Elektron includes the ability to create powerful authorization filters to give network administrators fine-grained control over how a user may access the network.
Authorization policies allow you to limit network access based on account groups to which a user belongs, the access point to which they are connecting, and the day and time. You may choose to reject a connection altogether based on these criteria, or to limit the network access granted by adding specific RADIUS attributes to Elektron’s response to the user authentication request.
The authorization step in a connection request occurs after a user’s identity has been verified, a process that occurs during the authentication step. Once Elektron has determined the identity of a given user, it can determine whether that user should be allowed access to the network, and under what conditions. These conditions can include the length of time that the user may remain connected, or limiting what network resources the user may access, such as restricting the user to a specific VLAN.
Policies
Elektron maintains a list of authorization policies that have been configured by the network administrator. When a connection request is received by Elektron, the server first authenticates the user. If the user’s identity is successfully verified, Elektron then applies each authorization policy in turn.
To create, edit, or remove an authorization policy, use the Policies pane of the Elektron Settings application. When configuring an authorization policy, there are a number of options available.
Policy Name
The policy name is a human-readable name that makes it easier to manage multiple policies. The name is only used by Elektron when displaying the policy list, so you are free to supply whatever name you find useful. For instance, if the policy being configured is used to limit connections to the wireless access points in your office lobby to the period encompassing Monday through Friday, 9:00 AM to 5:00 PM, a useful name might be “Lobby Business Hour Restrictions”. The policy name is required to be present, but need not be unique to each policy.
Apply This Policy
This option selects how the policy’s rules are combined: the policy can be applied when any of its rules match, only when all of its rules match, or always (in which case the policy needs no rules at all).
Policy is Disabled
To temporarily disable a policy, select this option. When selected, the policy will be ignored by Elektron during user authorization.
Rules
Unless the “always apply” option is selected for a policy, the policy must contain at least one rule that determines when it will be applied. Rules can be based on the day and time of the login, the username, the user’s account groups, the access point to which a user is connecting, the device’s MAC address, or the result of an external script.
Day and Time
You may choose to limit policy application based on the day and time the connection request is made. This makes it possible, for instance, to disable network access over a weekend when your office is closed. Day and time rules can be configured with a granularity down to one hour, and you may add an unlimited number of day and time rules to a single policy.
Username
A policy may be applied based on the username from the authentication request. For tunneled protocols like PEAP and TTLS, this is the username from the inner authentication. There are several pattern matching options; regardless of which is chosen, patterns are always matched in a case-insensitive manner. If you would like to apply a policy to all members of a given domain, be sure to base the rule on “contains domain” since Elektron accepts domains in both internet (user@domain.com) and Windows (domain\user) formats.
User Group
Like usernames, Elektron can apply rules based on pattern matching against the groups a user belongs to (and like usernames, Elektron does so in a case-insensitive manner). Elektron can retrieve group membership information from Open Directory, Active Directory, the local SAM database (on Windows servers that are not Active Directory domain controllers), Elektron accounts, LDAP, and ODBC.
Access Point Group
Policies may be applied based on the access point to which a user is authenticating. Use the Access Points and Access Point Groups panes to manage your access points.
MAC Address Group
Device MAC addresses may be joined to groups and used to trigger policies. Like other group and username rules, pattern matching for MAC address groups is case-insensitive.
Script Result
Elektron may be configured to execute one or more scripts in order to determine if a rule should be applied. The script’s exit status decides the outcome: zero means the rule matches and the policy action is taken; any non-zero status means the rule does not match. The options available for script rules are:
- Script Path The full path to the script. This value is required.
- Arguments Any command-line arguments that are to be supplied to the script when it is executed.
- Run With Administrator Privileges By default, scripts are executed with limited user privileges for security reasons. If your policy script needs to access protected resources, select this option.
When a script is run as a policy rule, the following environment variables are set. Note that values such as ELEKTRON_USER originate in the client’s RADIUS request; treat them as untrusted input in your script (for instance, do not interpolate them into a shell command line), especially when the script runs with administrator privileges.
- ELEKTRON_USER The username from the authentication request
- ELEKTRON_ACCESS_POINT_ADDRESS The IP address of the access point that is requesting user authentication
- ELEKTRON_DOMAIN The authentication domain that authenticated the user
- ELEKTRON_AUTHENTICATION_PROVIDER The method that was used to authenticate the user. This may be one of “SYSTEM” (using Mac OS X or Windows accounts, including Open Directory and Active Directory), “ELEKTRON” (using Elektron accounts), “LDAP”, “ODBC”, “RADIUS” (meaning a downstream RADIUS server), “SCRIPT”, or “MAC_ADDRESS”.
- ELEKTRON_AUTHENTICATION_TYPE One of: “PLAIN” (user presented a username and password), “CHAP” (MD5 challenge-response), “MSCHAP”, “MSCHAP_V2”, “LEAP”, or “X509”. The final option occurs when EAP-TLS is used to authenticate the user.
- ELEKTRON_GROUP_0 through ELEKTRON_GROUP_X These environment variables will include the groups to which a user belongs (see the note about user groups above).
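As an added example (not a script shipped with Elektron), the following policy rule script uses the environment variables listed above. It matches (exits 0) when the user belongs to an administrators group but did not authenticate with a certificate, so a policy whose only action is “Deny Connection” can use it to require EAP-TLS for administrators. The group name “admins” is an assumption; the variable names are the ones documented above. The username is only ever written to the log as a value, never passed to a shell, because it comes from the client’s request.

```python
#!/usr/bin/env python3
"""Elektron policy rule script: exit 0 = rule matches, non-zero = rule does not match."""
import os
import sys

REQUIRED_GROUP = "admins"   # assumed group name; compared case-insensitively like Elektron's own matching


def groups_from(env):
    """Collect ELEKTRON_GROUP_0, ELEKTRON_GROUP_1, ... until the first missing index."""
    groups = []
    i = 0
    while f"ELEKTRON_GROUP_{i}" in env:
        groups.append(env[f"ELEKTRON_GROUP_{i}"].lower())
        i += 1
    return groups


def decide(env):
    """Return the process exit status for the given environment (a mapping like os.environ)."""
    user = env.get("ELEKTRON_USER", "")
    auth_type = env.get("ELEKTRON_AUTHENTICATION_TYPE", "")
    if REQUIRED_GROUP not in groups_from(env):
        return 1                      # not an administrator: this rule does not apply
    if auth_type == "X509":
        return 1                      # administrator used EAP-TLS: nothing to flag
    # ELEKTRON_USER is request-supplied data: log it with repr() as a plain value,
    # never by building a shell command or format string from it.
    print(f"administrator {user!r} authenticated with {auth_type or 'unknown'}; rule matches",
          file=sys.stderr)
    return 0


if __name__ == "__main__":
    sys.exit(decide(os.environ))
```

Pair the script with a policy that has “Deny Connection” checked; because “Deny Connection” implies “Stop Processing Policies”, no later policy can re-admit such a session.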
Policy Actions
Once Elektron has determined that it should apply a policy, it will perform the actions specified by the policy. These actions can be a combination of rejecting the connection request outright, adding RADIUS attributes to the response, assigning the user to a VLAN, executing a script, or to stop processing lower priority policies. You can include any number of actions in a single policy, but you must always include at least one action.
Deny Connection
The first action available is to reject the connection request. If the “Deny Connection” option is checked, the RADIUS response code will be set to “Access-Reject” and the access point to which the user is attempting to connect will not permit the connection. This option implicitly enables the “Stop Processing Policies” option; that is, once a “Deny Connection” policy is applied, no further policies will be processed.
Stop Processing Policies
With this option enabled in a policy, the current policy will be the last processed. Any lower-priority policies will be skipped. This is useful in situations where you want policies to apply to all connections except those matching specific criteria. You would create a policy whose rules match the specific criteria and whose action is “Stop Processing Policies”, then create one or more lower-priority policies that carry the actions for every other connection request.
Assign VLAN
Elektron can assign a user to a VLAN based on the RADIUS attributes defined in RFC 3580. With this action configured, the appropriate Tunnel-Type, Tunnel-Medium-Type, and Tunnel-Private-Group-ID RADIUS attributes will be sent for the selected VLAN. Only a single VLAN may be configured; if multiple VLAN assignments are present in a policy, only the last one will be applied.
Execute Script
A script can be executed by Elektron when a policy is triggered. The outcome of the script will have no effect on the authorization, but can be used for logging or other purposes. The script environment will be set up identically to scripts that are executed during the rules phase of policy execution, described above.
RADIUS Attributes
By adding RADIUS attributes to Elektron’s response to the connection request, you can instruct your access points about limitations to be applied to the connection. For instance, by adding the “Session-Timeout” RADIUS attribute, you can limit the length of time that the user will be allowed to remain connected to the network.
You will need to consult your access point’s documentation to determine which RADIUS attributes it will respond to. Most access points support only a limited subset of attributes.
Elektron stores the RADIUS attributes it supports in dictionary files. It includes the most common RADIUS attributes in its default dictionary file, and you may add your own custom attributes using your own dictionary file.
To add an attribute to the RADIUS response, select it in the actions pop-up menu. There are several formats for the attribute value. After you have selected the attribute you wish to send, you will indicate what type of value you will be entering. The types of values are:
- String This is a simple text value, such as “hello, world” or “foo” (when entering the value, quotation marks are not necessary — if you include the quotation marks, they will be included in the attribute).
- Integer This is a 32 bit numeric value, entered in decimal notation, between 0 and 4,294,967,295 inclusive.
- Hex A binary value, expressed in hexadecimal notation, for instance, “09B477AF01”.
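To make the three value types and the “Assign VLAN” action concrete, the following added example (not part of Elektron) encodes what ends up on the wire in the Access-Accept: a Session-Timeout integer, a hex value, and the RFC 3580 VLAN triple (Tunnel-Type, Tunnel-Medium-Type, Tunnel-Private-Group-ID). The attribute type numbers and the tag byte that tunnel attributes carry come from RFC 2865 and RFC 2868; the VLAN number 42 and the timeout are constructed sample values. A small decoder with length checks is included so the output can be verified and so that the one-to-one mapping between the “Integer”/“String”/“Hex” choices and the bytes is visible.

```python
import struct

# Attribute type codes (RFC 2865 / RFC 2868) and the RFC 3580 VLAN constants.
SESSION_TIMEOUT = 27
TUNNEL_TYPE = 64
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81
TUNNEL_TYPE_VLAN = 13
TUNNEL_MEDIUM_IEEE_802 = 6


def avp(attr_type, value):
    """One RADIUS attribute-value pair: Type (1 byte), Length (1 byte, includes header), Value."""
    if not 1 <= len(value) <= 253:
        raise ValueError("RADIUS attribute value must be 1..253 bytes")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def string_value(text):
    # "String": sent exactly as typed; quotation marks would become part of the value.
    return text.encode("utf-8")


def integer_value(n):
    # "Integer": unsigned 32-bit, network byte order, 0..4294967295.
    if not 0 <= n <= 0xFFFFFFFF:
        raise ValueError("integer attribute out of range")
    return struct.pack("!I", n)


def hex_value(hexstr):
    # "Hex": raw bytes written in hexadecimal, e.g. "09B477AF01".
    return bytes.fromhex(hexstr)


def tagged_integer(n, tag=1):
    # Tunnel-Type / Tunnel-Medium-Type: one tag byte (1..31) followed by a 24-bit value.
    if not 1 <= tag <= 0x1F:
        raise ValueError("tag must be 1..31")
    return bytes([tag]) + struct.pack("!I", n)[1:]


def tagged_string(text, tag=1):
    # Tunnel-Private-Group-ID: one tag byte followed by the VLAN name or number as a string.
    if not 1 <= tag <= 0x1F:
        raise ValueError("tag must be 1..31")
    return bytes([tag]) + text.encode("utf-8")


def vlan_assignment(vlan_id, tag=1):
    """The RFC 3580 triple that tells an 802.1X authenticator which VLAN to place the port in."""
    return (avp(TUNNEL_TYPE, tagged_integer(TUNNEL_TYPE_VLAN, tag))
            + avp(TUNNEL_MEDIUM_TYPE, tagged_integer(TUNNEL_MEDIUM_IEEE_802, tag))
            + avp(TUNNEL_PRIVATE_GROUP_ID, tagged_string(str(vlan_id), tag)))


def policy_response_attributes(session_timeout, vlan_id):
    """Attributes a policy with a Session-Timeout action and an Assign VLAN action would add."""
    return avp(SESSION_TIMEOUT, integer_value(session_timeout)) + vlan_assignment(vlan_id)


def decode(blob):
    """Split a run of AVPs into (type, value) pairs, rejecting truncated or undersized ones."""
    out, i = [], 0
    while i < len(blob):
        if len(blob) - i < 2:
            raise ValueError("truncated attribute header")
        attr_type, length = blob[i], blob[i + 1]
        if length < 3 or i + length > len(blob):
            raise ValueError("bad attribute length")
        out.append((attr_type, blob[i + 2:i + length]))
        i += length
    return out


if __name__ == "__main__":
    for attr_type, value in decode(policy_response_attributes(3600, 42)):
        print(attr_type, value.hex())
```

Tunnel attributes in one response must share the same tag value so the authenticator treats them as one VLAN assignment; the page’s note that only one VLAN per policy is honoured matches this single-tag usage.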
Policy Processing Steps
Elektron processes and applies each authorization policy in the order in which it appears in the policies list. For each policy, Elektron determines whether or not to apply the policy by following these steps (if “apply this policy if any rule matches” is selected, some steps may be skipped):
- First, Elektron checks any day and time rules against the day and time of the connection.
- The username is matched against any username rule patterns contained in the policy, if the authentication was not based on a MAC address.
- User account groups are checked. For LDAP and ODBC authentication, be sure to read the documentation for these authentication methods for specific configuration information regarding user account groups.
- Access point groups are checked, if any are configured for the policy.
- MAC address groups are checked, if the authentication was based on a MAC address.
- Scripts in the policy rules are executed.
If the above steps have triggered application of the policy being processed, according to the policy’s “Apply This Policy” setting, the policy is applied using the following process:
- If the “Deny Connection” option is checked, the result of the connection request is set to “Access-Reject”, otherwise, the result is set to “Access-Accept”.
- Any RADIUS attributes configured are appended to the resulting RADIUS response. Custom RADIUS attributes can be configured using the user RADIUS dictionary file. See “RADIUS Dictionaries” for more information on configuring custom RADIUS attributes.
- VLAN attributes are appended to the response, if the policy is configured to assign the user to a VLAN.
- Any script actions configured will be executed.
- Finally, if “Stop Processing Policies” is selected, no further authorization policies will be applied for this connection. If this option is not selected, the next authorization policy in the list (if any) will be processed. Setting “Deny Connection” option implicitly selects the “Stop Processing Policies” option. That is, if the current policy denies the connection request, no further policies will be processed.
Because complex authorization policy schemes can be affected by the order in which each policy is applied, you may determine the order by dragging and dropping the policies within the policy list.
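The processing order described above, as an added example that is not Elektron’s own code: a small Python model of the policy list that evaluates the day and time, username domain, user group and access point group rules (case-insensitively, as the page specifies), combines them according to the “Apply This Policy” setting, and then carries out the actions in the documented order, including “Deny Connection” implying “Stop Processing Policies”. The four policies, group names, access point groups and request times are constructed sample data that show the exception-first pattern from the “Stop Processing Policies” section. Where policies in different positions both assign a VLAN, the model lets the later one win; the page only specifies this within a single policy, so that part is an assumption.

```python
from dataclasses import dataclass, field
from datetime import datetime


def domain_of(username):
    """Domain of 'user@domain.com' or 'DOMAIN\\user' (Elektron accepts both), lowercased."""
    if "\\" in username:
        return username.split("\\", 1)[0].lower()
    return username.rsplit("@", 1)[1].lower() if "@" in username else ""


def hour_block(weekdays, start, end):
    """(weekday, hour) slots at one-hour granularity; weekday 0 = Monday, hours in [start, end)."""
    return {(d, h) for d in weekdays for h in range(start, end)}


def lower(names):
    return {n.lower() for n in names}


@dataclass
class Policy:
    name: str
    mode: str = "any"                  # "Apply This Policy": "any", "all" or "always"
    enabled: bool = True               # False models "Policy is Disabled"
    hours: set = field(default_factory=set)       # rule: (weekday, hour) slots
    domain: str = None                 # rule: username "contains domain"
    groups: set = field(default_factory=set)      # rule: user account groups
    ap_groups: set = field(default_factory=set)   # rule: access point groups
    deny: bool = False                 # action: Deny Connection (implies stop)
    stop: bool = False                 # action: Stop Processing Policies
    vlan: int = None                   # action: Assign VLAN
    attributes: dict = field(default_factory=dict)  # action: RADIUS attributes to add

    def __post_init__(self):
        if self.mode != "always" and not any((self.hours, self.domain, self.groups, self.ap_groups)):
            raise ValueError(f"policy {self.name!r} needs at least one rule")
        if not (self.deny or self.stop or self.vlan is not None or self.attributes):
            raise ValueError(f"policy {self.name!r} needs at least one action")


@dataclass
class Request:
    username: str
    groups: set
    ap_group: str
    when: datetime
    mac_auth: bool = False             # authenticated by MAC address rather than credentials


def rule_results(p, r):
    """Evaluate the configured rules in the manual's order; all matching is case-insensitive."""
    out = []
    if p.hours:
        out.append((r.when.weekday(), r.when.hour) in p.hours)
    if p.domain and not r.mac_auth:    # username rules are skipped for MAC-address authentication
        out.append(domain_of(r.username) == p.domain.lower())
    if p.groups:
        out.append(bool(lower(r.groups) & lower(p.groups)))
    if p.ap_groups:
        out.append(r.ap_group.lower() in lower(p.ap_groups))
    return out


def policy_applies(p, r):
    if not p.enabled:
        return False
    if p.mode == "always":
        return True
    results = rule_results(p, r)       # empty if every rule was skipped: treated as no match
    return bool(results) and (any(results) if p.mode == "any" else all(results))


def authorize(policies, r):
    """Walk the ordered policy list and assemble the RADIUS response for one request."""
    resp = {"code": "Access-Accept", "attributes": {}, "vlan": None, "applied": []}
    for p in policies:
        if not policy_applies(p, r):
            continue
        resp["applied"].append(p.name)
        if p.deny:
            resp["code"] = "Access-Reject"
        resp["attributes"].update(p.attributes)
        if p.vlan is not None:
            resp["vlan"] = p.vlan      # assumption: a later policy's VLAN replaces an earlier one
        if p.deny or p.stop:           # Deny Connection implies Stop Processing Policies
            break
    return resp


def sample_request(username, groups, ap_group, when_iso, **kw):
    """Constructed request; when_iso like '2024-01-06T10:00' (a Saturday)."""
    return Request(username, set(groups), ap_group, datetime.fromisoformat(when_iso), **kw)


# Constructed policy list: narrow exception policies first, the catch-all policy last.
POLICIES = [
    Policy("Admins Exempt", groups={"Admins"}, stop=True),
    Policy("Lobby Weekend Lockout", mode="all", ap_groups={"Lobby"}, hours=hour_block({5, 6}, 0, 24), deny=True),
    Policy("Staff VLAN", groups={"Staff"}, vlan=20, attributes={"Session-Timeout": 28800}, stop=True),
    Policy("Guest VLAN", mode="always", vlan=99, attributes={"Session-Timeout": 3600}),
]

if __name__ == "__main__":
    print(authorize(POLICIES, sample_request("bob@corp.example", {"Staff"}, "Lobby", "2024-01-06T10:00")))
    print(authorize(POLICIES, sample_request("bob@corp.example", {"Staff"}, "Office", "2024-01-08T10:00")))
```

With this ordering a staff member in the lobby on a Saturday is rejected by the second policy, the same person in the office on a Monday gets VLAN 20 and the catch-all guest policy never runs, and an administrator is exempted from everything because the first policy stops processing. Reordering the list (as the drag-and-drop in the Policies pane allows) changes these outcomes, which is why the order deserves the same review as the policies themselves.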
