Assign link-local addresses on authentication/authorization failure

[William C. Chandler]

Hey all,

I'm having trouble wrapping my brain around the correct way to do this, if at all possible.  Some guidance would be greatly appreciated!

I'm looking to assign link-local addresses to clients who fail to authenticate or fail to be authorized for access.  I was wondering if this was even possible with radius?  Would it be a DHCP-Reject in the post-auth section? Maybe something update reply?  I've even thought about creating a new vlan with a dhcp server/scope of 169.254.254.x/24 and just dropping the users there...

For more details -- setting up WPA enterprise wifi network, and we require our LDAP users to be part of certain groups to get on ("wirelessfaculty," and "wirelessstudents").  If they fail to authenticate due to bad password it'd be nice to give them a 169.254.0.1 address.  Or if they're not in the proper group, a 169.254.0.2.  This seems like it'd help us more quickly assess which step caused the hangup.

Thanks for any ideas!
--William
Email correspondence to and from this address may be subject to the North Carolina Public Records law and may be disclosed to third parties by an authorized state official (NCGS. ch. 132). Student educational records are subject to FERPA.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.freeradius.org/mailman/private/freeradius-users/attachments/20140320/7c0cdd99/attachment.html>