Hello Everyone -

I have recently completed an interesting project for an international bank that 
may be of interest to some of you.

The bank has a requirement to provide increased internal network security 
across its entire wired network.

This involves replacing all LAN port switches with EAP enabled devices such 
that all ports enforce authentication prior to enabling network traffic.

The EAP enabled LAN switches are configured for EAP RADIUS with Radiator as the 
central RADIUS server.

All desktop and laptop PCs are configured for Windows PEAP and all computer 
users are authenticated against Active Directory.

An additional requirement is to provide the same EAP restrictions for IP phones 
and printers. This is obviously to prevent unauthorised misuse of LAN ports 
used by phones and printers.

Cisco IP phones are employed and they support EAP-MD5, while a number of 
printers with various types of EAP support are being tested.

To support these (and other) devices, Active Directory has been extended with 
an Organisational Unit (OU) for Devices, with OUs for Printers and Phones 
within it.

The Cisco IP Phones send a special User-Name in the EAP requests that includes 
the MAC address of the phone.

The skeleton Radiator configuration file follows:

…..

# Handler for Cisco IP Phones

<Handler EAP-Message = /.+/, User-Name = /(.+)SEP([0-9a-fA-F]{12})$/>
        …..
</Handler>

# Inner PEAP Packet Handlers

<Handler TunnelledByPEAP=1>
        …..
</Handler>

# Outer PEAP Packet Handler

<Handler EAP-Message = /.+/>
        <AuthBy FILE>
                EAPType PEAP
                …..
        </AuthBy>
</Handler>

# default Handler for normal RADIUS

<Handler>
        <AuthBy LSA>
                        …..
        </AuthBy>
</Handler>


We anticipate that most organisations will be moving to secure wired LAN 
infrastructure over the next few years.

regards

Hugh


NB: 

Have you read the reference manual ("doc/ref.html")?
Have you searched the mailing list archive (www.open.com.au/archives/radiator)?
Have you had a quick look on Google (www.google.com)?
Have you included a copy of your configuration file (no secrets), 
together with a trace 4 debug showing what is happening?

-- 
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
Includes support for reliable RADIUS transport (RadSec),
and DIAMETER translation agent.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
-
CATool: Private Certificate Authority for Unix and Unix-like systems.



_______________________________________________
radiator mailing list
radiator@open.com.au
http://www.open.com.au/mailman/listinfo/radiator
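The skeleton configuration in Hugh's message relies on Radiator testing Handler clauses in the order they appear and using the first one that matches, so the specific clauses (Cisco phone by User-Name pattern, tunnelled inner PEAP request) must come before the generic EAP-Message and catch-all handlers. The added example below is not Radiator code or part of the original post; it models that first-match dispatch in Python over constructed RADIUS attribute sets, extracts the MAC from the "SEP" User-Name using the regular expression from the message, and adds a hypothetical consistency check (not in the message) between that MAC and the switch-supplied Calling-Station-Id, which lets an operator log phone authentications whose claimed identity does not match the port the request arrived on. The sample User-Name and MAC values are constructed.

```python
import re

# Regex taken from the Cisco phone Handler line in the message: the
# User-Name ends in "SEP" followed by the phone's 12-hex-digit MAC address.
CISCO_PHONE_RE = re.compile(r"(.+)SEP([0-9a-fA-F]{12})$")


def normalise_mac(raw):
    """Reduce '00-1A-2B-3C-4D-5E', '001a.2b3c.4d5e' or '001A2B3C4D5E' to lowercase hex."""
    return re.sub(r"[^0-9a-fA-F]", "", raw or "").lower()


def phone_mac(user_name):
    """Return the MAC embedded in a Cisco phone User-Name, or None if it does not match."""
    m = CISCO_PHONE_RE.search(user_name or "")
    return m.group(2).lower() if m else None


# Handler table in the same order as the skeleton configuration.  Radiator
# evaluates Handler clauses top to bottom and uses the first match, so the
# specific clauses must precede the generic EAP and default ones.
HANDLERS = [
    # <Handler EAP-Message = /.+/, User-Name = /(.+)SEP([0-9a-fA-F]{12})$/>
    ("cisco_phone", lambda a: "EAP-Message" in a and phone_mac(a.get("User-Name")) is not None),
    # <Handler TunnelledByPEAP=1>  (inner request extracted from the PEAP tunnel)
    ("peap_inner", lambda a: a.get("TunnelledByPEAP") == 1),
    # <Handler EAP-Message = /.+/>  (outer PEAP request from the switch)
    ("peap_outer", lambda a: "EAP-Message" in a),
    # <Handler>  (plain RADIUS, e.g. a non-EAP login)
    ("default", lambda a: True),
]


def select_handler(attrs):
    """Name of the first Handler whose check accepts this attribute set."""
    for name, matches in HANDLERS:
        if matches(attrs):
            return name
    raise RuntimeError("unreachable: the default Handler matches everything")


def phone_identity_consistent(attrs):
    """Hypothetical extra check (an assumption, not in the message): the MAC the
    phone places in its User-Name should equal the Calling-Station-Id the switch
    reports for the port.  A mismatch is worth logging before any authentication."""
    claimed = phone_mac(attrs.get("User-Name"))
    observed = normalise_mac(attrs.get("Calling-Station-Id"))
    return claimed is not None and claimed == observed


if __name__ == "__main__":
    # Constructed sample requests, one per Handler in the skeleton.
    samples = {
        "phone": {"User-Name": "CP-7960G-SEP001A2B3C4D5E", "EAP-Message": b"\x02\x01",
                  "Calling-Station-Id": "00-1A-2B-3C-4D-5E"},
        "inner": {"User-Name": "CORP\\alice", "EAP-Message": b"\x02\x01", "TunnelledByPEAP": 1},
        "outer": {"User-Name": "anonymous", "EAP-Message": b"\x02\x01"},
        "plain": {"User-Name": "alice", "User-Password": "secret"},
    }
    for label, req in samples.items():
        print(f"{label:6s} -> {select_handler(req)}")
    print("phone MAC consistent:", phone_identity_consistent(samples["phone"]))
```

Reordering the HANDLERS list so the generic EAP entry comes first reproduces the misconfiguration the ordering guards against: every phone request would then be dispatched to the PEAP handler and never reach the EAP-MD5 phone handler.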
