RADIUS with GROUP based Open Directory authentication

I am currently evaluating the use of Open Directory for 802.1x RADIUS authentication. As I will not be running Airport Express base stations (need MultiSSID) but will instead use SonicWall's SonicPointN, I would like to check during the authentication if the user belongs to a specific group. The group membership to be checked in the directory itself can be derived from the SSID transmitted as RADIUS attribute "Called-Station-Id":

rad_recv: Access-Request packet from host 192.168.xxx.xxx port 40981, id=0, length=185
User-Name = "user@example.com"
NAS-IP-Address = 192.168.xxx.1xxx59
NAS-Port = 0
Called-Station-Id = "00-00-00-00-00-00: WIFI_TEST"
Calling-Station-Id = "00-00-00-00-00-00"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11

Compared to an LDAP configuration, I have not yet seen/found any options which may be configured in the "opendirectory" module.

Does anybody have an idea how this could be solved with Open Directory?

Mac OS X (10.6.4)

Posted on Aug 11, 2010 4:58 AM

3 replies

Aug 25, 2010 4:38 AM in response to dalimsoftware

Well, whoever may find the same issue - the following is my (expensive) workaround scenario I may roll out soon:

1. Run Windows Enterprise Server with Active Directory, certificate enrollment and IAS RADIUS authentication (RegEx policy per "Calling-Station-Id = ^[^:]+:WIFI_NAME$" to match AD groups)
2. Run either Netgear WNDAP330/350 AP for VLAN tagging, MultiSSID support and Radius authentication or SonicPoint AP's
3. Extend AD Schema to support Mac OS X clients
4. Host sophisticated services (FTP, Wiki, Blog, Password management, etc.) on Mac OS X server connected to AD domain

Costs:
4 x SonicPoint approx. 1,600 EUR
4 x Netgear WNDAP330/350 approx. 1,200 EUR
2 x Mac mini Server approx. 3,400 EUR (1 backup machine)
1 x Windows 2003 Enterprise 75 user CALs approx. 3,200 EUR (VMware HA hosted, no hardware backup needed)

*What a shame I cannot find a workaround to use the native OpenDirectory - would save me 50% of the total project!*

The only way might be to skip the Mac mini servers to save money

😟
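The check the original question asks for (derive the SSID from "Called-Station-Id", then require membership in the group mapped to that SSID) and the IAS-style regex rule from the workaround above, implemented as an added Python example that is not part of this thread or of any Apple or SonicWall product. The attribute dump, the SSID-to-group table and the user-to-groups table are constructed stand-ins for the poster's capture and for an Open Directory lookup; the "Called-Station-Id" layout "<AP MAC>:<SSID>" is assumed from the posted capture, which also shows a space after the colon.

```python
import re
from typing import Dict, Optional, Set

# Constructed policy table (assumption): which directory group may use which SSID.
SSID_TO_GROUP: Dict[str, str] = {
    "WIFI_TEST": "wifi-test-users",
    "WIFI_STAFF": "wifi-staff",
}

# Constructed stand-in for directory group membership (assumption); in a real
# deployment this lookup would be answered by Open Directory / LDAP.
DIRECTORY_GROUPS: Dict[str, Set[str]] = {
    "user@example.com": {"wifi-test-users"},
    "guest@example.com": set(),
}

# Constructed sample, modelled on the capture in the question (addresses made up).
SAMPLE_DUMP = """\
rad_recv: Access-Request packet from host 192.168.0.10 port 40981, id=0, length=185
User-Name = "user@example.com"
NAS-IP-Address = 192.168.0.1
NAS-Port = 0
Called-Station-Id = "00-00-00-00-00-00: WIFI_TEST"
Calling-Station-Id = "00-00-00-00-00-00"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
"""

# "<AP MAC>:<SSID>": the MAC (dash-separated, so it contains no colon) ends at the
# first colon; everything after it, minus surrounding whitespace, is the SSID. An
# SSID may itself contain colons, which is why only the first one is significant.
CALLED_STATION_RE = re.compile(r"^(?P<mac>[^:]+):\s*(?P<ssid>.+?)\s*$")

# One "Attribute = value" line of the debug dump.
ATTR_LINE_RE = re.compile(r"^\s*([A-Za-z0-9-]+)\s*=\s*(.*?)\s*$")


def parse_radius_debug(dump: str) -> Dict[str, str]:
    """Turn the 'Attribute = value' lines of a RADIUS debug dump into a dict.
    The rad_recv header is skipped and quoted string values are unquoted."""
    attrs: Dict[str, str] = {}
    for line in dump.splitlines():
        if line.startswith("rad_recv") or not line.strip():
            continue
        m = ATTR_LINE_RE.match(line)
        if not m:
            continue
        name, value = m.group(1), m.group(2)
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        attrs[name] = value
    return attrs


def ssid_from_called_station_id(called_station_id: Optional[str]) -> Optional[str]:
    """Extract the SSID; None if the attribute is absent or carries only a MAC."""
    if not called_station_id:
        return None
    m = CALLED_STATION_RE.match(called_station_id)
    return m.group("ssid") if m else None


def ssid_policy_regex(ssid: str):
    """Per-SSID matcher in the style of the IAS policy from the workaround:
    ^[^:]+:<SSID>$, tolerating whitespace after the colon as in the capture."""
    return re.compile(r"^[^:]+:\s*" + re.escape(ssid) + r"$")


def authorize(attrs: Dict[str, str]) -> bool:
    """Accept only if the user belongs to the group mapped to the SSID in
    Called-Station-Id. Missing SSID, unknown SSID or unknown user all reject."""
    user = attrs.get("User-Name")
    ssid = ssid_from_called_station_id(attrs.get("Called-Station-Id"))
    if not user or ssid is None:
        return False
    required_group = SSID_TO_GROUP.get(ssid)
    if required_group is None:
        return False
    return required_group in DIRECTORY_GROUPS.get(user, set())


def decide(dump: str) -> bool:
    """Parse one Access-Request dump and return the accept/reject decision."""
    return authorize(parse_radius_debug(dump))


if __name__ == "__main__":
    for label, dump in [
        ("member on WIFI_TEST", SAMPLE_DUMP),
        ("non-member on WIFI_TEST", SAMPLE_DUMP.replace("user@", "guest@")),
        ("unknown SSID", SAMPLE_DUMP.replace("WIFI_TEST", "WIFI_OTHER")),
    ]:
        print(f"{label}: {'Access-Accept' if decide(dump) else 'Access-Reject'}")
```

The decision is fail-closed on purpose: an access point that sends only its MAC in "Called-Station-Id", or an SSID that has no entry in the policy table, is rejected rather than falling back to a plain yes/no directory check.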

Aug 25, 2010 6:12 AM in response to InterHmai

Unfortunately it is not that easy: I want to control which group has access to which SSID.
In the OpenDirectory plugin of an OS X server it is not possible to filter the RADIUS attribute "Calling-Station-Id" to check the membership of a specific group (see: Windows IAS policies).

On OS X only yes/no is possible, which is based on the fact that Apple is only featuring the use of its own *NOT MultiSSID enabled* Airport Express/Extreme devices...
