Saturday, March 27, 2010

Misc 12

(This uses the topology from Misc 3)
Picking up where we left off with FreeRADIUS. Now we want to perform authorization of users: kick them into a failed or guest VLAN if they are not properly authenticated, and send them into an authenticated VLAN if they provide correct credentials.

There are a few things we need to do:
1) Configure the users file to send users the proper reply attributes
2) Configure EAP to use the tunneled reply (otherwise the VLAN attributes never reach the switch)
3) Configure the switch to honour those settings

I have three VLANs. VLAN 1 is where all the servers reside (which is not a good idea). VLAN 2 is where failed users get kicked to, and VLAN 3 is where authenticated users live.

First, we do a quick nano of the users file found in /etc/freeradius/:
nano users

Scroll down to the user and modify him/her as follows:
kelvin	Cleartext-Password := "kelvin"
	Service-Type = Framed-User,
	Tunnel-Type = VLAN,
	Tunnel-Medium-Type = IEEE-802,
	Tunnel-Private-Group-ID = "3"

Tunnel-Private-Group-ID is the VLAN the user is placed into when properly authenticated. Notice that I enclosed the group ID in quotes. FreeRADIUS would understand it either way, but I put them there to be sure: certain RADIUS servers require the group ID to be a string or it will not work properly.

Now, it's time to turn on tunneled reply. Do a quick nano of the eap.conf file:
nano eap.conf

Use F6 to search for the line that contains "_reply". Note that there are two. The one you need to modify is the one in the PEAP section, not the TLS one. When you find it, change it to:
use_tunneled_reply = yes

After saving, restart FreeRADIUS and it should be working quite well!
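Before restarting, it is worth checking that the users file and eap.conf actually say what you think they say, since a mis-spelled attribute value or the tunneled-reply flag set in the wrong section quietly leaves every user without a VLAN. The checker below is an added example written for this post, not FreeRADIUS code: it parses the simple "name check-items / indented reply-items" layout used above, verifies that each VLAN entry carries Tunnel-Type = VLAN, Tunnel-Medium-Type = IEEE-802 and a quoted Tunnel-Private-Group-ID, and confirms that use_tunneled_reply = yes sits inside the peap { } block rather than another one. The users file and eap.conf fragments embedded in it are constructed samples (the bob entry deliberately carries the IEE-802 misspelling and an unquoted group ID so the checker has something to catch), and the parser assumes one reply item per indented line, as in the entry shown in the post.

```python
"""Audit FreeRADIUS dynamic-VLAN settings (added example, not from the post)."""
import re

# Reply attributes a VLAN assignment must carry, with the values the switch expects.
REQUIRED_VLAN_REPLY = {
    "Tunnel-Type": "VLAN",
    "Tunnel-Medium-Type": "IEEE-802",
}

# Constructed sample users file, modelled on the kelvin entry in the post.
SAMPLE_USERS = '''\
# constructed sample
kelvin\tCleartext-Password := "kelvin"
\tService-Type = Framed-User,
\tTunnel-Type = VLAN,
\tTunnel-Medium-Type = IEEE-802,
\tTunnel-Private-Group-ID = "3"

bob\tCleartext-Password := "bob"
\tTunnel-Type = VLAN,
\tTunnel-Medium-Type = IEE-802,
\tTunnel-Private-Group-ID = 3

guest\tCleartext-Password := "guest"
\tService-Type = Framed-User
'''

# Constructed sample eap.conf: the flag is "no" in ttls and "yes" in peap.
SAMPLE_EAP_CONF = '''\
eap {
\tdefault_eap_type = peap
\ttls {
\t\tprivate_key_file = ${certdir}/server.key
\t}
\tttls {
\t\tuse_tunneled_reply = no
\t}
\tpeap {
\t\tdefault_eap_type = mschapv2
\t\tuse_tunneled_reply = yes
\t}
}
'''

ITEM_RE = re.compile(r"\s*([\w-]+)\s*(:=|\+=|==|!=|=)\s*(.*)")


def parse_users_file(text):
    """Return {username: {reply attribute: value}}.

    An entry starts on an unindented line (username plus check items); its reply
    items follow on indented lines, one per line; a blank line ends the entry.
    """
    entries, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()   # drop comments
        if not line.strip():
            current = None                      # blank line terminates the entry
            continue
        if not line[0].isspace():
            current = entries.setdefault(line.split()[0], {})
            continue
        if current is None:
            continue
        m = ITEM_RE.match(line.strip().rstrip(","))
        if m:
            current[m.group(1)] = m.group(3).strip()
    return entries


def audit_vlan_entry(reply):
    """Return a list of problems with one user's VLAN reply items (empty = fine)."""
    if "Tunnel-Private-Group-ID" not in reply:
        return ["no Tunnel-Private-Group-ID: user gets no VLAN assignment"]
    problems = []
    for attr, expected in REQUIRED_VLAN_REPLY.items():
        got = reply.get(attr)
        if got is None:
            problems.append(f"missing {attr}")
        elif got != expected:
            problems.append(f"{attr} is {got!r}, expected {expected!r}")
    gid = reply["Tunnel-Private-Group-ID"]
    if not (len(gid) >= 2 and gid[0] == gid[-1] == '"'):
        problems.append("Tunnel-Private-Group-ID should be quoted as a string")
    return problems


def peap_tunneled_reply_enabled(eap_conf):
    """True only if use_tunneled_reply = yes appears inside the peap { } block."""
    in_peap, depth = False, 0
    for raw in eap_conf.splitlines():
        s = raw.split("#", 1)[0].strip()
        if not in_peap:
            if re.match(r"peap\s*\{", s):
                in_peap, depth = True, 1
            continue
        depth += s.count("{") - s.count("}")
        if depth <= 0:
            return False                        # left the peap block without seeing it
        m = re.match(r"use_tunneled_reply\s*=\s*(\w+)", s)
        if m:
            return m.group(1).lower() == "yes"
    return False


if __name__ == "__main__":
    for user, reply in parse_users_file(SAMPLE_USERS).items():
        print(user, audit_vlan_entry(reply) or "ok")
    print("peap use_tunneled_reply:", peap_tunneled_reply_enabled(SAMPLE_EAP_CONF))
```

Run it as-is to see the constructed samples audited; to check a real box, read /etc/freeradius/users and eap.conf into the two functions instead of the sample strings. The guest entry is reported as having no VLAN assignment, which is exactly what you want to see for an account that should land in the failed VLAN by the switch's own default rather than by a RADIUS reply.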
