Freeradius, Cisco WLC, Mac address auth.

Alan DeKok aland at deployingradius.com
Mon Aug 27 07:37:58 CEST 2007


Brian Ertel wrote:
> I have freeradius working with a Cisco 2000 series controller.  A
> wireless client attempts to associate with a WAP, the controller sends an
> auth request to freeradius, which sees the MAC address of the user:
> 
> 00:0e:35:1c:e0:52 Auth-Type := Local, User-Password == "testing"

  Don't set Auth-Type.  Use "Cleartext-Password := ...", not
"User-Password == ..."

> That puts the user in vlan 157, great, it works.  So that is for a user
> whose mac address is known.  Now I'd like to work with unknown users.
> The trouble is once one enables MAC address filtering on the Cisco it
> will always call to radius.  Is there a way to allow all MAC addresses to
> be accepted in the "users" config similar to the above?

  List all known MAC addresses first.  Then, do:

DEFAULT	User-Name =~ "([0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}", Auth-Type := Accept
	... vlan stuff

  i.e. forcing acceptance or rejection of a user is one of the few times
that setting Auth-Type is permitted.

>  That way I
> could throw all unknown users into a restricted access vlan which
> redirects them to a registration page which in turn takes their mac
> address and injects it into freeradius thus making them a "known" user
> and puts them in a normal access vlan...

  Yup.  That's a common configuration.

  Alan DeKok.
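
The ordering described in the reply (known MAC entries first, then a DEFAULT regex that accepts any other MAC into the restricted VLAN), modelled in Python as an added example that is not part of the original message. Assumptions: the pattern uses {2}/{5} quantifiers and adds ^...$ anchors, known entries are looked up by exact string match, and RESTRICTED_VLAN is a placeholder because the thread does not give that VLAN id.

```python
import re

# MAC pattern for the DEFAULT entry. The ^...$ anchors are an addition here so
# that a longer User-Name that merely contains a MAC does not fall into the
# catch-all entry.
MAC_RE = re.compile(r"^([0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}$")

# Constructed sample data: the one registered MAC from the thread, in VLAN 157.
KNOWN = {"00:0e:35:1c:e0:52": "157"}
RESTRICTED_VLAN = "999"  # placeholder: registration VLAN id is not in the thread


def decide(user_name, known=KNOWN):
    """Model the users-file order: known entries first, then the DEFAULT regex.

    Returns (result, vlan). The known-entry lookup is modelled as an exact
    string match, so a MAC sent in a different case or delimiter style than
    the stored key is treated as unknown and lands in the restricted VLAN.
    Password checking is out of scope for this model.
    """
    if user_name in known:
        return ("known", known[user_name])
    if MAC_RE.fullmatch(user_name):
        return ("unknown-mac", RESTRICTED_VLAN)
    return ("reject", None)


def register(mac, known, vlan="157"):
    """Registration-page step: store a validated MAC so the next auth is known."""
    if not MAC_RE.fullmatch(mac):
        raise ValueError("not a colon-separated MAC: %r" % mac)
    known[mac] = vlan


if __name__ == "__main__":
    # Constructed User-Name values, as a controller might send them.
    for name in ["00:0e:35:1c:e0:52", "00:0E:35:1C:E0:52",
                 "aa:bb:cc:dd:ee:ff", "aabbccddeeff", "guest"]:
        print(name, decide(name))
```

The second sample value shows why the registration page should store MACs in exactly the form the controller sends them: an upper-case copy of a registered address is treated as unknown.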


