Date: Mon, 2 Apr 2007 18:17:06 +0200 (CEST)
From: Mohacsi Janos <mohacsi@niif.hu>
To: Marko Lerota
Cc: freebsd-security@freebsd.org
Subject: Re: Stronger security with BSD Firewall and Freeradius
Message-ID: <20070402175305.X73058@mignon.ki.iif.hu>
In-Reply-To: <86lkha6eey.fsf@sparrow.local>
List-Id: freebsd-security "Security issues [members-only posting]"

On Mon, 2 Apr 2007, Marko Lerota wrote:

> I've seen that it is possible to use switch port blocking with freeradius
> and Cisco switches via 802.1X and the EAP protocol. Here is more info:
> http://wiki.freeradius.org/FreeRADIUS_Active_Directory_Integration_HOWTO
>
> What if I don't have a switch that supports 802.1X, or I want the blocking
> to be done by FreeBSD, not the switch, because FreeBSD is the firewall or
> gateway to some networks? Is there any solution that implements freeradius
> with PF or any other firewall/blocking feature?

Definition: IEEE 802.1X is an IEEE standard for port-based Network Access
Control. Port based means that you have to have a large number of ports
that you can control by individual usage. Ports can be ethernet ports or
wireless ports. In the first case you would need a large number of ports in
your firewall, which is not really feasible. In the latter case you should
use hostapd. With hostapd you can configure your firewall as an
authenticator (802.1X terminology) or access point that can provide
wireless access based on credentials supplied by your users
(userid+password, certificate, etc.).

I suspect you would like to have something similar to what authpf does:
authenticate on the firewall, then allow access to the internal network.
Have a look at man authpf or http://www.openbsd.org/faq/pf/authpf.html
about authpf usage.

I hope this helped.

Best Regards,
Janos Mohacsi
Network Engineer, Research Associate, Head of Network Planning and Projects
NIIF/HUNGARNET, HUNGARY
Key 70EF9882: DEC2 C685 1ED4 C95A 145F 4300 6F64 7B00 70EF 9882

> --
> One cannot sell the earth upon which the people walk
> Tacunka Witco
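The authpf arrangement described in the reply, as an added illustration that is not part of the original message: a pf.conf fragment that hands per-user rules to authpf anchors, plus the per-user rule template authpf loads when a user's ssh login succeeds. Interface names (em0/em1), the 192.168.1.0/24 network and the username alice are constructed assumptions.

```conf
# --- /etc/pf.conf (illustration; interface names and network are assumed) ---
ext_if       = "em0"                # segment where the users sit
int_if       = "em1"                # protected internal network
internal_net = "192.168.1.0/24"

# Table authpf fills with the addresses of currently authenticated users.
table <authpf_users> persist

# authpf loads each user's rules into a sub-anchor named authpf/<user>(<pid>);
# these anchors are where those rules are evaluated.
nat-anchor   "authpf/*"
rdr-anchor   "authpf/*"
binat-anchor "authpf/*"
anchor       "authpf/*"

# Default deny: nothing reaches the internal network until authpf adds a rule.
block in log all

# Users must be able to ssh to the firewall itself so authpf can run as their
# login shell; everything else from the user segment stays blocked.
pass in quick on $ext_if proto tcp from any to ($ext_if) port ssh keep state
pass out quick keep state

# --- /etc/authpf/authpf.rules (per-user template) ---
# Macros from pf.conf are not visible here; authpf defines $user_ip and
# $user_id itself, so the network is repeated.
internal_net = "192.168.1.0/24"
pass in quick on em0 from $user_ip to $internal_net keep state
pass out quick on em1 from $user_ip to $internal_net keep state

# --- /etc/authpf/authpf.allow (who may authenticate) ---
alice

# Remaining setup (not config): set the user's login shell to
# /usr/sbin/authpf and list that shell in /etc/shells. The rules above exist
# only while alice's ssh session is open; authpf flushes them and drops her
# address from <authpf_users> when the session ends.
```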