
So we have EAP-PEAP over MSCHAP working. What I'd like to do is have a MAC Address check, for the purpose of making sure people aren't putting their credentials into random devices. I know SCEP would be the better option here, but this is where we're at right now.

So I noticed that the MAC address is passed to FreeRADIUS under Calling-Station-Id:

(9) Received Access-Request Id 39 from 10.127.87.10:54900 to 10.128.0.13:11812 length 275
(9)   User-Name = "jonathan.fisher"
(9)   NAS-Identifier = "xxttzzbbeezz"
(9)   Called-Station-Id = "XX-YY-ZZ-BB-AA-RR:xxx-eap-wifi"
(9)   NAS-Port-Type = Wireless-802.11
(9)   Service-Type = Framed-User
(9)   Calling-Station-Id = "GG-HH-AA-22-77-PP"
(9)   Connect-Info = "CONNECT 0Mbps 802.11a"
(9)   Acct-Session-Id = "123456asdfaasdf"
(9)   WLAN-Pairwise-Cipher = 1231234
(9)   WLAN-Group-Cipher = 1231234
(9)   WLAN-AKM-Suite = 1231234
(9)   WLAN-Group-Mgmt-Cipher = 1231234
(9)   Framed-MTU = 1400

Our current LDAP config:

ldap {
  server="ldaps://xxx.xxx.com"
  port=636
  tls {
    ca_file=/usr/local/share/ca-certificates/xxx-ca.crt
  }
  identity="cn=freeradius,ou=robots,dc=xxx,dc=xxx,dc=com"
  password="a well kept secret"
  base_dn="ou=people,dc=xxx,dc=xxx,dc=com"
  user {
    base_dn="${..base_dn}"
    filter="(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
    scope='sub'
  }
  group {
    base_dn="${..base_dn}"
    filter='(objectClass=inetOrgPerson)'
    membership_attribute='memberOf'
    scope='sub'
  }
}

I'm curious if there is a combination of attributes and LDAP filters anyone has used to allow certain people to only connect with certain MAC addresses. Thank you!

  • Security by MAC address is a fool's game. It is extremely simple to change the host MAC address. – Ron Maupin Jul 13 '21 at 16:55
  • Which is a great point; we're well aware of how easy it is to change MAC addresses. This is not a threat in our environment. The only thing we're trying to do is what I said above. – Jonathan S. Fisher Jul 13 '21 at 17:02
  • You would need to have a different filter that matched the user search with the uid and the MAC address info. So in your LDAP user info you would need to have an attribute with the desired info. You could abuse one of the existing attributes of the uids to put that info into it. It's an administrative burden and you do not really gain any additional security, but it could get done. – natxo asenjo Jul 16 '21 at 06:05
  • @natxoasenjo we actually ended up doing exactly that. And we're aware of the security implications as I mentioned, but thank you for the reminder. We have some other controls in place. – Jonathan S. Fisher Jul 19 '21 at 19:09
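The combined uid-plus-MAC lookup that natxo asenjo describes, as an added Python example (not code from the question, the thread, or FreeRADIUS): it parses the attribute dump format shown in the question, normalizes Calling-Station-Id (NAS vendors send dashes, colons, Cisco dotted groups and mixed case, so the directory value and the request value must be compared in one canonical form), and builds the RFC 4515-escaped search filter that the ldap module's user filter would otherwise expand from %{Calling-Station-Id}. It assumes the allowed MAC is stored in the macAddress attribute of the ieee802Device object class; the MAC in the sample request is constructed, and the redacted value from the question is used to show the rejection path.

```python
import re

# Constructed sample in the same format as the Access-Request dump in the question.
SAMPLE_REQUEST = """\
(9)   User-Name = "jonathan.fisher"
(9)   NAS-Port-Type = Wireless-802.11
(9)   Calling-Station-Id = "00-1A-2B-3C-4D-5E"
(9)   Framed-MTU = 1400
"""

# "(9)   Attribute = value" or "(9)   Attribute = "quoted value""
ATTR_RE = re.compile(r'^\(\d+\)\s+([\w-]+)\s*=\s*"?(.*?)"?\s*$')

def parse_request(dump):
    """Return the attribute/value pairs from a FreeRADIUS debug dump."""
    attrs = {}
    for line in dump.splitlines():
        m = ATTR_RE.match(line)
        if m:
            attrs[m.group(1)] = m.group(2)
    return attrs

def normalize_mac(value):
    """Canonical lower-case colon form, or None if the value is not a MAC.
    Accepts 00-1A-2B-3C-4D-5E, 00:1a:..., 001a.2b3c.4d5e and bare hex."""
    hexdigits = re.sub(r'[^0-9a-fA-F]', '', value)
    if len(hexdigits) != 12:
        return None
    return ':'.join(hexdigits[i:i + 2] for i in range(0, 12, 2)).lower()

def ldap_escape(s):
    """RFC 4515 escaping: a request value must never be able to change
    the structure of the filter it is substituted into."""
    return ''.join('\\%02x' % b if (b < 0x20 or b > 0x7e or chr(b) in '*()\\')
                   else chr(b) for b in s.encode('utf-8'))

def build_user_filter(attrs):
    """Filter for the ldap user {} section: the entry must carry both the
    uid of the authenticating user and the MAC the NAS reported."""
    user = attrs.get('Stripped-User-Name') or attrs.get('User-Name', '')
    mac = normalize_mac(attrs.get('Calling-Station-Id', ''))
    if mac is None:
        # No usable MAC: return None so the caller rejects instead of
        # silently falling back to a uid-only search.
        return None
    return '(&(uid=%s)(macAddress=%s))' % (ldap_escape(user), ldap_escape(mac))
```

Whatever form you choose for the macAddress values in the directory, make sure the same normalization is applied before they are written, since the LDAP comparison is on the string the filter carries.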
