
List:       freeradius-users
Subject:    RE: Domain Group Authentication
From:       Brian Julin <BJulin () clarku ! edu>
Date:       2011-12-28 3:31:04
Message-ID: 5A630F46702DD1498FFD48394B4A664CB3F1BC293F () john ! ad ! clarku ! edu


Automate an export of the list of WiFi MAC addresses of your managed computers from the DC.  Then in post-auth, query that list (we use an SQL database) and use the result to alter the tunnel-group-ID sent back in the outer reply.  Users can spoof their MAC addresses, of course, but as long as you are doing this mainly to contain contagion rather than high security, it is satisfactory.

The other option in a managed environment is of course to use TLS for the managed computers and install certs.  You could even embed the MAC address into the cert and check that that matches the Calling-Station-ID.  Still spoofable, of course, but barring a hardware crypto solution, everything is to a pro.

________________________________________
From: freeradius-users-bounces+bjulin=clarku.edu@lists.freeradius.org [freeradius-users-bounces+bjulin=clarku.edu@lists.freeradius.org] On Behalf Of McSparin, Joe [jmcsparin@hillcountrymemorial.org]
Sent: Tuesday, December 27, 2011 5:51 PM
To: FreeRadius users mailing list
Subject: Domain Group Authentication

I currently have FreeRadius set up to authenticate against Active Directory and it works great.  I was wondering though, for everyone out there using it, if you had any recommendations for this scenario:

I have users that will connect wirelessly using their NT domain username and password on the hospital's wireless devices.  I also however have doctors that will bring in their own laptops and connect.  When they connect with their laptops though I do not want them to have the same privileges as when they connect on the hospital wireless devices.  If they are connecting with their laptops, even though they use their NT domain user name and password, I want to restrict them to a public VLAN.


Joseph R. McSparin
Network Administrator
Hill Country Memorial Hospital
830 990 6638 phone
830 990 6623 fax
jmcsparin@hillcountrymemorial.org

________________________________
This email message and any attachments are for the sole use of the intended recipient(s) and contain confidential and/or privileged information. Any unauthorized review, use, disclosure or distribution is prohibited. If you are not the intended recipient, please contact the sender by reply email and destroy all copies of the original message and any attachments.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
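Added example (not part of the thread, and not Brian's or FreeRADIUS's own configuration): a Python model of the post-auth lookup described in the reply above. In a real deployment the lookup lives in the FreeRADIUS post-auth section and is done by rlm_sql against the table populated from the DC export; this stand-alone script uses an in-memory sqlite3 table with constructed sample rows to show the two parts that bite in practice: normalising the Calling-Station-Id, which different NAS vendors send as 00-11-22-33-44-55, 0011.2233.4455, 001122334455 or 00:11:22:33:44:55 in either case, and falling through to the public VLAN whenever the MAC is missing, malformed or not on the managed list. It also covers the second option in the reply, comparing a MAC embedded in the client certificate subject with the Calling-Station-Id. The VLAN ids, the table name and the certificate CN layout are assumptions for illustration.

```python
import re
import sqlite3

# Constructed sample data: WiFi MACs exported from the DC for hospital-owned
# (managed) machines and the VLAN they should land on. Assumed values.
MANAGED_MACS = [
    ("00:11:22:33:44:55", "10"),
    ("AA-BB-CC-DD-EE-FF", "10"),   # export may use its own separator/case
]
PUBLIC_VLAN = "99"  # assumed VLAN id for personal (unmanaged) laptops

_SEPARATORS = re.compile(r"[-:.]")
_HEX12 = re.compile(r"[0-9a-f]{12}")


def normalize_mac(value):
    """Canonicalise a MAC to lower-case aa:bb:cc:dd:ee:ff.

    Only the usual separators are stripped, so arbitrary strings that merely
    contain hex digits do not turn into a MAC. Returns None when the value
    is not a 48-bit address, which the caller treats as 'unknown device'.
    """
    digits = _SEPARATORS.sub("", (value or "").strip()).lower()
    if not _HEX12.fullmatch(digits):
        return None
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def build_db():
    """Load the DC export into a table, normalising every MAC on the way in
    so that the later equality lookup cannot miss on formatting."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE managed_macs (mac TEXT PRIMARY KEY, vlan TEXT NOT NULL)"
    )
    for raw_mac, vlan in MANAGED_MACS:
        mac = normalize_mac(raw_mac)
        if mac is not None:
            conn.execute("INSERT INTO managed_macs VALUES (?, ?)", (mac, vlan))
    conn.commit()
    return conn


def post_auth_vlan(conn, calling_station_id):
    """Model of the post-auth step: decide the tunnel attributes for the
    outer reply from the caller's MAC. Anything not positively matched
    gets the public VLAN (fail closed)."""
    mac = normalize_mac(calling_station_id)
    vlan = PUBLIC_VLAN
    if mac is not None:
        row = conn.execute(
            "SELECT vlan FROM managed_macs WHERE mac = ?", (mac,)
        ).fetchone()
        if row is not None:
            vlan = row[0]
    return {
        "Tunnel-Type": "VLAN",
        "Tunnel-Medium-Type": "IEEE-802",
        "Tunnel-Private-Group-Id": vlan,
    }


def cert_mac_matches(cert_subject_cn, calling_station_id):
    """Second option from the reply: a MAC embedded in the client cert
    (assumed here to be the subject CN) must equal the Calling-Station-Id
    reported by the NAS. Both sides are normalised before comparing."""
    expected = normalize_mac(cert_subject_cn)
    seen = normalize_mac(calling_station_id)
    return expected is not None and expected == seen


if __name__ == "__main__":
    db = build_db()
    for csid in ("00-11-22-33-44-55", "aabb.ccdd.eeff", "12-34-56-78-9A-BC", ""):
        print(repr(csid), "->", post_auth_vlan(db, csid)["Tunnel-Private-Group-Id"])
```

As the reply says, this is containment rather than strong authentication: Calling-Station-Id is whatever MAC the supplicant chose to use, and a certificate with a MAC in it only binds the cert to an address the client also controls. Keeping the 'unknown' path on the public VLAN at least means an export that misses a machine, or a NAS that formats the address unexpectedly, degrades to the restrictive outcome rather than the permissive one.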

