Password attribute in RADIUS packets and to authenticate the packets exchanged with the client.

These are the lines to add to clients.conf:

```
client 153.69.254.250 {
        secret = gianluigi
        shortname = ap
        nastype = other
}
```

Now everything is ready to perform MAC address-based RADIUS authentication over the WLAN.
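The exchange that the configuration above produces, written out as an added example (this is not code from the article or from FreeRADIUS): the NAS builds an RFC 2865 Access-Request carrying NAS-IP-Address, User-Name and a User-Password hidden with the shared secret, and the server unhides the password, performs the users-file lookup and answers with an Access-Accept or Access-Reject whose Response Authenticator the NAS can verify. The USERS and CLIENTS tables are constructed from the two configuration files shown above; the function names and the random Request Authenticator are this example's own. With the article's values the request comes out at 59 octets, the length FreeRADIUS reports for the real packet in the debug trace that follows.

```python
"""RFC 2865 Access-Request/Access-Accept exchange for MAC-address authentication,
modelled on the users and clients.conf entries above. Added example, not code
from the article or from FreeRADIUS: USERS and CLIENTS are constructed from
those two files; the function names and the random Request Authenticator are
this example's own."""
import hashlib
import hmac
import os
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP_ADDRESS = 1, 2, 4

# Constructed from the two "users" entries: User-Name (client MAC) -> password.
USERS = {"00022d-539778": "gianluigi", "00022d-3270e3": "gianluigi"}
# Constructed from the clients.conf stanza: NAS address -> shared secret.
CLIENTS = {"153.69.254.250": "gianluigi"}


def hide_password(password, secret, authenticator):
    """RFC 2865 5.2: pad to 16-octet blocks, XOR each with MD5(secret + previous
    ciphertext block), the first block keyed by the Request Authenticator.
    This is hiding keyed by the shared secret, not authenticated encryption."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out


def unhide_password(hidden, secret, authenticator):
    """Inverse of hide_password; the NUL padding is stripped."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = hidden[i:i + 16]
        out += bytes(a ^ b for a, b in zip(prev, key))
    return out.rstrip(b"\x00")


def encode_attrs(attrs):
    """Type-Length-Value; Length includes the two header octets."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def parse_attrs(data):
    attrs, pos = [], 0
    while pos < len(data):
        if pos + 2 > len(data) or data[pos + 1] < 2 or pos + data[pos + 1] > len(data):
            raise ValueError("malformed attribute")
        attrs.append((data[pos], data[pos + 2:pos + data[pos + 1]]))
        pos += data[pos + 1]
    return attrs


def build_access_request(ident, nas_ip, mac, password, secret, authenticator=None):
    """NAS side. The AP-500 sends the client MAC as User-Name and its own
    shared secret as the password, which is what the users file expects."""
    authenticator = authenticator or os.urandom(16)
    body = encode_attrs([
        (ATTR_NAS_IP_ADDRESS, socket.inet_aton(nas_ip)),
        (ATTR_USER_NAME, mac.encode()),
        (ATTR_USER_PASSWORD, hide_password(password.encode(), secret.encode(), authenticator)),
    ])
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + authenticator + body


def build_response(code, ident, request_authenticator, secret, attrs=b""):
    """Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    head = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return head + hashlib.md5(head + request_authenticator + attrs + secret).digest() + attrs


def radius_server(packet, src_ip):
    """Server side: Access-Accept or Access-Reject bytes, or None when the request
    must be silently discarded (NAS not in clients.conf, malformed packet)."""
    secret = CLIENTS.get(src_ip)
    if secret is None or len(packet) < 20:
        return None
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length < 20 or length > len(packet):
        return None
    request_authenticator = packet[4:20]
    try:
        attrs = dict(parse_attrs(packet[20:length]))  # octets past Length are padding
    except ValueError:
        return None
    username = attrs.get(ATTR_USER_NAME, b"").decode("ascii", "replace")
    supplied = unhide_password(attrs.get(ATTR_USER_PASSWORD, b""), secret.encode(),
                               request_authenticator)
    expected = USERS.get(username)  # the files module's lookup ("Matched ... at 91")
    ok = expected is not None and hmac.compare_digest(supplied, expected.encode())
    return build_response(ACCESS_ACCEPT if ok else ACCESS_REJECT, ident,
                          request_authenticator, secret.encode())


def verify_response(response, request, secret):
    """NAS side: check ID and Response Authenticator before trusting the verdict."""
    digest = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return response[1] == request[1] and hmac.compare_digest(digest, response[4:20])


if __name__ == "__main__":
    nas = "153.69.254.250"
    req = build_access_request(2, nas, "00022d-539778", CLIENTS[nas], CLIENTS[nas])
    print("Access-Request id=%d length=%d" % (req[1], len(req)))  # length=59, as in the trace
    resp = radius_server(req, nas)
    print("code %d, authentic=%s" % (resp[0], verify_response(resp, req, CLIENTS[nas].encode())))
```

Running the block prints the 59-octet request and an Access-Accept (code 2); a User-Name that is not in USERS, a NAS that is not in CLIENTS, or a NAS using a different secret all fail, the last because the password unhides to garbage. Note what the server is really checking in this setup: the string gianluigi is both the shared secret and every client's password, so a successful Access-Accept confirms only that the request came from the configured access point and named a MAC address listed in the users file.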
Simply typing radiusd -Xy on the RADIUS server machine starts the daemon in extended debug mode; MAC authentication then takes place, with details of every authentication request written to the radius.log file. The trace below shows the Netpad client being authenticated.

```
rad_recv: Access-Request packet from host 153.69.254.250:192, id=2, length=59
        NAS-IP-Address = 153.69.254.250
        User-Name = "00022d-539778"
        User-Password = "gianluigi"
```

The Access Point sends the client's MAC address as the User-Name and the secret it shares with the RADIUS server as the User-Password.

```
modcall: entering group authorize
modcall[authorize]: module "preprocess" returns ok
modcall[authorize]: module "chap" returns noop
rlm_eap: EAP-Message not found
modcall[authorize]: module "eap" returns noop
modcall[authorize]: module "digest" returns noop
rlm_realm: No '@' in User-Name = "00022d-539778", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop
users: Matched 00022d-539778 at 91
```

The Netpad has been recognized at line 91 of the users file.

```
modcall[authorize]: module "files" returns ok
modcall[authorize]: module "mschap" returns noop
modcall: group authorize returns ok
rad_check_password: Found Auth-Type Local
auth: type Local
auth: user supplied User-Password matches local User-Password
```

The check is OK.

```
Sending Access-Accept of id 2 to 153.69.254.250:192
```

The RADIUS server sends the Access-Accept response to the NAS.

```
Finished request 1
```

Bio: Dr Gianluigi Me is a staff member of the Wi-Fi Technology Forum and a WLAN editor. With years of experience in network security (especially in mobile architectures), he is an IEEE author and a Lecturer at the University of Rome Tor Vergata, Italy.