A simple way to configure LAN switches is to do MAC Authentication when a device connects to it.
This is by no means secure since the MAC address of a device can be spoofed.
This should not be seen as a way to secure a LAN but rather as a way to dynamically segment it based on the reply attributes from the RADIUS server.
If you need to implement a secure way to authenticate devices on a LAN, use 802.1x.
802.1x Authentication
802.1x can use various EAP methods to authenticate a device to the back-end.
The most widely supported method is PEAP.
Unfortunately devices like printers, security cameras etc. do not include an 802.1x supplicant, which usually makes implementation more complex.
Each vendor of networking equipment has a different way of dealing with devices that do not include an 802.1x supplicant.
You are advised to experiment and explore on the equipment you have available to see how 802.1x can be optimally implemented.
BYOD Manager applet in RADIUSdesk
RADIUSdesk has a dedicated applet called BYOD Manager.
This applet will list all the registered devices on the system.
Each registered device must have:
A Permanent User owner.
A MAC address to be identified with.
A name to be identified with.
A profile associated with it.
Each registered device may have:
The active check enabled/disabled.
The "Use profile during EAP authentication" option enabled/disabled.
One or more tags associated with it.
Although the BYOD Manager applet gives an overview of all the registered devices, each Permanent User can also be assigned one or more devices through the Permanent User Manager applet, and these will in turn also be displayed in the BYOD Manager.
The BYOD Manager is thus a holistic manager of registered devices, where the devices of a Permanent User are only the subset of those displayed in the BYOD Manager that is owned by the chosen Permanent User.
Profiles associated to devices
With BYOD devices you will typically assign a profile which returns the information that the LAN switch requires to dynamically assign the device to a VLAN after authentication.
Profiles are not limited to that; you can for instance also implement a Captive Portal which makes use of MAC authentication and limits the connection time of a certain device to the captive portal.
Implementing an associated profile during EAP
One point which has to be mentioned here is what happens when you use EAP (which includes 802.1x and WPA2 Enterprise) to authenticate a device.
The device will be authenticated by a username and password (those of a Permanent User) and the profile of the Permanent User will be used.
You can however select "Use profile during EAP authentication" on a device.
This will include the return attributes of the profile associated with the device, adding them to and overriding the attributes returned for the authenticated Permanent User.
This allows for fine grained management of each of a user's devices, despite the fact that a single username and password is used to authenticate all of them through EAP.
Imagine Bob has an iPad, an iPhone and an Android tablet.
We record all these devices' MACs in the BYOD Manager, making Bob the owner.
We can then give each of them a unique profile, e.g. assign the Android to the R&D Lab profile and the Apple devices to the corporate LAN.
We make sure "Use profile during EAP authentication" is selected.
Provided the back-end is configured to work with the RADIUS server, Bob will be dynamically assigned to the VLAN associated with the profile of whichever device he connects with.
Tags assigned to devices
The BYOD Manager also features the ability to add one or more tags to devices.
The tags can come in handy to generate reports based on certain tags.
One can for instance tag all the printers with the Printer tag.
One can then optionally tag all the devices in a certain region with a regional tag e.g. Pretoria.
So getting a CSV list of all the Printers in Pretoria is literally two ticks away!!
The tag's the limit
With the ability to add tags to devices we can even implement our own logic on the back-end.
We can for instance require that all the devices belonging to students have to get an RFI identification before they can connect to the campus network.
So all student (already tagged) devices will get an additional rfi_complete tag.
The RADIUS server can then be modified to check if a student device has both tags before allowing them onto the network.
This is just a simple example of how to unleash the power of tags.
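The following is an added illustration, not RADIUSdesk code: a small Python model of the two behaviours described above, the device profile adding to and overriding the Permanent User's profile during EAP (Bob's example), and a back-end tag rule that a student device must also carry rfi_complete before MAC authentication lets it on. Profile names come from the text; the VLAN ids, MACs, password and the exact tag rule placement are assumptions, and the reply attributes are the standard RFC 3580 VLAN assignment attributes.

```python
from dataclasses import dataclass, field
import hmac

# Constructed profiles (names from the page, VLAN ids assumed); each holds the
# RFC 3580 attributes a switch needs to place the port into a VLAN
PROFILES = {
    "Corporate LAN": {"Tunnel-Type": "VLAN", "Tunnel-Medium-Type": "IEEE-802",
                      "Tunnel-Private-Group-Id": "10"},
    "R&D Lab": {"Tunnel-Type": "VLAN", "Tunnel-Medium-Type": "IEEE-802",
                "Tunnel-Private-Group-Id": "20"},
}

@dataclass
class PermanentUser:
    username: str
    password: str
    profile: str

@dataclass
class Device:  # the required and optional fields of a registered device
    mac: str
    name: str
    owner: str
    profile: str
    active: bool = True
    use_profile_during_eap: bool = False
    tags: set = field(default_factory=set)

def tags_allow(dev: Device) -> bool:
    # Back-end tag rule from the text: a student device must also carry rfi_complete
    return "student" not in dev.tags or "rfi_complete" in dev.tags

def authorize_mac(devices: dict, mac: str):
    # MAC authentication: the MAC alone identifies the device; reply with its profile
    dev = devices.get(mac.lower())
    if dev is None or not dev.active or not tags_allow(dev):
        return None  # Access-Reject
    return dict(PROFILES[dev.profile])

def authorize_eap(users: dict, devices: dict, username: str, password: str, mac: str):
    # EAP: the Permanent User's credentials grant access and supply the base profile
    user = users.get(username)
    if user is None or not hmac.compare_digest(user.password.encode(), password.encode()):
        return None  # Access-Reject
    reply = dict(PROFILES[user.profile])
    dev = devices.get(mac.lower())
    if dev is not None and dev.use_profile_during_eap:
        reply.update(PROFILES[dev.profile])  # device profile adds to / overrides
    return reply

# Bob's devices from the example above (MACs and password constructed)
USERS = {"bob": PermanentUser("bob", "s3cret", "Corporate LAN")}
DEVICES = {d.mac: d for d in [
    Device("00:11:22:33:44:01", "iPad", "bob", "Corporate LAN", use_profile_during_eap=True),
    Device("00:11:22:33:44:02", "Android tablet", "bob", "R&D Lab", use_profile_during_eap=True),
]}
```

With the same username and password, the reply for the Android tablet carries VLAN 20 and the reply for the iPad VLAN 10, which is the per-device assignment the text describes.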
Hi,
I can't find the option "Use profile during EAP authentication" in BYOD manager applet.
Can you help me, please?
Thanks