Stronger security with BSD Firewall and Freeradius

Mohacsi Janos mohacsi at niif.hu
Mon Apr 2 16:45:02 UTC 2007




On Mon, 2 Apr 2007, Marko Lerota wrote:

> I've seen that it is possible to use switch port blocking with freeradius
> and Cisco switches via 802.1X and the EAP protocol. Here is more info:
> http://wiki.freeradius.org/FreeRADIUS_Active_Directory_Integration_HOWTO
>
> What if I don't have a switch that supports 802.1X, or I want the blocking
> to be done by FreeBSD, not the switch? Because FreeBSD is the firewall or
> gateway to some networks. Is there any solution that implements freeradius
> with PF or any other firewall/blocking feature?

Definition: IEEE 802.1X is an IEEE standard for port-based Network Access
Control.

Port-based means that you have to have a large number of ports that you can
control individually.

Ports can be Ethernet ports or wireless ports. In the first case you would
need a large number of ports in your firewall, which is not really feasible.
In the latter case you should use hostapd. With hostapd you can configure
your firewall as an authenticator (802.1X terminology) or access
point that can provide wireless access based on credentials supplied by
your users (userid+password, certificate, etc.).

I suspect you would like to have something similar to what authpf does:
authenticate on the firewall, then allow access to the internal network.
Have a look at man authpf or http://www.openbsd.org/faq/pf/authpf.html
about authpf usage.

I hope this helped.

Best Regards,

Janos Mohacsi
Network Engineer, Research Associate, Head of Network Planning and Projects
NIIF/HUNGARNET, HUNGARY
Key 70EF9882: DEC2 C685 1ED4 C95A 145F  4300 6F64 7B00 70EF 9882
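
One way to wire the authpf suggestion above to a RADIUS back end, added here as an example that is not part of the original message: sshd authenticates the user through PAM (pam_radius), and authpf, set as the user's login shell, loads per-session pf rules. The interface names, addresses and shared secret are constructed placeholders, and using pam_radius for the RADIUS step is an assumption, not something the post states.

```conf
# ---- /etc/pf.conf on the FreeBSD gateway (fragment) ----
int_if = "em1"     # assumed: interface facing the client network

# Default: nothing from the client network is forwarded.
block in on $int_if all

# Unauthenticated clients may only reach sshd on the gateway itself,
# which is where they log in.
pass in quick on $int_if proto tcp from any to ($int_if) port ssh keep state

# authpf loads each logged-in user's rules below this anchor and
# removes them again when the SSH session ends.
anchor "authpf/*"

# ---- /etc/authpf/authpf.conf ----
# Must exist or authpf refuses to run; it may be empty.

# ---- /etc/authpf/authpf.rules ----
# Loaded once per session. authpf defines $user_ip (source address of
# the SSH connection) and $user_id (login name). Macros from pf.conf
# are not visible here, so the interface is named literally.
pass in quick on em1 from $user_ip to any keep state

# ---- /etc/pam.d/sshd (auth section) ----
# Try RADIUS first, fall back to local passwords. The account must
# still exist locally with /usr/sbin/authpf as its login shell.
auth    sufficient    pam_radius.so    no_warn try_first_pass
auth    required      pam_unix.so      no_warn try_first_pass

# ---- /etc/radius.conf (mode 0600, it holds the shared secret) ----
# service  server:port      shared-secret            timeout  retries
auth       192.0.2.10:1812  "constructed-secret"     3        2
```

authpf grants access by source IP address for the lifetime of the SSH session, so every host that shares that address (for example, behind NAT) is admitted together with the authenticated user.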

