
I am attempting to create an authentication system for my network via RADIUS. Eventually, I want all machines on the network to authenticate with RADIUS before gaining access to any other network resources, and I want to be able to log the activity of each machine.

For now, baby steps. I have a Linux server running Ubuntu which is connected to a TP-LINK unmanaged switch (could this be a problem for me later?). Connected to that switch I have the Ubuntu server with RADIUS successfully installed and radtest working on localhost, a Windows laptop running Vista, and a MacBook Pro.

The switch assigns each machine an IP like this: 169.254.108.110. At least between the MacBook Pro and the Ubuntu server, they can ping each other. Now, how would I authenticate with RADIUS on my Ubuntu server from my MacBook Pro?

MDMarra
Calvin Froedge
  • The switch does **not** assign that IP. – MDMarra Nov 15 '11 at 19:55
  • Where is that IP coming from? Is it self assigned? – Calvin Froedge Nov 15 '11 at 19:55
  • @CalvinFroedge ... yes – Zypher Nov 15 '11 at 19:56
  • Yes. `169.254.0.0/16` is reserved for DHCP autoconfig. And you can't do RADIUS at the switch-port if the switch doesn't do 802.1x. – MDMarra Nov 15 '11 at 19:56
  • You're looking for 802.1x (aka NAP). Look it up, read up, most OSes support it one way or another. You might want switches that directly support it, depends on your requirements. – Chris S Nov 15 '11 at 19:56
  • @CalvinFroedge Re: that IP range, Google: APIPA. See also http://en.wikipedia.org/wiki/APIPA & RFC 3927 @ http://tools.ietf.org/html/rfc3927 – voretaq7 Nov 15 '11 at 19:57
  • Yes. Switches, that is real actual switches that are worthy of the name, don't normally assign IP addresses to clients; from their point of view that's someone else's job. – Rob Moir Nov 15 '11 at 19:57
  • Ah, ok, thanks. Those IPs are still good for having devices on the network communicate with each other, even though they are self assigned, right? Sorry, I'm new to this and just trying to get my bearings. – Calvin Froedge Nov 15 '11 at 19:59
  • @Shads0 This is not a home network. If you don't want to help, don't bother. – Calvin Froedge Nov 15 '11 at 19:59
  • This switch supports 802.3x, will that not work for 802.1x? – Calvin Froedge Nov 15 '11 at 20:01
  • @CalvinFroedge Not even close. You're asking some incredibly rudimentary questions. I suggest that you read some documentation regarding RADIUS, 802.1x, and basic networking standards in general. – MDMarra Nov 15 '11 at 20:02
  • Thanks for the help, guys. This is day 2 of this project. – Calvin Froedge Nov 15 '11 at 20:04
  • I know this may be hard to swallow but I think you might need outside help. As another 22 year old I would love to be in your position but I can realise where I'm out of my depth. I also realise that some of the comments may come across slightly harsh, but these guys have been doing this for a long time and they do know what they are talking about (well, I would hope so. You don't get to 50k without making a few-wait.) Even a consultant would be a help with what you need. Good luck. – tombull89 Nov 15 '11 at 20:12
  • Yea, I already tweeted to @MarkM asking for an hour of his time on the phone in exchange for money. Nobody else is going to come set this up for me and I need the experience. I just need some help on some of the starting points. – Calvin Froedge Nov 15 '11 at 20:13

1 Answer

You're Doing It Wrong.

You should get a proper switch that supports 802.1X authentication and configure that. It does exactly what you're asking for.

Now, as for "log the activity of each machine", you need to actually define that. Do you:

  • want to record each Ethernet packet that traverses the wire?
  • want to keep track of which CIFS files are opened?
  • want to record each website that is accessed?
  • want to record each TCP connection that's made?
MikeyB
  • Which CIFS files are opened, which websites are opened, which TCP connections are made. – Calvin Froedge Nov 15 '11 at 20:05
  • @CalvinFroedge How many machines do you want to monitor every TCP connection on? You're going to need some serious storage if it's any more than a few. – MDMarra Nov 15 '11 at 20:09
  • And a bloody switch is *never* going to keep track of CIFS filenames or which websites are opened. The first is better done by the server, with auditing. The second is better done at or near the gateway, by a proxy or passive snooping device. And recording each TCP connection is a deeply silly thing. Can you explain why you'd need that? – mfinni Nov 15 '11 at 20:13
  • @MarkM I just tweeted to you. I'd love to pay you for an hour of your time on the phone to help me get up to speed just a bit. – Calvin Froedge Nov 15 '11 at 20:15
  • @mfinni I don't expect the switch to keep track of any of this, I expect the server to do these sorts of things. Someone told me I couldn't connect via RADIUS with an 802.3x switch. If you will notice, my original question was simply *How do I authenticate to my server via radius from my macbook, with the switch sitting in between.*. For TCP connections, only connections made to / from outside the network. – Calvin Froedge Nov 15 '11 at 20:18
  • The RADIUS server won't do any of these tracking things for you at all. Once RADIUS authenticates your access and allows an 802.1x-compliant switch to connect you to the production network, the RADIUS server is out of the loop. It will log the fact that a user authenticated. – mfinni Nov 15 '11 at 20:24
  • @mfinni Ok, thank you for the clarification. I bought the switch (on advice from someone who I paid to come check things out, but as I'm now realizing essentially knew nothing but how to connect all the hardware - which I did myself anyway) before I knew what I was going to do with it. – Calvin Froedge Nov 15 '11 at 20:30
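To make concrete what "radtest working on localhost" actually exercises, and what an 802.1X-capable switch would later do on the asker's behalf as the NAS, here is an added example (written for this page, not code from the question, the answer or FreeRADIUS) that implements the plain PAP Access-Request / Access-Accept exchange from RFC 2865 in pure Python, with both the client side and the server side in one process. The shared secret `testing123`, the user `alice` with password `hunter2`, the NAS address and the user database are constructed sample values; in a real deployment the secret and the switch's address live in FreeRADIUS's clients.conf and the credentials in its users file (or a backend behind it). Note that 802.1X does not use this PAP form: it carries EAP inside RADIUS (EAP-Message plus Message-Authenticator attributes), so this shows the simple exchange radtest sends by default, not a full EAP conversation.

```python
import hashlib
import hmac
import os
import socket
import struct

# RADIUS packet codes and attribute types from RFC 2865.
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, NAS_PORT = 1, 2, 4, 5
HEADER = struct.Struct("!BBH")  # Code, Identifier, Length; the 16-byte Authenticator follows


def _xor_chain(data, secret, authenticator, hiding):
    """RFC 2865 section 5.2: each 16-byte block is XORed with MD5(secret + previous hidden
    block); the first block is keyed with the Request Authenticator. Used in both directions."""
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        result = bytes(x ^ y for x, y in zip(block, hashlib.md5(secret + prev).digest()))
        out += result
        prev = result if hiding else block  # the chain always continues from the *hidden* block
    return out


def hide_password(password, secret, authenticator):
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    return _xor_chain(padded, secret, authenticator, hiding=True)


def unhide_password(hidden, secret, authenticator):
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden User-Password must be a non-empty multiple of 16 bytes")
    return _xor_chain(hidden, secret, authenticator, hiding=False).rstrip(b"\x00")


def encode_attr(attr_type, value):
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def parse_attrs(data):
    """Walk the TLV attribute list into {type: [value, ...]}, rejecting bad lengths."""
    attrs, pos = {}, 0
    while pos < len(data):
        if pos + 2 > len(data) or data[pos + 1] < 2 or pos + data[pos + 1] > len(data):
            raise ValueError("malformed attribute")
        attr_type, length = data[pos], data[pos + 1]
        attrs.setdefault(attr_type, []).append(data[pos + 2:pos + length])
        pos += length
    return attrs


def build_access_request(ident, secret, username, password, nas_ip="127.0.0.1", nas_port=0,
                         authenticator=None):
    """NAS/client side: the packet radtest sends for a PAP login (sample NAS address assumed)."""
    authenticator = authenticator or os.urandom(16)  # must be unpredictable: it keys the hiding
    attrs = (encode_attr(USER_NAME, username)
             + encode_attr(USER_PASSWORD, hide_password(password, secret, authenticator))
             + encode_attr(NAS_IP_ADDRESS, socket.inet_aton(nas_ip))
             + encode_attr(NAS_PORT, struct.pack("!I", nas_port)))
    return HEADER.pack(ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs


def response_authenticator(code, ident, attrs, request_auth, secret):
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    return hashlib.md5(HEADER.pack(code, ident, 20 + len(attrs)) + request_auth + attrs + secret).digest()


def server_handle(request, secret, user_db):
    """Server side: recover the PAP password, check it, answer Access-Accept or Access-Reject."""
    code, ident, length = HEADER.unpack_from(request)
    if code != ACCESS_REQUEST or length != len(request) or length < 20:
        raise ValueError("not a well-formed Access-Request")
    request_auth = request[4:20]
    attrs = parse_attrs(request[20:])
    username = attrs.get(USER_NAME, [b""])[0]
    hidden = attrs.get(USER_PASSWORD, [b""])[0]
    accepted = False
    if username in user_db and hidden:
        try:
            accepted = hmac.compare_digest(unhide_password(hidden, secret, request_auth), user_db[username])
        except ValueError:
            accepted = False
    reply = ACCESS_ACCEPT if accepted else ACCESS_REJECT
    return HEADER.pack(reply, ident, 20) + response_authenticator(reply, ident, b"", request_auth, secret)


def verify_response(response, request, secret):
    """Client side: trust a reply only if its Identifier matches our request and its Response
    Authenticator was computed with the shared secret; anything else is a forgery or a stray packet."""
    if len(response) < 20 or len(request) < 20:
        return False
    code, ident, length = HEADER.unpack_from(response)
    if length != len(response) or ident != request[1]:
        return False
    expected = response_authenticator(code, ident, response[20:], request[4:20], secret)
    return hmac.compare_digest(expected, response[4:20])


def authenticate(secret, username, password, user_db, ident=1):
    """Run the whole exchange in-process; returns (accepted, reply_is_authentic)."""
    request = build_access_request(ident, secret, username, password)
    response = server_handle(request, secret, user_db)
    return response[0] == ACCESS_ACCEPT, verify_response(response, request, secret)


if __name__ == "__main__":
    users = {b"alice": b"hunter2"}  # constructed sample; FreeRADIUS reads this from its users file
    print(authenticate(b"testing123", b"alice", b"hunter2", users))  # (True, True)
    print(authenticate(b"testing123", b"alice", b"wrong", users))    # (False, True)
```

The equivalent real-world check against the asker's server is `radtest alice hunter2 127.0.0.1 0 testing123` (user, password, server, NAS port, secret). Two things the code makes visible that matter once a switch is in the picture: the only protection for the password on the wire is an MD5 keystream derived from the shared secret and a per-request random authenticator, and the only thing proving an Access-Accept came from the real server is the Response Authenticator, also keyed by that secret. So the secret must be long and random, each NAS should get its own, and the RADIUS traffic between switch and server should stay on a management segment the clients cannot reach. The server here also compares with `hmac.compare_digest` and refuses to parse attributes with bad lengths, which is the minimum a listener on UDP port 1812 should do.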