
802.1x PAE #303

Open
ccie57654 opened this issue May 2, 2024 · 2 comments

Comments

@ccie57654

Overview
The hostapd package included with Dent works in the sense that you can start the service and provide a configuration; however, what is missing from the public hostapd package is the Port Access Entity (PAE) component.

Use Case
When a device is attached via ethernet to a port, there should exist the capability to configure said port to only accept EAPoL frames or additional types defined in an ACL, and forward the frames to the RADIUS Server, or create a RADIUS Access Request message based on the source mac for MAB purposes.

Operation

  • To keep the operation description concise, I will simply link to a better published source of how 802.1x and MAB operate.
  • Operation
  • Ideally configuration would be a component of netplan or systemd-networking or interfaces; however, if a separate tool is required initially, similarly to poed, that is fine.
  • By simply forwarding EAPoL frames to a defined RADIUS server(s) and implementing RFC 2868 capability to assign a VLAN to a port based on RADIUS responses, we have 2/3 of the feature we need.
  • To support MAB, a watcher would need to be running to listen to all frames initially received on a port and construct a RADIUS Access-Request message.
  • Finally the ability to define not just EAPoL frames to accept on a port but also other types of frames (inbound or outbound) is important in the case of silent hosts that may not send anything until a broadcast is received.

Testing
Leveraging FreeRADIUS or similar to validate that a port can be moved from an unauthorized state (dropping all frames except those specified) to an authorized state with the received tunnel ID.
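The two RADIUS pieces the issue asks for (a MAB Access-Request built from a learned MAC, and the RFC 2868 Tunnel-Type / Tunnel-Medium-Type / Tunnel-Private-Group-ID triple that carries the VLAN in the Access-Accept) are small enough to show end to end. The block below is an added example written for this page, not code from DENT, hostapd or FreeRADIUS; the shared secret, MAC and identifier are constructed values, and `build_access_accept` is a stand-in for the server's reply so the parser can be exercised offline. It also verifies the Response Authenticator before trusting any VLAN, which is the check a PAE must make on every reply.

```python
import hashlib
import hmac
import os
import struct

# RADIUS codes and attribute types (RFC 2865); tunnel attributes (RFC 2868)
ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, USER_PASSWORD, SERVICE_TYPE, CALLING_STATION_ID = 1, 2, 6, 31
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
SERVICE_TYPE_CALL_CHECK = 10          # Service-Type conventionally sent for MAB lookups
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_IEEE802 = 13, 6


def encrypt_user_password(password, secret, authenticator):
    """Hide User-Password per RFC 2865 s5.2: 16-byte chunks XORed with chained MD5."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        block = hashlib.md5(secret + prev).digest()
        prev = bytes(x ^ y for x, y in zip(padded[i:i + 16], block))
        out += prev
    return out


def attr(attr_type, value):
    """Encode one TLV attribute; the length byte covers the 2-byte header too."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return bytes([attr_type, len(value) + 2]) + value


def build_mab_access_request(mac, secret, identifier, authenticator=None):
    """Access-Request a NAS sends for MAC Authentication Bypass: the learned MAC
    is both User-Name and User-Password. Returns (packet, request_authenticator)."""
    authenticator = authenticator or os.urandom(16)
    mac_hex = mac.lower().replace(":", "").replace("-", "")
    attrs = (attr(USER_NAME, mac_hex.encode())
             + attr(USER_PASSWORD, encrypt_user_password(mac_hex.encode(), secret, authenticator))
             + attr(SERVICE_TYPE, struct.pack("!I", SERVICE_TYPE_CALL_CHECK))
             + attr(CALLING_STATION_ID, mac.upper().replace(":", "-").encode()))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + authenticator + attrs, authenticator


def parse_attributes(packet):
    """Return [(type, value), ...]; reject truncated or zero-length attributes."""
    pos, attrs = 20, []
    while pos < len(packet):
        if pos + 2 > len(packet):
            raise ValueError("truncated attribute header")
        t, length = packet[pos], packet[pos + 1]
        if length < 2 or pos + length > len(packet):
            raise ValueError("malformed attribute length")
        attrs.append((t, packet[pos + 2:pos + length]))
        pos += length
    return attrs


def verify_response_authenticator(packet, request_authenticator, secret):
    """Response Authenticator = MD5(Code+ID+Length + RequestAuth + Attributes + Secret)."""
    expected = hashlib.md5(packet[:4] + request_authenticator + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def split_tunnel_tag(value):
    """RFC 2868: the leading byte is a tag only if it is <= 0x1F, otherwise it is data."""
    if value and value[0] <= 0x1F:
        return value[0], value[1:]
    return 0, value


def vlan_from_access_accept(packet, request_authenticator, secret):
    """Return the VLAN id only if an authentic Access-Accept carries a complete, consistently
    tagged RFC 2868 assignment (Tunnel-Type=VLAN, Tunnel-Medium-Type=IEEE-802, id 1..4094)."""
    if len(packet) < 20 or packet[0] != ACCESS_ACCEPT:
        return None
    if int.from_bytes(packet[2:4], "big") != len(packet):
        return None
    if not verify_response_authenticator(packet, request_authenticator, secret):
        return None
    groups = {}
    for t, v in parse_attributes(packet):
        if t in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID):
            tag, val = split_tunnel_tag(v)
            groups.setdefault(tag, {})[t] = val
    for g in groups.values():
        ttype = int.from_bytes(g.get(TUNNEL_TYPE, b""), "big")
        medium = int.from_bytes(g.get(TUNNEL_MEDIUM_TYPE, b""), "big")
        gid = g.get(TUNNEL_PRIVATE_GROUP_ID, b"").decode("ascii", "replace")
        if ttype == TUNNEL_TYPE_VLAN and medium == TUNNEL_MEDIUM_IEEE802 \
                and gid.isdigit() and 1 <= int(gid) <= 4094:
            return int(gid)
    return None


def build_access_accept(identifier, request_authenticator, secret, vlan, tag=1):
    """Constructed stand-in for the RADIUS server's reply, used only to exercise the parser."""
    attrs = (attr(TUNNEL_TYPE, bytes([tag]) + TUNNEL_TYPE_VLAN.to_bytes(3, "big"))
             + attr(TUNNEL_MEDIUM_TYPE, bytes([tag]) + TUNNEL_MEDIUM_IEEE802.to_bytes(3, "big"))
             + attr(TUNNEL_PRIVATE_GROUP_ID, bytes([tag]) + vlan.encode()))
    header = struct.pack("!BBH", ACCESS_ACCEPT, identifier, 20 + len(attrs))
    auth = hashlib.md5(header + request_authenticator + attrs + secret).digest()
    return header + auth + attrs
```

The tag handling matters in practice: FreeRADIUS and other servers commonly send the three tunnel attributes with tag 1, but some send them untagged, and `split_tunnel_tag` accepts both without mistaking the first digit of a VLAN string for a tag. A reply whose authenticator does not verify, or whose VLAN is outside 1..4094, yields `None`, so the port stays unauthorized rather than being moved to a guessed VLAN.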

@pbanicev

Where is the watcher solution for MAC Authentication Bypass explained? Is there any standard covering it?

@ccie57654
Author

Typically the NAS will formulate the authentication request on behalf of the device that does not support 802.1x EAP. For wired, the typical implementation leverages the RSTP Learning state in order to glean the MAC address; once the MAC address is learned on the port by monitoring the forwarding table, an authentication request can be formed using the MAC address as the username and password.

There are silent hosts that do not send any traffic unless they receive a broadcast or other form of traffic first. In this case the problem is the same; however, instead of leveraging the learning state, an L2 ACL would need to be used in order to filter all inbound traffic from going beyond the port but allow outbound traffic towards the host in order to "wake it up".
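The per-port gate described in the two comments above (unauthorized ports forward only EAPoL inbound, a watcher learns the first source MAC and queues a MAB lookup, and broadcasts are still let out so a silent host starts talking) can be modelled as a small state machine. This is an added example for this page, not code from DENT, hostapd or poed; `PortAuthEntity`, `make_frame` and the reason strings are hypothetical names, and the frames are constructed test input. The frame-level dataplane on a real switch would live in the ASIC or in tc/nftables rules, with this logic deciding what those rules should be.

```python
import struct
from dataclasses import dataclass, field

ETHERTYPE_EAPOL = 0x888E       # 802.1X EAP over LAN
ETHERTYPE_ARP = 0x0806
ETHERTYPE_IPV4 = 0x0800
BROADCAST = b"\xff" * 6


def make_frame(dst, src, ethertype, payload=b""):
    """Build a minimal Ethernet II frame from colon-separated MACs (constructed test input)."""
    mac = lambda m: bytes.fromhex(m.replace(":", ""))
    return mac(dst) + mac(src) + struct.pack("!H", ethertype) + payload


@dataclass
class PortAuthEntity:
    """Hypothetical per-port PAE gate. While unauthorized, inbound passes only EAPoL plus any
    ethertype in the L2 ACL; outbound passes EAPoL and (optionally) broadcast to wake silent hosts."""
    authorized: bool = False
    vlan: int = None
    inbound_acl: set = field(default_factory=set)   # extra ethertypes permitted inbound
    wake_silent_hosts: bool = True
    learned_macs: set = field(default_factory=set)
    mab_queue: list = field(default_factory=list)   # MACs awaiting a RADIUS Access-Request

    def inbound(self, frame):
        """Return (forward?, reason) for a frame arriving from the attached host."""
        if len(frame) < 14:
            return False, "runt"
        src = frame[6:12]
        ethertype = struct.unpack("!H", frame[12:14])[0]
        if self.authorized:
            return True, "authorized"
        if ethertype == ETHERTYPE_EAPOL:
            return True, "eapol-to-authenticator"
        # MAB watcher: the first non-EAPoL frame from an unknown source MAC queues a lookup,
        # regardless of whether the frame itself is then forwarded or dropped.
        if src not in self.learned_macs:
            self.learned_macs.add(src)
            self.mab_queue.append(src.hex(":"))
        if ethertype in self.inbound_acl:
            return True, "acl-permit"
        return False, "unauthorized-drop"

    def outbound(self, frame):
        """Return whether a frame from the network side may be sent towards the host."""
        if len(frame) < 14:
            return False
        if self.authorized:
            return True
        ethertype = struct.unpack("!H", frame[12:14])[0]
        if ethertype == ETHERTYPE_EAPOL:
            return True
        return self.wake_silent_hosts and frame[:6] == BROADCAST

    def authorize(self, vlan=None):
        """Enter the authorized state, e.g. after an Access-Accept carrying a VLAN."""
        self.authorized, self.vlan = True, vlan

    def unauthorize(self):
        """Return to the gated state (link down, reauthentication failure, Access-Reject)."""
        self.authorized, self.vlan = False, None
        self.learned_macs.clear()
```

Two behaviours worth noting: a supplicant that speaks EAPoL never enters the MAB queue, so a host that supports 802.1X is not also looked up by MAC; and the learned-MAC set is cleared on `unauthorize()`, so a device that reappears after a link flap triggers a fresh Access-Request instead of inheriting a stale decision.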
