Authenticating by login-pass AND MAC-address

Andrey (Posts: 3), 3.02.2019
Hello TekRADIUS support,

We have a certain task that requires clients to be authenticated by login-password and the device's MAC address as well, and depending on group membership for the user and device accounts the client should be put into a certain VLAN. We went through the available documentation for TekRADIUS, but were not able to get a clear answer as to whether it is possible to implement this with TekRADIUS, and if it is, how to do it. So, we're asking here.

Here are the details:

Basically, what we need is that each client connection should be identified by both user-pass and MAC address. The idea is that each user - according to his/her group membership in AD and depending on the device he/she is using - would be assigned to a certain VLAN with a specified ACL.

Our company's policy requires that all user accounts as well as devices' MAC info be kept in AD. So, regular AD user accounts are used for users, nothing unusual there.
For the devices, though, we cannot use computer accounts (at least, not in a simple manner), because what we need is to store the MAC address. Moreover, there are many company devices that cannot become AD domain members, such as macOS and Android devices, and also all kinds of special equipment.

So, we created additional user accounts that have the MAC addresses of our devices as their logon names, and these accounts are grouped according to their access pattern. We can get the device's MAC address from the authentication request (from the CallingStationID attribute).

Now, what we hope to do is to implement a procedure where the MAC is taken from the CallingStationID attribute and then used as a username to check if this user is a member of a certain group in Active Directory. There is no need to log in as such a user per se; we just need to check whether the user is a member of a certain group, and then combine it with information about the group membership of the actual user's account, which would determine the VLAN for this connection.

So, our question is the following:
Is it possible to implement what is described above using TekRADIUS? And if it is possible, are there any tricks in such an implementation we should know about?

Thanks a lot in advance.
Admin (Administrator, Posts: 4888), 4.02.2019
TekRADIUS can verify the user's MAC address when you specify the MAC address in the Active Directory user properties, Dial-in section, Verify Caller-ID parameter. The MAC address can be entered in AA:BB:CC:11:22:33, AA-BB-CC-11-22-33 or AABBCC112233 format.

This feature requires a commercial license.
Admin (Administrator, Posts: 4888), 4.02.2019
Please make sure that you have the latest build installed (5.5.0.6).
Andrey (Posts: 3), 4.02.2019
Thank you for your reply.

Unfortunately, using the Caller-ID attribute is not an option for us, because almost every employee uses several devices (usually at least two), and Caller-ID allows for only one MAC address. That's why we came up with this complicated idea of creating AD user accounts representing devices (which I described in full detail in my previous post) in the first place.
So, the question still stands.

Also, I should probably clarify:
We certainly understand that what we are asking about is a highly customised scenario, and it is not going to be in TekRADIUS as a fully implemented feature. However, if there is a possibility, for example, to make a connection request handler run a script, passing the MAC address to it, and then to pick up the result (TRUE or FALSE) and use it as a parameter for allowing/denying the connection (and if allowing, determining which VLAN the client would be assigned to), that would be fantastic.

Additionally, I should mention that this task does not have to be solved the way we came up with. If there is something else in TekRADIUS functionality that can help us with it in another way, we are definitely open to it. The conditions are 1) information must be stored in AD, 2) user and device "relationships" are many-to-many, i.e. each user uses several devices (of different types, with different access levels), and each device may be used by many users (again, with different permissions).

So, if there is something that may help us, we would really appreciate it.
Thank you very much.
Admin (Administrator, Posts: 4888), 4.02.2019
You can enter multiple values for the attribute named msNPCallingStationID through the Attribute Editor tab.
Andrey (Posts: 3), 4.02.2019
Yes, it's possible, but it does not help us here. Perhaps I failed to explain the task properly.
We don't need to "establish a relationship" between certain users and devices. The concept is different:

There are users, as a separate type of entity.
Each user has some kind of permissions assigned, depending on group membership.

There are devices, again, as a separate type of entity. They are categorized by type, and have nothing to do with users whatsoever.
Each device is identified by its MAC, and depending on the device type AND user group membership this client is assigned to a dedicated VLAN for this type, with a specified ACL assigned. To give you an example, let's simplify it to 2 types: "laptops" and "phones".

Let's say, for a regular employee, "laptops" are allowed to access only a specific list of internal network resources as well as the internet, but "phones" are allowed internet access only. There are VLAN01 and VLAN02 for that. Certainly, what kind of permissions for each of the internal network resources the "laptop" user would have is, in this case, determined by this user's group membership. And, of course, this employee would not be able to use his/her permissions for internal resources via his/her "phone", since there is no access to them in the first place; only an internet connection is allowed.

However, if a user, for instance, is a member of the IT department, this "laptop" should be assigned to a different VLAN (VLAN03), with wider access across the network. And that goes for this person's "phone" as well; his/her "phone" should also be assigned to VLAN03.
Then, let's say, his/her "phone's" battery died, and he/she borrowed a "phone" from the regular employee mentioned above, and authenticated with his/her login. In this case the "phone" should also be assigned to VLAN03, not VLAN02.

The system is actually more complex than this. This is just for the sake of giving a simple, easily understandable example.

So, we have 2 separate entities in the form of users and devices, but only the combined criteria of user group membership and device type determine which VLAN this client would be assigned to, and, consequently, by applying ACLs, what would be accessible there.

That's what we are trying to implement. As you can see, setting multiple values for msNPCallingStationID does not help here at all.
Admin (Administrator, Posts: 4888), 5.02.2019
You can accomplish complex scenarios using the TekRADIUS External-Executable attribute. External-Executable allows you to execute your own authentication and authorization logic. A typical external executable is a VBScript which accepts the attributes received in an authentication request as command line parameters. You can pass authorization attributes back to TekRADIUS by echoing them as console output. Please see the External-Executable section in the TekRADIUS Manual for more details.
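As an added illustration (this is not code from TekRADIUS, its manual, or either poster), the following Python helper shows the decision logic such an external executable would need for the scenario in this thread: normalise the Calling-Station-Id (CallingStationID) in any of the three MAC formats mentioned above, look up the user account and the device account whose logon name is that MAC, map their group memberships to a role and a device type, and return RFC 3580 tunnel attributes for the VLAN. Everything about how TekRADIUS invokes the executable is an assumption here: the argument order, the one-"Attribute=Value"-per-line output, and exit code 0 for accept and 1 for reject should be checked against the External-Executable section of the manual. The directory, group names and VLAN IDs are constructed to match the laptop/phone example in the thread; a real helper would replace `lookup_groups()` with an LDAP query against AD.

```python
"""Added example, not from TekRADIUS, its manual or the posters in this thread.

Decision logic for an External-Executable-style helper that combines the
user's AD group with the group of the device account whose logon name is the
device's MAC, and returns VLAN assignment attributes.

Assumed (not stated on the page): the helper is invoked as
  vlan_helper.py <User-Name> <Calling-Station-Id>
writes one "Attribute=Value" line per authorization attribute to stdout, and
exits 0 for accept and 1 for reject. DIRECTORY below is a constructed
in-memory stand-in for Active Directory; lookup_groups() is where a real
helper would run an LDAP group query instead.
"""
import re
import sys
from typing import List, Optional, Set

# Constructed stand-in for AD: logon name -> set of group names. Device
# accounts use the normalised MAC (AABBCC112233 form) as their logon name.
DIRECTORY = {
    "alice": {"Domain Users", "Employees"},
    "bob": {"Domain Users", "IT-Department"},
    "AABBCC112233": {"Dev-Laptops"},   # a laptop
    "AABBCC445566": {"Dev-Phones"},    # alice's usual phone
    "001122334455": {"Dev-Phones"},    # bob's usual phone
}

# Hypothetical group names. Roles are listed most-privileged first so that a
# user who is in both groups gets the IT policy.
USER_ROLES = [("IT-Department", "it"), ("Employees", "employee")]
DEVICE_TYPES = [("Dev-Laptops", "laptop"), ("Dev-Phones", "phone")]

# (role, device type) -> VLAN ID, mirroring the thread's example: employee
# laptop -> VLAN01, employee phone -> VLAN02, IT staff -> VLAN03 on either.
VLAN_POLICY = {
    ("employee", "laptop"): 1,
    ("employee", "phone"): 2,
    ("it", "laptop"): 3,
    ("it", "phone"): 3,
}

_SEPARATORS = re.compile(r"[:\-. ]")


def normalise_mac(calling_station_id: str) -> Optional[str]:
    """Accept AA:BB:CC:11:22:33, AA-BB-CC-11-22-33, aabb.cc11.2233 or
    AABBCC112233 and return the 12-hex-digit upper-case form, or None when
    the value is not a MAC (some NAS devices send an IP or nothing here)."""
    stripped = _SEPARATORS.sub("", calling_station_id.strip())
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", stripped):
        return None
    return stripped.upper()


def lookup_groups(account: str) -> Optional[Set[str]]:
    """Constructed directory lookup; None means the account does not exist."""
    return DIRECTORY.get(account)


def _first_match(mapping, groups: Set[str]) -> Optional[str]:
    """Return the label of the first (group, label) pair present in groups."""
    for group, label in mapping:
        if group in groups:
            return label
    return None


def decide_vlan(user_name: str, calling_station_id: str) -> Optional[int]:
    """Return the VLAN ID for this (user, device) pair, or None to reject."""
    mac = normalise_mac(calling_station_id)
    if mac is None:
        return None
    user_groups = lookup_groups(user_name.lower())
    device_groups = lookup_groups(mac)
    if user_groups is None or device_groups is None:
        return None  # unknown user or unregistered device: reject
    role = _first_match(USER_ROLES, user_groups)
    dtype = _first_match(DEVICE_TYPES, device_groups)
    if role is None or dtype is None:
        return None  # no policy for this combination: reject
    return VLAN_POLICY.get((role, dtype))


def radius_reply(vlan: Optional[int]) -> List[str]:
    """RFC 3580 tunnel attributes that tell the switch which VLAN to use."""
    if vlan is None:
        return []
    return [
        "Tunnel-Type=VLAN",
        "Tunnel-Medium-Type=IEEE-802",
        f"Tunnel-Private-Group-ID={vlan}",
    ]


def main(argv: List[str]) -> int:
    if len(argv) != 3:
        print("usage: vlan_helper.py <User-Name> <Calling-Station-Id>", file=sys.stderr)
        return 2
    lines = radius_reply(decide_vlan(argv[1], argv[2]))
    for line in lines:
        print(line)
    return 0 if lines else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Two points worth keeping when adapting this: a device whose MAC has no account in AD is rejected rather than dropped into a default VLAN, so an unregistered device cannot get network access by borrowing a valid login, and the borrowed-phone case from the thread falls out of the policy table naturally (`bob` on `alice`'s phone gets VLAN03). The MAC-as-logon-name trick only identifies the device as strongly as the NAS's Calling-Station-Id does, which is to say not at all against a spoofed MAC; the user-password leg is what carries the authentication.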
Powered by Jitbit Forum 8.3.8.0 © 2006-2013 Jitbit Software