Re: [Q]: Assigning VLANs and restricting logins?

2004-06-03 Thread Chris Bshaw
Hi Alan
> 3. Is it possible using EAP/TLS to restrict how many times a station with a
> particular certificate connects to the wireless net, i.e. if someone
> takes their certificate and installs it on 10 wireless machines, can I
> configure freeradius (and/or my access point) so that only one active
> wireless connection is allowed for that certificate?

>   You can set Simultaneous-Use on the server, which will do this.

I am trying to use this now. However, when I have radius accounting enabled, 
2 different machines are showing up as different usernames...even though 
I have installed the same X.509 certificate on both. Radius doesn't seem to 
extract any information from the certificate during the authentication phase 
(eg: who/what the certificate is assigned to).

Is it possible to use Simultaneous-Use in an EAP/TLS setup to ensure that 
even if multiple machines have the same certificate, only one of them will 
be able to logon?

i.e. can radius detect based on the certificate itself whether someone has 
already tried to connect using the same certificate?

If so, is there a field I can set in radiusd.conf via 'username = ...' to 
make this work?

Thanx in advance.
Chris.

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
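The question above is what "the same certificate" means to a Simultaneous-Use check. The following is an added example, not code from the thread or from FreeRADIUS: a small simulation of a Simultaneous-Use style limit evaluated over a table of active accounting sessions, keyed either by the RADIUS User-Name (the outer EAP identity, which each machine can set differently) or by the subject of the EAP-TLS client certificate. The accounting records are constructed, and the attribute name TLS-Client-Cert-Subject is an assumption for the example; whether a given server version exposes the certificate subject as an attribute is exactly what the thread leaves open.

```python
"""Added example (not from the list thread or FreeRADIUS itself): a
Simultaneous-Use style check over active accounting sessions, keyed by
User-Name or by the client certificate subject.  Attribute names such as
"TLS-Client-Cert-Subject" are assumptions made for this example."""

# Constructed accounting data: two laptops carrying the same client
# certificate but sending different outer EAP identities (User-Name).
ACTIVE_SESSIONS = [
    {"User-Name": "laptop-a", "Calling-Station-Id": "00-11-22-33-44-01",
     "TLS-Client-Cert-Subject": "/O=Example/CN=chris"},
    {"User-Name": "laptop-b", "Calling-Station-Id": "00-11-22-33-44-02",
     "TLS-Client-Cert-Subject": "/O=Example/CN=chris"},
    {"User-Name": "printer", "Calling-Station-Id": "00-11-22-33-44-03",
     "TLS-Client-Cert-Subject": "/O=Example/CN=printer-1"},
]

# A third machine shows up with the same certificate and yet another name.
NEW_REQUEST = {"User-Name": "laptop-c", "Calling-Station-Id": "00-11-22-33-44-04",
               "TLS-Client-Cert-Subject": "/O=Example/CN=chris"}


def active_count(sessions, key, value):
    """Number of active sessions whose attribute `key` equals `value`."""
    return sum(1 for s in sessions if s.get(key) == value)


def simultaneous_use_check(sessions, new_request, key, limit=1):
    """Return (accept, reason).  Mirrors the idea of Simultaneous-Use: the
    request is rejected when `limit` sessions for the same identity are
    already active.  `key` is the attribute that defines "same identity"."""
    value = new_request.get(key)
    if value is None:
        # Fail closed: without the identity attribute the limit is unenforceable.
        return False, f"request carries no {key}; cannot enforce limit"
    n = active_count(sessions, key, value)
    if n >= limit:
        return False, f"{n} active session(s) already for {key}={value!r}"
    return True, f"{n} active session(s) for {key}={value!r}, under limit {limit}"


def duplicate_certificates(sessions):
    """Certificate subjects seen on more than one station: the situation
    described above, visible in accounting data even when the login itself
    was not blocked.  Returns {subject: sorted list of station ids}."""
    by_subject = {}
    for s in sessions:
        by_subject.setdefault(s["TLS-Client-Cert-Subject"], set()).add(s["Calling-Station-Id"])
    return {subj: sorted(macs) for subj, macs in by_subject.items() if len(macs) > 1}


if __name__ == "__main__":
    for key in ("User-Name", "TLS-Client-Cert-Subject"):
        ok, why = simultaneous_use_check(ACTIVE_SESSIONS, NEW_REQUEST, key)
        verdict = "Access-Accept" if ok else "Access-Reject"
        print(f"keyed by {key:24s}: {verdict} ({why})")
    print("certificates present on more than one station:",
          duplicate_certificates(ACTIVE_SESSIONS))
```

Keyed by User-Name the third laptop is accepted, because nothing in the accounting table ties "laptop-a", "laptop-b" and "laptop-c" together; keyed by the certificate subject it is rejected, and the duplicate report flags the certificate already present on two stations. The limit is only as good as the identity it is keyed on, which is the point of the question.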


Re: [Q]: Assigning VLANs and restricting logins?

2004-05-27 Thread Artur Hecker
hi
strictly speaking, the server-to-client communication is not defined 
within the RADIUS protocol, which follows the client-server comm. model.

this possibility does exist in DIAMETER (if you find an NAS which 
understands it, please shout!)

practically, cisco does something like that in RADIUS (but it's of 
course proprietary to the cisco equipment) and you can disconnect by 
using scripts etc., i.e. basically by leaving the radius context.

ciao
artur
Damjan wrote:
> > Admin can/would log off the logged in clients on the domain that the
> > RADIUS server resides.  That's not a problem.
> > But how does one tell NAS
> > equipment about it?  In my case, what would be the protocol to ask
> > NAS equipment to disassociate certain clients?
>
> Obviously that depends from NAS to NAS, for ex. I can telnet into my
> dial-up access server and kick a user by his ID.
> btw, if you don't tell the NAS equipment that a user should be
> logged-off you've done nothing by "Admin can/would log off the logged in
> clients on the domain that the RADIUS server resides". What would that
> accomplish (I don't even understand how you think that will work?!?)


Re: [Q]: Assigning VLANs and restricting logins?

2004-05-27 Thread Alan DeKok
"Htin Hlaing" <[EMAIL PROTECTED]> wrote:
> Would it be right to say that a RADIUS server in 802.1X authentication
> allows a client to be authenticated but can not unauthenticate an
> authenticated client and let the AP(Nas) know about this
> unauthentication.

  Yes.  This is in the FAQ.  The RADIUS server does not, and can not,
kick users offline.

> So, if I log on with my XP laptop through 802.1X successfully and then a
> few minutes later, the system admin logged off all users (including me)
> with the intent to force reauthentications.  But, my laptop thinks it's
> still authenticated and logged in. Is there a way from the RADIUS server
> to notify the client so, the client detects it's unauthenticated and
> tries to start 802.1X session again. 

  No.

  See your AP documentation for possible ways to kick users offline.
If there are no methods listed, it's impossible.

  Alan DeKok.




RE: [Q]: Assigning VLANs and restricting logins?

2004-05-26 Thread Htin Hlaing

> btw, if you don't tell the NAS equipment that a user should be
> logged-off you've done nothing by "Admin can/would log off the logged in
> clients on the domain that the RADIUS server resides". What would that
> accomplish (I don't even understand how you think that will work?!?)
> 

Thanks. I of course knew that it will not work or did not imply that it
should work without telling the NAS...  Simply wondering if there is a
standard way or part of any standard to do this.

Htin



Re: [Q]: Assigning VLANs and restricting logins?

2004-05-26 Thread Damjan
> Admin can/would log off the logged in clients on the domain that the
> RADIUS server resides.  That's not a problem.  
> But how does one tell NAS
> equipment about it?  In my case, what would be the protocol to ask
> NAS equipment to disassociate certain clients?

Obviously that depends from NAS to NAS, for ex. I can telnet into my
dial-up access server and kick a user by his ID.

btw, if you don't tell the NAS equipment that a user should be
logged-off you've done nothing by "Admin can/would log off the logged in
clients on the domain that the RADIUS server resides". What would that
accomplish (I don't even understand how you think that will work?!?)

-- 
damjan | Дамјан
This is my jabber ID --> [EMAIL PROTECTED] <-- not my mail address!!!



RE: [Q]: Assigning VLANs and restricting logins?

2004-05-26 Thread Htin Hlaing

> Well if the admin instructs the NAS equipment to log off all the users,
> your laptop should know immediately that it's disassociated from the wifi
> AP. When your laptop tries to log on again, and makes that request to the
> AP, the AP will contact the radius server again.
> 

Admin can/would log off the logged in clients on the domain that the
RADIUS server resides.  That's not a problem.  But how does one tell NAS
equipment about it?  In my case, what would be the protocol to ask
NAS equipment to disassociate certain clients?

Thanks,
Htin



Re: [Q]: Assigning VLANs and restricting logins?

2004-05-26 Thread Damjan
> Would it be right to say that a RADIUS server in 802.1X authentication
> allows a client to be authenticated but can not unauthenticate an
> authenticated client and let the AP(Nas) know about this
> unauthentication. I guess it comes down to RADIUS server responds to
> clients but does not initiate talking to clients.

That's true, the radius server just responds to the NAS equipment (being
that wireless access point or a dial-up access server or a VPN access
server etc...).
 
> So, if I log on with my XP laptop through 802.1X successfully and then a
> few minutes later, the system admin logged off all users (including me)
> with the intent to force reauthentications.  But, my laptop thinks it's
> still authenticated and logged in.

Well if the admin instructs the NAS equipment to log off all the users,
your laptop should know immediately that it's disassociated from the wifi
AP. When your laptop tries to log on again, and makes that request to the
AP, the AP will contact the radius server again.



-- 
damjan | Дамјан
This is my jabber ID --> [EMAIL PROTECTED] <-- not my mail address!!!



RE: [Q]: Assigning VLANs and restricting logins?

2004-05-26 Thread Htin Hlaing
Hi Alan,

Would it be right to say that a RADIUS server in 802.1X authentication
allows a client to be authenticated but can not unauthenticate an
authenticated client and let the AP(Nas) know about this
unauthentication. I guess it comes down to RADIUS server responds to
clients but does not initiate talking to clients.

So, if I log on with my XP laptop through 802.1X successfully and then a
few minutes later, the system admin logged off all users (including me)
with the intent to force reauthentications.  But, my laptop thinks it's
still authenticated and logged in. Is there a way from the RADIUS server
to notify the client so, the client detects it's unauthenticated and
tries to start 802.1X session again.  Otherwise, I would need to
disassociate and associate again.

Thanks,
Htin

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:freeradius-
> [EMAIL PROTECTED] On Behalf Of Alan DeKok
> Sent: Wednesday, May 26, 2004 1:56 PM
> To: [EMAIL PROTECTED]
> Subject: Re: [Q]: Assigning VLANs and restricting logins?
> 
> "Chris Bshaw" <[EMAIL PROTECTED]> wrote:
> > Is there any post-authentication mechanism I could use in FreeRadius to
> > revoke the authentication, i.e. allow the user to authenticate long enough
> > to make the checks over IP via an Exec-Program-Wait and if they fail the
> > checks, freeradius 'tells' (?) the access point to disconnect the
> > client?
> 
>   Nope.
> 
>   But you can run a script to tell another program that a user
> authenticated.  That other program can then wait however long it
> wants, and do whatever it wants with the results.
> 
>   Alan DeKok.



Re: [Q]: Assigning VLANs and restricting logins?

2004-05-26 Thread Alan DeKok
"Chris Bshaw" <[EMAIL PROTECTED]> wrote:
> Is there any post-authentication mechanism I could use in FreeRadius to 
> revoke the authentication, i.e. allow the user to authenticate long enough 
> to make the checks over IP via an Exec-Program-Wait and if they fail the 
> checks, freeradius 'tells' (?) the access point to disconnect the client?

  Nope.

  But you can run a script to tell another program that a user
authenticated.  That other program can then wait however long it
wants, and do whatever it wants with the results.

  Alan DeKok.




Re: [Q]: Assigning VLANs and restricting logins?

2004-05-26 Thread Chris Bshaw
Hi Alan...
Thanx for the info.
>   Basically, you can't do these checks until after the RADIUS
> authentication has succeeded, which means that you can't use the
> checks to change the RADIUS response.

Is there any post-authentication mechanism I could use in FreeRadius to 
revoke the authentication, i.e. allow the user to authenticate long enough 
to make the checks over IP via an Exec-Program-Wait and if they fail the 
checks, freeradius 'tells' (?) the access point to disconnect the client?

Thanx in advance.
Chris.



Re: [Q]: Assigning VLANs and restricting logins?

2004-05-26 Thread Alan DeKok
"Chris Bshaw" <[EMAIL PROTECTED]> wrote:
> 1. I have read that I can have freeradius run a script via Exec-Program-Wait 
> at authentication time. I was just wondering would it be possible to use 
> this to perform a query over IP on the client station (eg: snmp or 
> something)?

  Scripts can do anything you want.

> would it be 
> possible to have freeradius dynamically associate a client station to an 
> SSID at authentication time?

  No.  The SSID's are done in a layer *below* the layers that
FreeRADIUS sees.

> My interest in these is because I would like if possible to be able to check 
> each client station to see if it has the latest patches, virus protection 
> s/w etc. and if it doesn't I would like to either disconnect it, or dump it 
> in some kind of quarantine SSID (VLAN).

  For that, you have to wait until the client gets an IP address,
which can happen ~1s after the RADIUS authentication.

  Basically, you can't do these checks until after the RADIUS
authentication has succeeded, which means that you can't use the
checks to change the RADIUS response.

> 3. Is it possible using EAP/TLS to restrict how many times a station with a 
> particular certificate connects to the wireless net, i.e. if someone 
> takes their certificate and installs it on 10 wireless machines, can I 
> configure freeradius (and/or my access point) so that only one active 
> wireless connection is allowed for that certificate?

  You can set Simultaneous-Use on the server, which will do this.

  Alan DeKok.


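The reply above separates two steps: a script that FreeRADIUS runs at authentication time, and "another program" that waits until the client has an IP address and then does the slow checks, outside the RADIUS exchange. The following is an added example of that hand-off, not code from the thread or from FreeRADIUS: the hook side records the login and returns immediately, and the worker side picks up records only once they are old enough for the station to have obtained an address. The environment-variable names (USER_NAME, CALLING_STATION_ID), the spool-directory layout and the 2 s waiting period are assumptions made for this example.

```python
"""Added example (not from the thread, not FreeRADIUS code): hand-off from
an authentication-time hook to a separate worker that does posture checks
later.  Environment-variable names and spool layout are assumptions."""

import json
import os
import tempfile
import time


def record_auth(spool_dir, env, now=None):
    """Hook side: called once per successful authentication.  Writes one
    small file and returns its path; does no network I/O, so the RADIUS
    response is not delayed by the check."""
    now = time.time() if now is None else now
    rec = {
        "user": env.get("USER_NAME", ""),                  # assumed env var
        "station": env.get("CALLING_STATION_ID", ""),      # assumed env var
        "authenticated_at": now,
    }
    os.makedirs(spool_dir, exist_ok=True)
    station = rec["station"].replace(":", "-") or "unknown"
    path = os.path.join(spool_dir, f"{int(now * 1000)}-{station}.json")
    tmp = path + ".tmp"
    with open(tmp, "w") as fh:
        json.dump(rec, fh)
    os.replace(tmp, path)  # atomic: the worker never sees a half-written file
    return path


def due_records(spool_dir, min_age_s, now=None):
    """Worker side: return records whose client has had at least `min_age_s`
    seconds to obtain an IP address (roughly a second after RADIUS
    authentication, per the reply above), oldest first.  Returned records
    are removed from the spool; younger ones are left for the next pass."""
    now = time.time() if now is None else now
    due = []
    for name in sorted(os.listdir(spool_dir)):
        if not name.endswith(".json"):
            continue
        path = os.path.join(spool_dir, name)
        with open(path) as fh:
            rec = json.load(fh)
        if now - rec["authenticated_at"] >= min_age_s:
            due.append(rec)
            os.remove(path)
    return due


def demo(t0=1_000_000.0, wait_s=2.0):
    """Constructed scenario: two logins 1.5 s apart, worker passes at t0+2 s
    and t0+4 s.  Returns the user names picked up on each pass."""
    spool = tempfile.mkdtemp(prefix="radius-posture-")
    record_auth(spool, {"USER_NAME": "chris", "CALLING_STATION_ID": "00:11:22:33:44:01"}, now=t0)
    record_auth(spool, {"USER_NAME": "dana", "CALLING_STATION_ID": "00:11:22:33:44:02"}, now=t0 + 1.5)
    first = [r["user"] for r in due_records(spool, wait_s, now=t0 + 2.0)]
    second = [r["user"] for r in due_records(spool, wait_s, now=t0 + 4.0)]
    return first, second


if __name__ == "__main__":
    # When invoked by the RADIUS server the hook would call
    # record_auth(spool_dir, os.environ); here the scenario is constructed.
    first, second = demo()
    print("worker pass 1 checks:", first)   # only chris has had time for DHCP
    print("worker pass 2 checks:", second)  # dana is picked up next pass
```

The worker's result (quarantine, disconnect, or nothing) still has to reach the NAS by whatever management interface the NAS itself offers, since, as the thread says, the RADIUS server has no way to push that decision to the access point after the fact.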


[Q]: Assigning VLANs and restricting logins?

2004-05-26 Thread Chris Bshaw
Hi
First, thanx to all who replied to my earlier emails on EAP/TLS + WEP key 
generation. I seem to have this working now.

Now I have some new questions :
1. I have read that I can have freeradius run a script via Exec-Program-Wait 
at authentication time. I was just wondering would it be possible to use 
this to perform a query over IP on the client station (eg: snmp or 
something)?

2. I have seen mails and docs on allowing freeradius to assign VLAN IDs at 
authentication time. I am presuming this would be more suitable for wired 
ethernet switches than wireless access points; on APs with VLAN capabilities 
(eg: my Cisco Aironet 1200) you attach to an SSID (which is associated with 
a VLAN). I am guessing the answer to this is probably no, but would it be 
possible to have freeradius dynamically associate a client station to an 
SSID at authentication time?

My interest in these is because I would like if possible to be able to check 
each client station to see if it has the latest patches, virus protection 
s/w etc. and if it doesn't I would like to either disconnect it, or dump it 
in some kind of quarantine SSID (VLAN).

and finally:
3. Is it possible using EAP/TLS to restrict how many times a station with a 
particular certificate connects to the wireless net, i.e. if someone 
takes their certificate and installs it on 10 wireless machines, can I 
configure freeradius (and/or my access point) so that only one active 
wireless connection is allowed for that certificate?

Thanx again for all the recent help, and thanx in advance for any help on 
these.

Chris Bradshaw.
