LINICKX.com

UniFi, OpenWRT, freeRADIUS: Mac Address Dynamic VLAN Assignment for WPA2-PSK

Nick Bettison — Sun, 07 May 2023 17:55:00 +0100

This is much simpler than I imagined...

Scenario

For my home Wi-Fi, I want a single SSID but I want to place devices (Such as IOT) into different VLANs, but since this is personal use I don't want the headache of certificates that comes with 802.1x / WPA-Enterprise, thus want to keep the simplicity of passwords (WPA2-PSK).

UniFi APs support Dynamic VLAN Assignment, but it wasn't obvious what needs to be done on the RADIUS side... well, it'd be simple for Cisco's ISE but I don't have that at home, so freeadius it is 😜

In this solution there's two key things:

MAC Authorization isn't a security feature; it's more of a convenience feature, Windows & Linux easily allow changing the MAC address of a network card
The config below has a default allow that is unknown Mac addresses are permitted

The idea is, I have one SSID for all my devices, new devices "just work" and they can be moved around afterwards. The security of the SSID hasn't changed the strength of the PSK is the key.

The example below assumes you have a working Wi-Fi, with working VLANs and a working firewall/router to connect them together, we start with installing freeradius onto OpenWRT.

Install Freeradius

On your OpenWRT box, install the default packages...

opkg update && opkg install freeradius3-default freeradius3-utils

Now, if you want to be fancy and install just the bare minimum you only need the below packages, this will exclude all the EAP stuff, but you'll have to hack about with the default site and config files to get the service to start properly... you've been warned!

freeradius3 freeradius3-common freeradius3-mod-always freeradius3-mod-attr-filter freeradius3-mod-chap freeradius3-mod-detail freeradius3-mod-exec freeradius3-mod-expiration freeradius3-mod-files freeradius3-mod-logintime freeradius3-mod-pap freeradius3-mod-preprocess freeradius3-utils

Edit Config files

The first step is to define your RADIUS Clients, the things that send authentication requests. The file you need to edit is /etc/freeradius3/clients.conf; the RADIUS packets come directly from the Access-Point so you can either add them one at a time, or add a subnet like this:

Place at the bottom of the file.

client vlan1 {
        ipaddr = 192.168.1.0/24
        secret = correcthorsebatterystaple
}

Now, add the WI-FI Clients to /etc/freeradius3/mods-config/files/authorize

Place at the top of the file.

de:ad:be:ef:00:01       Cleartext-Password := "de:ad:be:ef:00:01"
                        Tunnel-Type = VLAN,
                        Tunnel-Medium-Type = 6,                         
                        Tunnel-Private-Group-Id = 2

DEFAULT                 Auth-Type := Accept
                        Tunnel-Type = VLAN,
                        Tunnel-Medium-Type = 6,
                        Tunnel-Private-Group-Id = 1

Where de:ad:be:ef:00:01 is the MAC Address of the device, such as your phone or notebook and Tunnel-Private-Group-Id = 2 places the device into VLAN 2. This example places all unknown MAC addresses into VLAN 1

Testing & Logging

With the config files changed, I recommend you stop the radius service : /etc/init.d/radiusd stop and then start freeradius in debug mode: radiusd -X

In debug mode, you'll need to keep your SSH open but you'll see the authentication requests on the screen, if you've made any mistakes it's easier to spot this way.

After testing is complete, you can run /etc/init.d/radiusd start to run it as a background service.

While you are running radiusd -X no logs are produced, the output is to the screen; by default when you re-enable the service the logs will output to disk: /var/log/radius.log. If you want to see the logs in luci then, edit /etc/freeradius3/radiusd.conf change destination = files ➡️ destination = syslog you may also want to set auth = yes so that you see both failed & passed authentications.

UniFi update the SSID

Before changing the SSID, a RADIUS server needs to be defined under Settings > Profiles > RADIUS . The secret is the same secret which was defined above in clients.conf; the IP address is that of your OpenWRT box. Account is optional, enable if logging disconnect events is important to you.

Finally edit your SSID under Settings > Wireless Networks , scroll to the bottom and enable RADIUS MAC Auth, selecting the profile you just created.

