Question: How do I forcibly accept all rest requests??
Good afternoon guys! I am running version 2.1.6. The server is currently doing 802.1x authentication for network devices. Some devices are PCs and users use their Windows domain user/password to log in. The rest are special network equipment and I use MAC address authentication bypass to authenticate them.

Now I have a dilemma: I need to make all other devices (guest devices from outside my company) be authenticated as well... Currently if these devices (usually laptops running Windows XP) support 802.1x, they will fail and they will be put in an Auth-failed VLAN. The VLAN itself is fine and they can do whatever they want on this VLAN. However it's just that annoying icon on their laptops. It pops up from time to time to notify users that they failed authentication and even prompts for username and password if configured to do so...

So I want to make all the rest of the devices be authenticated. It will be even better if I can assign them to a specific VLAN. I was reading ./sites-available/default and I found that you can forcibly accept the user (Auth-Type := Accept). Where do I put it? I tried:

    post-auth {
        Post-Auth-Type REJECT {
            # attr_filter.access_reject
            Auth-Type := Accept
        }
    }

And obviously it's not working... Any ideas how I should configure it?

Thank you!

Difan Zhao
Network Engineer
difan.z...@guest-tek.com
www.guest-tek.com
Office: 403-509-1010 ext 3048
Cell: 403-689-7514

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Question: How do I forcibly accept all rest requests??
Difan Zhao wrote:
> So I want to make all rest devices to be authenticated. It will be even better if I can assign them to a specific VLAN. I was reading ./sites-available/default and I found that forcibly accept the user (Auth-Type := Accept). Where do I put it? I tried:
>
>     post-auth {
>         Post-Auth-Type REJECT {
>             # attr_filter.access_reject
>             Auth-Type := Accept
>         }
>     }

It's too late to override the reject at that point. And I doubt that this will prevent the icon from appearing on their desktop.

The icon means that the *PC* believes it wasn't authenticated. The config above tells the *NAS* to allow them in, but does not convince the *PC* that it has been authenticated.

There is no substitute for running the authentication protocol correctly.

Alan DeKok.
RE: Question: How do I forcibly accept all rest requests??
Alan,

Thank you for the quick reply! However, if you can fool the NAS into believing that the device is authenticated, will the switch also send an EAP Success message to the laptop to fool it as well?

If the laptop is configured to use PEAP and to validate the certificate, then you are right, there is nothing we can do. If the laptop is configured not to validate the certificate, then when the server (freeradiusd) sends a challenge in the TLS tunnel and receives a hashed reply, can it be configured to simply send a success back anyway? If the laptop is configured to use MD5, then I think it's even easier to make this happen...?

I apologize if I got any EAP/RADIUS theory totally wrong...

The company I work for serves hotels. They want their staff to be put in the right VLAN for admin management purposes while guests are put in the guest VLAN. Now my setup is pissing some guests off because they don't like to see "failed" on their laptops. It's kind of important... I will really appreciate it if you can come up with a solution for it...

Thank you!

Guest-tek,
Difan Zhao
difan.z...@guest-tek.com
www.guest-tek.com
Office: 403-509-1010 ext 3048
Cell: 403-689-7514

-----Original Message-----
From: freeradius-users-bounces+difan.zhao=guest-tek@lists.freeradius.org [mailto:freeradius-users-bounces+difan.zhao=guest-tek@lists.freeradius.org] On Behalf Of Alan DeKok
Sent: Tuesday, March 30, 2010 4:43 PM
To: FreeRadius users mailing list
Subject: Re: Question: How do I forcibly accept all rest requests??

> Difan Zhao wrote:
>> So I want to make all rest devices to be authenticated. It will be even better if I can assign them to a specific VLAN. I was reading ./sites-available/default and I found that forcibly accept the user (Auth-Type := Accept). Where do I put it? I tried:
>>
>>     post-auth {
>>         Post-Auth-Type REJECT {
>>             # attr_filter.access_reject
>>             Auth-Type := Accept
>>         }
>>     }
>
> It's too late to override the reject at that point. And I doubt that this will prevent the icon from appearing on their desktop.
>
> The icon means that the *PC* believes it wasn't authenticated. The config above tells the *NAS* to allow them in, but does not convince the *PC* that it has been authenticated.
>
> There is no substitute for running the authentication protocol correctly.
>
> Alan DeKok.
Re: Question: How do I forcibly accept all rest requests??
Difan Zhao wrote:
> However if you can fool the NAS to let it believe that the device is authenticated, will the switch also send an EAP success message to the laptop to fool him as well?

No. Even if it does, the laptop will ignore it.

There is no substitute for running the authentication protocol correctly.

> If the laptop is configured to use PEAP and to validate certificate, then you are right, there is nothing we can do. If the laptop is configured not to validate the certificate, then when the Server (freeradiusd) sends a challenge in the TLS tunnel and received a hashed reply, can it be configured to simply send a success back anyway?

That's not the way PEAP works. So no, it's impossible.

> If the laptop is configured to use MD5, then I think it's even easier to make this happen...?

It's still impossible.

> I apologize if I got any EAP/Radius theory totally wrong... The company I work for serves hotels. They want their staff to be put in right VLAN for admin management purpose while guests put in guest VLAN. Now my setup is pissing some guests off because they don't like to see failed on their laptops. It's kind of important... I will really appreciate if you can come up with a solution for it...

*shrug* That's the way networks work. And you expect me to come up with a solution (for free) that you're charging for?

Alan DeKok.
RE: Question: How do I forcibly accept all rest requests??
Uh... Guess you are right... I thought it was something easy but looks like it's not! I will let the hotel know that there is nothing we can do. I guess the hotel will give up after I tell them that I have consulted with the programmer lol.

BTW this FreeRADIUS is an awesome program. Very flexible and I like it a lot! Your support is also very much appreciated!

Thanks a lot

Guest-tek,
Difan Zhao
difan.z...@guest-tek.com
www.guest-tek.com
Office: 403-509-1010 ext 3048
Cell: 403-689-7514

-----Original Message-----
From: freeradius-users-bounces+difan.zhao=guest-tek@lists.freeradius.org [mailto:freeradius-users-bounces+difan.zhao=guest-tek@lists.freeradius.org] On Behalf Of Alan DeKok
Sent: Tuesday, March 30, 2010 5:47 PM
To: FreeRadius users mailing list
Subject: Re: Question: How do I forcibly accept all rest requests??

> Difan Zhao wrote:
>> However if you can fool the NAS to let it believe that the device is authenticated, will the switch also send an EAP success message to the laptop to fool him as well?
>
> No. Even if it does, the laptop will ignore it.
>
> There is no substitute for running the authentication protocol correctly.
>
>> If the laptop is configured to use PEAP and to validate certificate, then you are right, there is nothing we can do. If the laptop is configured not to validate the certificate, then when the Server (freeradiusd) sends a challenge in the TLS tunnel and received a hashed reply, can it be configured to simply send a success back anyway?
>
> That's not the way PEAP works. So no, it's impossible.
>
>> If the laptop is configured to use MD5, then I think it's even easier to make this happen...?
>
> It's still impossible.
>
>> I apologize if I got any EAP/Radius theory totally wrong... The company I work for serves hotels. They want their staff to be put in right VLAN for admin management purpose while guests put in guest VLAN. Now my setup is pissing some guests off because they don't like to see failed on their laptops. It's kind of important... I will really appreciate if you can come up with a solution for it...
>
> *shrug* That's the way networks work. And you expect me to come up with a solution (for free) that you're charging for?
>
> Alan DeKok.