UAM - MAC Authentication



Description

The device is configured as a network router. A client associates to the wireless interface; on association the device uses the client's MAC address as both the RADIUS username and password and attempts to authenticate it against an external RADIUS server. If the MAC address is stored in the RADIUS database, the client is allowed to pass traffic; if it is not, the client cannot pass traffic. This is the same as the standard UAM - Hotspot setup, except that instead of presenting a web login form the device automatically submits the client's MAC address. Security caveat: a MAC address is chosen by the client and, on the open (unencrypted) SSID used in this sample, is visible to anyone in radio range, so an attacker can clone an authorised MAC and be admitted. MAC authentication identifies a device for convenience; it is not a substitute for per-user credentials or link-layer encryption.


Note: if the client's MAC is not in the database, the client is still allowed to associate and will obtain an IP address (if DHCP is present). However, it will not be able to communicate beyond the device (surf the web, etc.).


Configuration sample

############################################################
# Authentication: UAM - MAC Authentication
# Updated: 2008-12-26
############################################################
 
# Section: aaa
# AAA glue for the hotspot: the NAS profile bound to ath0 hands each
# client's MAC to the RADIUS server AUTH_SERVER (via DOMAIN_PROFILE),
# and the UAM profile defines how the MAC is formatted as credentials.
aaa.status=enabled
aaa.1.status=enabled
aaa.1.devname=ath0
aaa.1.name=UAM_ON_ath0
aaa.1.nas.1.status=enabled
aaa.1.nas.1.profile=NAS_UAM_PROFILE
aaa.1.wan.1.status=enabled
aaa.1.wan.1.devname=eth0

# RADIUS client. With PAP the "password" (here the client MAC) is sent
# to the server protected only by RADIUS' own shared-secret scheme, so
# the path between the device and 10.1.1.100 should be a trusted network.
aaa.auth.1.status=enabled
aaa.auth.1.authtype=PAP

# USE YOUR RADIUS SERVER IP ADDRESS
# RADIUS server should be accessible from device
aaa.auth.1.host=10.1.1.100
aaa.auth.1.name=AUTH_SERVER

# USE YOUR RADIUS SERVER SECRET
# "secret" is a placeholder. Use a long random value, set the same value
# on the RADIUS server, and protect this file: the secret is stored here
# in clear text.
aaa.auth.1.secret=secret
aaa.auth.1.stripdomain=disabled

# Domain profile: routes authentication requests to AUTH_SERVER.
aaa.domain.1.status=enabled
aaa.domain.1.name=DOMAIN_PROFILE
aaa.domain.1.auth.1.status=enabled
aaa.domain.1.auth.1.profile=AUTH_SERVER

# NAS (access controller) on ath0, UAM type, using LOCAL_PAGES_PROFILE.
aaa.nas.1.status=enabled
aaa.nas.1.acct.status=enabled
aaa.nas.1.auth.status=enabled
aaa.nas.1.auth.1.status=enabled
aaa.nas.1.auth.1.type=uam
aaa.nas.1.auth.1.profile=LOCAL_PAGES_PROFILE
aaa.nas.1.devname=ath0
aaa.nas.1.domain.1.status=enabled
aaa.nas.1.domain.1.profile=DOMAIN_PROFILE
aaa.nas.1.domain.default=1
# NOTE(review): wireless.1.max_clients=16 lets more stations associate
# than the NAS will serve here (12) - align the two if that is unintended.
aaa.nas.1.maxclients=12
aaa.nas.1.name=NAS_UAM_PROFILE
# No link-layer security between NAS and clients: every client MAC is
# visible in the clear to anyone in range, which is what makes
# MAC-cloning trivial (see the page description).
aaa.nas.1.security.type=none
# Verbose NAS logging; goes to the syslog file configured below.
aaa.nas.1.verbose=enabled

# UAM profile. The login form URL is left disabled because MAC
# authentication needs no user interaction (presumably; confirm the
# firmware does not require it for the fallback redirect).
aaa.uam.1.status=enabled
aaa.uam.1.name=LOCAL_PAGES_PROFILE
#aaa.uam.1.loginurl=https://%lanip/uam/login.cgi
# MAC authentication: the MAC is used as both username and password.
# Caveat: a MAC is a client-chosen device identifier, not a secret; any
# station can clone an authorised MAC. Treat this as a convenience
# control, not strong authentication.
aaa.uam.1.mac_auth.status=enabled
# choose MAC format in this case may look like (00:19:3b:00:1d:ef)
# %1..%6 are the six octets; the format must match exactly how the MACs
# are stored in the RADIUS database (separator and case).
aaa.uam.1.mac_auth.user_format=%1:%2:%3:%4:%5:%6
aaa.uam.1.mac_auth.passwd_format=%1:%2:%3:%4:%5:%6
aaa.uam.1.mac_auth.placeholder_case=lower
 
# Section: netconf
# Two interfaces: eth0 is the WAN uplink (static address in this sample)
# and ath0 is the wireless LAN that hotspot clients attach to.
netconf.status=enabled

# Device WAN interface settings
# In this case, used static IP
# 10.0.1.5/24 is an example address; replace it with your WAN address.
netconf.1.status=enabled
netconf.1.alias.status=disabled
netconf.1.devname=eth0
netconf.1.ip=10.0.1.5
netconf.1.mode=wan
netconf.1.netmask=255.255.255.0
netconf.1.promisc=disabled
netconf.1.type=ethernet
netconf.1.up=enabled

# Device WLAN interface settings
# 192.168.199.1/24 is the gateway, DNS and captive-portal address that
# the dhcpd and firewall sections refer to; change all of them together.
netconf.2.status=enabled
netconf.2.alias.status=disabled
netconf.2.devname=ath0
netconf.2.ip=192.168.199.1
netconf.2.mode=lan
netconf.2.netmask=255.255.255.0
netconf.2.promisc=disabled
netconf.2.type=wireless
netconf.2.up=enabled
 
# Section: dhcpd

# dhcp server for associating clients
# Leases 192.168.199.100-254 on ath0 and hands out the device itself
# (192.168.199.1) as gateway and DNS server. Every station that
# associates gets a lease, authenticated or not (see page description).
dhcpd.status=enabled
dhcpd.1.status=enabled
dhcpd.1.devname=ath0
dhcpd.1.dns.1.server=192.168.199.1
dhcpd.1.dns.1.status=enabled
dhcpd.1.end=192.168.199.254
dhcpd.1.gateway=192.168.199.1
dhcpd.1.netmask=255.255.255.0
dhcpd.1.start=192.168.199.100

# dnsmasq
# Local DNS forwarder on ath0 that answers the clients' DNS queries
# (presumably using the resolver from the resolv section - confirm).
dnsmasq.status=enabled
dnsmasq.1.status=enabled
dnsmasq.1.devname=ath0
 
# Section: radio
radio.status=enabled

# Radio is configured to work in B/G mode, channel 6
# Access point (Master) mode on ath0, fixed channel, auto rate up to 54M.
radio.1.status=enabled
radio.1.autochannel.status=disabled
radio.1.channel=6
radio.1.devname=ath0
radio.1.frag=off
radio.1.ieee_mode=G
radio.1.mode=Master
radio.1.rate.auto=enabled
radio.1.rate.max=54M
radio.1.rts=off
# Unit of txpower is firmware-defined (not shown here) - confirm before
# raising it; the country code constrains the legal maximum.
radio.1.txpower=5
radio.countrycode=US
 
 
# Section: wireless
wireless.status=enabled

# Wireless settings
# Open SSID: no WPA/WEP, so all client traffic and all client MACs are
# transmitted in the clear. This is what makes the MAC-based admission
# below cloneable by anyone in range.
wireless.1.security=none
wireless.1.ssid=UAM-Sample
wireless.1.ssid_broadcast=enabled
wireless.1.status=enabled
wireless.1.devname=ath0
# NOTE(review): with isolation disabled, stations on this SSID can reach
# each other through the AP, including clients that have not
# authenticated yet. For a hotspot, enabling l2_isolation is the usual
# hardening; left as in the original sample.
wireless.1.l2_isolation=disabled
# NOTE(review): 16 here vs aaa.nas.1.maxclients=12 - the extra
# associations can never be admitted by the NAS.
wireless.1.max_clients=16
 
 
# Section: route
# Default route (0.0.0.0/0) via the WAN gateway.
route.status=enabled
route.1.status=enabled
# USE YOUR GATEWAY IP ADDRESS
route.1.gateway=10.0.1.1
route.1.ip=0.0.0.0
route.1.netmask=0
 
 
# Section: httpd
# Web server: HTTPS (UAM pages) on 443, admin UI on 444. "external"
# disabled presumably keeps the web UI off the WAN side - confirm for
# your firmware. Note that firewall rule 5 decides which of these ports
# unauthenticated wireless clients can reach.
httpd.status=enabled
httpd.backlog=100
httpd.external.status=disabled
httpd.max.connections=50
# Presumably maximum request size in bytes.
httpd.max.request=51200
httpd.port.admin=444
httpd.port.https=443
 
 
# Section: resolv
# Upstream resolver used by the device itself (and presumably by dnsmasq
# when forwarding client queries).
resolv.status=enabled
resolv.nameserver.1.status=enabled
# USE YOUR DNS SERVER IP ADDRESS
resolv.nameserver.1.ip=10.0.1.1
 
 
# Section: sshd
# SSH management access on the default port. Nothing in the firewall
# section below restricts port 22, so reachability from the WAN depends
# on the firmware's default input policy (not shown here) - verify it.
# Unauthenticated wireless clients are caught by the TCP REDIRECT in
# firewall rule 6; authenticated clients can reach this port directly.
sshd.status=enabled
sshd.port=22
 
 
# Section: syslog
# Local log file at debug level (the AAA section also logs verbosely),
# owner-only permissions via umask 077, remote forwarding disabled.
syslog.status=enabled
syslog.file=/var/log/messages
# debug is appropriate while bringing the RADIUS integration up; lower
# it afterwards, since MAC-auth logs record every client identity.
syslog.file.msg.level=debug
syslog.file.umask=077
syslog.fwd.status=disabled
syslog.fwd.msg.level=info
syslog.rcms.alarm.status=disabled
syslog.rcms.alarm.level=info
syslog.rotate.status=enabled
# Presumably bytes (100 KiB).
syslog.rotate.at.size=102400
 
 
# Section: users
# Local admin account for the web UI (port 444) and SSH.
# WARNING: the password value below is the one published with this
# sample and is therefore public; it appears to be a crypt(3)-style
# hash, which is cheap to brute-force. Replace it with your own before
# the device is reachable by anyone - the admin UI is exposed to the
# open SSID by firewall rule 5.
users.status=enabled
users.1.status=enabled
users.1.name=admin
users.1.password=oHSl3yqR.t1uQ
 
 
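# Section: firewall
# nat/mangle rules for the hotspot. Rules without an explicit ".status"
# key are presumably enabled by default (only rule 9 sets it and the
# sample is expected to work) - confirm for your firmware. Nothing here
# filters traffic arriving on eth0 (WAN) for the device itself; the
# firmware's default input policy decides that.
firewall.status=enabled

# DNS
# Unauthenticated wireless clients may resolve names through the
# device's dnsmasq. This is needed for the captive-portal redirect to
# work, but it also lets a DNS-tunnelling client move data before it
# has authenticated; restrict upstream resolution if that matters.
firewall.rule.1.table=nat
firewall.rule.1.chain=PREROUTING
firewall.rule.1.protocol=TCP
firewall.rule.1.dport=53
firewall.rule.1.target=ACCEPT

firewall.rule.2.table=nat
firewall.rule.2.chain=PREROUTING
firewall.rule.2.protocol=UDP
firewall.rule.2.dport=53
firewall.rule.2.target=ACCEPT

# DHCP
# DHCP runs over UDP only; the TCP rule is inert but harmless.
firewall.rule.3.table=nat
firewall.rule.3.chain=PREROUTING
firewall.rule.3.protocol=TCP
firewall.rule.3.dport=67:68
firewall.rule.3.target=ACCEPT

firewall.rule.4.table=nat
firewall.rule.4.chain=PREROUTING
firewall.rule.4.protocol=UDP
firewall.rule.4.dport=67:68
firewall.rule.4.target=ACCEPT

# Allows for wireless clients to see login page
# Limited to the HTTPS port that serves the UAM pages
# (httpd.port.https=443). The original range 443:444 also exposed the
# admin UI (httpd.port.admin=444) to clients that had not authenticated
# yet - with the published admin password hash from the users section,
# that is an avoidable exposure. Authenticated clients still reach 444
# because rule 6 stops matching them; restore 443:444 only if your UAM
# pages are served on the admin port.
firewall.rule.5.table=nat
firewall.rule.5.chain=PREROUTING
firewall.rule.5.protocol=TCP
firewall.rule.5.in=ath0
firewall.rule.5.dport=443
#If static IP is used and no DHCP client enabled then uncomment this line
firewall.rule.5.dst=192.168.199.1
firewall.rule.5.target=ACCEPT

# Not authenticated clients will be redirected to the login page
# Every other TCP connection from a not-yet-authenticated client on
# ath0 is redirected to the local portal port 38080. Non-TCP traffic
# other than the DNS/DHCP accepted above is not covered by these rules;
# presumably the AAA module blocks it - verify with a UDP/ICMP test from
# an unauthenticated client.
firewall.rule.6.table=nat
firewall.rule.6.chain=PREROUTING
firewall.rule.6.protocol=TCP
firewall.rule.6.in=ath0
firewall.rule.6.auth=not-auth
firewall.rule.6.auth.in=ath0
firewall.rule.6.target=REDIRECT
firewall.rule.6.t.redirect.port=38080

# Accounting counters for traffic entering and leaving ath0.
firewall.rule.7.table=mangle
firewall.rule.7.chain=PREROUTING
firewall.rule.7.acct.in=ath0

firewall.rule.8.table=mangle
firewall.rule.8.chain=POSTROUTING
firewall.rule.8.acct.out=ath0

# Masquerade everything leaving through the WAN interface.
firewall.rule.9.status=enabled
firewall.rule.9.table=nat
firewall.rule.9.chain=POSTROUTING
firewall.rule.9.target=MASQUERADE
firewall.rule.9.out=eth0

#If static IP is used and no DHCP client enabled then comment these lines
# (Left commented here because the WAN interface uses a static address.)
#firewall.rule.10.table=nat
#firewall.rule.10.chain=POSTROUTING
#firewall.rule.10.protocol=TCP
#firewall.rule.10.out=ath0
#firewall.rule.10.dport=443:444
#firewall.rule.10.auth=not-auth
#firewall.rule.10.auth.out=ath0
#firewall.rule.10.target=DROP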