If you have freeradius running in debug mode you'll see events when devices try to connect!

/End

Adding new devices is as simple as putting entries into the authorize file with your desired VLAN.

References:

https://openwrt.org/docs/guide-user/network/wifi/freeradius
https://neilzone.co.uk/2021/09/using-freeradius-to-assign-vlans-for-unifi-wi-fi
https://help.ui.com/hc/en-us/articles/360015268353-UniFi-Gateway-Configuring-RADIUS-Server

How to Import Vendor Specific Attributes into Cisco Secure ACS SE Applience

nick — Mon, 05 Nov 2007 16:35:00 +0000

I wanted to write a document on how to import RADIUS VSA's (vendor specific attributes) into cisco's ACS SE (Solution Engine) appliance, the reason being that I couldn't find any good examples on the net and cisco's documentation just wasn't clear enough.

My purpose was to use RADIUS authentication between a Nokia IPSO appliance such that users who access voyager or ssh get authenticated centrally; for RADIUS authentication to work your authentication server (in this case ACS) needs to supply the AAA client (in this can the ipso box) with a "return list attribute". By default ACS doesn't have the nokia attributes; to import attributes you need to get your hands on a dictionary file, for nokia ipso it's /etc/nokia.dictionary - I've a copy here.

In you dictionary file you need to pick out some key elements, firstly the IANA-assigned enterprise code for the vendor and secondly a list of attributes to add. Using my nokia example the vendor code is the top line:

VENDOR Nokia 94

Thus the code is 94 , and everything below that are attributes.

So... Getting started with ACS, firstly if you have AAA clients which you want to use the new attributes you are going to need to delete them, and to be save reboot ACS. Now the import is done via the RDBMS sync process, since you do not have OS level access to ACS you need to upload a file called "accountActions.csv" (case sensitive), uploading this file tells the internal database to perform some commands or actions, examples would be to bulk import some users or bulk group changes, in our case we're going to insert a new "Vendor" into the RADIUS database, and then insert some attributes.

I have created a file called createVendor_accountActions.csv if you renamed it to accountActions.csv and uploaded it to your ACS box via the RDBMS Sync tool (under system configuration) it'd perform the following actions:

- Command -1
- Priority - 8
- Action - 350 (Create new Vendor)
- Vendor Name - Nokia
- ACS Vendor Number - Auto Assigned
- Vendor ID - 94
- Date of DB Transaction - 25/09/2007 13:00
- Command - 2
- Priotity - 0
- Action - 355 (Restart ACS Services)
- Date of DB Transaction - 25/09/2007 13:00

The command numbers are just like primary key fields in a database or row numbers in a spreadsheet, they need to be unique and incremental for each csv file, and the priority specify and order to apply the commands, you I guess you could set the priorities all to 0 and rely on the command number to process the file in order, but I set a priority just in case. After you apply the file ACS will be temporarily unavailable as the services restart.

Now, we look at one line of importAttributes_accountActions.csv, again it would need to be renamed to accountActions.csv, before uploaded, and lets take a look at one line.

Command -1
Priority - 7
Action - 352 (Add VSA)
Attribute Name - Nokia-IMSI
The vendor to assign the attribute to - 94 (Nokia)
Attribute ID - 224
Attribue type - integer ( can only be integer, string or ipaddr)
Date of DB Transaction - 25/09/2007 13:00

Hopefully this all starts to make sense when looking at your dictionary file, again the final line of the file restarts the services. An important thing to not here is that if you create a new vendor you need to re-start the services before you can apply an attribute to it, and you need to restart the services again to use the attributes... at this point here it's probably worth mentioning that the version of ACS SE I'm using now (4.1) is a windows appliance, so if at any point your box hasn't done what you think a reboot won't hurt ;)

Now you can add your AAA client and in my example you could set the vendor to RADIUS (Nokia) , if you then go into interface configuration RADIUS (Nokia) will appear, go in there and tick all the boxes for "group", finally if you go into your group setup at the very bottom will be a list of attributes you've imported and can use ! :cool:

Just in can you need them here are my references:

RDBMS Sync Import Definitions

Importing an accountActions.csv file into ACS SE

Universe CD version of RDBM SSync import Defs