Linux Netfilter discussions
* [OT] iptables and 802.1x authenticator
@ 2007-05-05  1:22 John A. Sullivan III
  0 siblings, 0 replies; 5+ messages in thread
From: John A. Sullivan III @ 2007-05-05  1:22 UTC (permalink / raw)
  To: netfilter

Hello, all. Does anyone know of an open source linux 802.1x
authenticator? I see XSupplicant for the supplicant and FreeRADIUS for
the authentication server but I can't seem to find an authenticator.

We've been toying with combining iptables with the ISCS network
management project (http://iscs.sourceforge.net) and 802.1x.  If we can
do what we think we can do, the results should be quite stunning.  We
should be able to create true, perimeterless network security.  That
means we can stop LAN based worms dead in their tracks, foil ARP
poisoning attacks and other nefarious activities -- all without end
point clients (not that we have anything against end point clients).

I'm in the prototype building stage and hence the need for a testbed
802.1x implementation.  So, if you can kindly point me in the right
direction, I'd greatly appreciate it.  Thanks - John
-- 
John A. Sullivan III
Open Source Development Corporation
+1 207-985-7880
jsullivan@opensourcedevel.com

Financially sustainable open source development
http://www.opensourcedevel.com




* [OT] iptables and 802.1x authenticator
@ 2007-05-05  1:40 John A. Sullivan III
  2007-05-05  6:48 ` Cedric Blancher
  0 siblings, 1 reply; 5+ messages in thread
From: John A. Sullivan III @ 2007-05-05  1:40 UTC (permalink / raw)
  To: netfilter


* Re: [OT] iptables and 802.1x authenticator
  2007-05-05  1:40 [OT] iptables and 802.1x authenticator John A. Sullivan III
@ 2007-05-05  6:48 ` Cedric Blancher
  2007-05-05 15:23   ` John A. Sullivan III
  0 siblings, 1 reply; 5+ messages in thread
From: Cedric Blancher @ 2007-05-05  6:48 UTC (permalink / raw)
  To: John A. Sullivan III; +Cc: netfilter

On Friday 04 May 2007 at 21:40 -0400, John A. Sullivan III wrote:
> Hello, all. Does anyone know of an open source linux 802.1x
> authenticator? I see XSupplicant for the supplicant and FreeRADIUS for
> the authentication server but I can't seem to find an authenticator.

See hostapd: http://hostap.epitest.fi/hostapd/

I never see it implemented for wired networks... But it's the only
802.1x authenticator I know around.


-- 
http://sid.rstack.org/
PGP KeyID: 157E98EE FingerPrint: FA62226DA9E72FA8AECAA240008B480E157E98EE
>> Hi! I'm your friendly neighbourhood signature virus.
>> Copy me to your signature file and help me spread!





* Re: [OT] iptables and 802.1x authenticator
  2007-05-05  6:48 ` Cedric Blancher
@ 2007-05-05 15:23   ` John A. Sullivan III
  2007-05-05 15:31     ` Cedric Blancher
  0 siblings, 1 reply; 5+ messages in thread
From: John A. Sullivan III @ 2007-05-05 15:23 UTC (permalink / raw)
  To: Cedric Blancher; +Cc: netfilter

On Sat, 2007-05-05 at 08:48 +0200, Cedric Blancher wrote:
> On Friday 04 May 2007 at 21:40 -0400, John A. Sullivan III wrote:
> > Hello, all. Does anyone know of an open source linux 802.1x
> > authenticator? I see XSupplicant for the supplicant and FreeRADIUS for
> > the authentication server but I can't seem to find an authenticator.
> 
> See hostapd: http://hostap.epitest.fi/hostapd/
> 
> I never see it implemented for wired networks... But it's the only
> 802.1x authenticator I know around.
> 
> 
Thank you, Cedric.  I looked at hostap but must have been brain
cramping! Now I just need to see if we can create iptables rules based
upon what the authentication server returns through the authenticator.
If anyone has experience in doing that, please let me know.  Thanks -
John
-- 
John A. Sullivan III
Open Source Development Corporation
+1 207-985-7880
jsullivan@opensourcedevel.com

If you would like to participate in the development of an open source
enterprise class network security management system, please visit
http://iscs.sourceforge.net




* Re: [OT] iptables and 802.1x authenticator
  2007-05-05 15:23   ` John A. Sullivan III
@ 2007-05-05 15:31     ` Cedric Blancher
  0 siblings, 0 replies; 5+ messages in thread
From: Cedric Blancher @ 2007-05-05 15:31 UTC (permalink / raw)
  To: John A. Sullivan III; +Cc: netfilter

On Saturday 05 May 2007 at 11:23 -0400, John A. Sullivan III wrote:
> Thank you, Cedric.

You're welcome.

> Now I just need to see if we can create iptables rules based upon what
> the authentication server returns through the authenticator. If anyone
> has experience in doing that, please let me know.

That would be great.

You have to configure your RADIUS in order to push specific attributes
linked to user identity, group, whatever to the authenticator, that will
do whatever is needed.

I played a bit with usual VLAN assignment on switches and access points.
Each user is thus assigned a dedicated VLAN based on his identity when
authenticated. Works great, would be nice to have this on hostapd...


-- 
http://sid.rstack.org/
PGP KeyID: 157E98EE FingerPrint: FA62226DA9E72FA8AECAA240008B480E157E98EE
>> Hi! I'm your friendly neighbourhood signature virus.
>> Copy me to your signature file and help me spread!
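
Added example, not part of the original thread and not code from hostapd, FreeRADIUS or ISCS: one way to turn the attributes an authentication server returns into per-station iptables rules, as discussed in the last two messages. It assumes the authenticator hands a hook the station MAC and the Access-Accept attributes as a dict; the policy table, the function names and the `dot1x-` chain prefix are hypothetical.

```python
import ipaddress
import re

# Hypothetical policy table: Filter-Id value -> (destination, protocol, port).
# Policy names and networks are constructed for this example.
POLICIES = {
    "staff": [("10.0.0.0/8", "tcp", 443), ("10.0.5.10/32", "udp", 53)],
    "guest": [("10.0.5.10/32", "udp", 53)],
}
MAC_RE = re.compile(r"^[0-9a-f]{2}(:[0-9a-f]{2}){5}$")

def _chain_for(mac):
    """Normalise and validate the MAC, return (mac, per-station chain name)."""
    mac = mac.strip().lower().replace("-", ":")
    if not MAC_RE.match(mac):
        raise ValueError("bad MAC address")
    return mac, "dot1x-" + mac.replace(":", "")   # 18 chars, within the chain-name limit

def rules_for_station(mac, reply):
    """Build iptables argv lists for one authenticated station.

    reply is the dict of RADIUS reply attributes; only Filter-Id (RFC 2865)
    is used. Raises ValueError on a malformed MAC or an unknown policy, so a
    bad reply never produces a permissive rule.
    """
    mac, chain = _chain_for(mac)
    policy = reply.get("Filter-Id")
    if not isinstance(policy, str) or policy not in POLICIES:
        raise ValueError("unknown or missing Filter-Id")
    cmds = [["iptables", "-N", chain]]
    for cidr, proto, port in POLICIES[policy]:
        net = ipaddress.ip_network(cidr)          # validates the table entry
        cmds.append(["iptables", "-A", chain, "-d", str(net), "-p", proto,
                     "--dport", str(port), "-j", "ACCEPT"])
    cmds.append(["iptables", "-A", chain, "-j", "DROP"])  # default deny per station
    # The mac match is only valid in PREROUTING, INPUT and FORWARD.
    cmds.append(["iptables", "-A", "FORWARD", "-m", "mac", "--mac-source", mac,
                 "-j", chain])
    return cmds

def teardown_for_station(mac):
    """Commands to run when the session ends: unhook, flush, delete the chain."""
    mac, chain = _chain_for(mac)
    return [
        ["iptables", "-D", "FORWARD", "-m", "mac", "--mac-source", mac, "-j", chain],
        ["iptables", "-F", chain],
        ["iptables", "-X", chain],
    ]
```

The functions return argument lists rather than running anything, so the caller can log them and pass each one to `subprocess.run` without a shell. A source-MAC match only identifies the station as well as the segment prevents MAC forgery, which is why it is normally paired with per-port 802.1x control or the VLAN assignment mentioned above.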



