Wireless EAP / Freeradius, is there a way to check Mac Address in LDAP?

So we have EAP-PEAP over MSCHAP working. What I'd like to do is have a MAC address check, for the purpose of making sure people aren't putting their credentials into random devices. I know SCEP would be the better option here, but this is where we're at right now.

So I noticed that the MAC address is passed to FreeRADIUS under Calling-Station-Id:

(9) Received Access-Request Id 39 from 10.127.87.10:54900 to 10.128.0.13:11812 length 275
(9)   User-Name = "jonathan.fisher"
(9)   NAS-Identifier = "xxttzzbbeezz"
(9)   Called-Station-Id = "XX-YY-ZZ-BB-AA-RR:xxx-eap-wifi"
(9)   NAS-Port-Type = Wireless-802.11
(9)   Service-Type = Framed-User
(9)   Calling-Station-Id = "GG-HH-AA-22-77-PP"
(9)   Connect-Info = "CONNECT 0Mbps 802.11a"
(9)   Acct-Session-Id = "123456asdfaasdf"
(9)   WLAN-Pairwise-Cipher = 1231234
(9)   WLAN-Group-Cipher = 1231234
(9)   WLAN-AKM-Suite = 1231234
(9)   WLAN-Group-Mgmt-Cipher = 1231234
(9)   Framed-MTU = 1400

Our current LDAP config:

ldap {
  server="ldaps://xxx.xxx.com"
  port=636
  tls {
    ca_file=/usr/local/share/ca-certificates/xxx-ca.crt
  }
  identity="cn=freeradius,ou=robots,dc=xxx,dc=xxx,dc=com"
  password="a well kept secret"
  base_dn="ou=people,dc=xxx,dc=xxx,dc=com"
  user {
    base_dn="${..base_dn}"
    filter="(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
    scope='sub'
  }
  group {
    base_dn="${..base_dn}"
    filter='(objectClass=inetOrgPerson)'
    membership_attribute='memberOf'
    scope='sub'
  }
}

I'm curious if there is a combination of attributes and LDAP filters anyone has used to allow certain people to only connect with certain MAC addresses. Thank you!

Ron Maupin:
Security by MAC address is a fool's game. It is extremely simple to change the host MAC address.
Jonathan S. Fisher:
Which is a great point; we're well aware of how easy it is to change MAC addresses. This is not a threat in our environment. The only thing we're trying to do is what I said above.
natxoasenjo:
You would need to have a different filter that matched the user search with the uid and the MAC address info. So in your LDAP user info you would need to have an attribute with the desired info. You could abuse one of the existing attributes of the uids to put that info into it. It's an administrative burden and you do not really gain any additional security, but it could get done.
Jonathan S. Fisher:
@natxoasenjo we actually ended up doing exactly that. And we're aware of the security implications as I mentioned, but thank you for the reminder. We have some other controls in place.
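One concrete way to wire up what natxoasenjo describes and the question asks for, as an added example that is not from the original post or from the FreeRADIUS project. It assumes FreeRADIUS 3.x; that the rlm_ldap user lookup runs in the inner-tunnel virtual server (where the PEAP/MSCHAPv2 inner authentication happens); that each person entry carries the radiusprofile auxiliary objectClass from the freeradius.schema shipped with FreeRADIUS, with one radiusCallingStationId value per permitted device stored as lowercase, hyphen-separated hex; and that hostnames, DNs and MAC addresses are placeholders. Instead of abusing an unrelated attribute, it uses the schema attribute that already exists for exactly this purpose, and it normalises the MAC before the lookup so that case and separator differences between what the access point sends and what is stored cannot turn into silent rejects.

```unlang
# --- Directory side (LDIF, shown here as a comment) --------------------------
# Each person entry gets the radiusprofile auxiliary class from the schema
# shipped with FreeRADIUS and one radiusCallingStationId value per permitted
# device.  DNs and MACs below are placeholders (assumption for this example).
#
#   dn: uid=jonathan.fisher,ou=people,dc=xxx,dc=xxx,dc=com
#   changetype: modify
#   add: objectClass
#   objectClass: radiusprofile
#   -
#   add: radiusCallingStationId
#   radiusCallingStationId: aa-bb-cc-dd-ee-ff
#   radiusCallingStationId: 11-22-33-44-55-66

# --- mods-enabled/ldap: the user search now matches uid AND device -----------
ldap {
    server = "ldaps://xxx.xxx.com"
    port = 636
    tls {
        ca_file = /usr/local/share/ca-certificates/xxx-ca.crt
    }
    identity = "cn=freeradius,ou=robots,dc=xxx,dc=xxx,dc=com"
    password = "a well kept secret"
    base_dn = "ou=people,dc=xxx,dc=xxx,dc=com"

    user {
        base_dn = "${..base_dn}"
        # An entry is found only when BOTH the username and the normalised
        # Calling-Station-Id match.  With several radiusCallingStationId
        # values on one entry, LDAP matches any of them, so one person can
        # own several devices.  rlm_ldap escapes values it expands into the
        # filter, so a hostile Calling-Station-Id cannot rewrite the filter.
        filter = "(&(uid=%{%{Stripped-User-Name}:-%{User-Name}})(radiusCallingStationId=%{Calling-Station-Id}))"
        scope = 'sub'
    }
    group {
        base_dn = "${..base_dn}"
        filter = '(objectClass=inetOrgPerson)'
        membership_attribute = 'memberOf'
        scope = 'sub'
    }
}

# --- sites-enabled/inner-tunnel, authorize section ---------------------------
authorize {
    # The MAC arrives in the OUTER (PEAP) request.  Copy it into the inner
    # request so the ldap filter above can see it.  Harmless if the eap
    # module is already configured to copy outer attributes into the tunnel.
    update request {
        &Calling-Station-Id := "%{outer.request:Calling-Station-Id}"
    }

    # Normalise whatever the NAS sent (AA-BB-CC-DD-EE-FF, aa:bb:cc:dd:ee:ff,
    # aabb.ccdd.eeff ...) to lowercase, hyphen separated: the exact form
    # stored in the directory.
    if (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i) {
        update request {
            &Calling-Station-Id := "%{tolower:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}"
        }
    }
    else {
        # No usable MAC: reject explicitly so the log says why, instead of
        # running a lookup that can never match.
        update reply {
            &Reply-Message := "No usable Calling-Station-Id"
        }
        reject
    }

    # ... the stock inner-tunnel modules (chap, mschap, suffix, eap) run
    # here, unchanged ...

    # Run ldap un-negated: 'notfound' now means "known user but not from a
    # registered device" (or unknown user) and is a hard, logged reject,
    # rather than mschap later failing only because no NT-Password was found.
    ldap
    if (notfound) {
        update reply {
            &Reply-Message := "Device not registered for this account"
        }
        reject
    }

    # ... remainder of the stock inner-tunnel authorize section ...
}
```

To exercise it end to end, eapol_test from wpa_supplicant can drive a real PEAP/MSCHAPv2 exchange and its -M option sets the Calling-Station-Id the server will see, so you can test one registered and one unregistered MAC for the same account without touching a client. Two caveats worth knowing before rollout: FreeRADIUS ships its own rewrite_calling_station_id policy in policy.d/canonicalization, and whichever normalisation you use must produce the same format you store in the directory; and recent iOS and Android releases use a randomised per-SSID "private" MAC by default, so users will have to register that address (or turn the feature off for this SSID), otherwise every such device is rejected. As Ron Maupin notes above, this stops credential sharing with arbitrary devices only against people who do not bother to change their MAC; it is an inventory control, not an authentication one.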