WPA2 enterprise and NAS-Identifier
Alan DeKok
aland at deployingradius.com
Wed Sep 23 16:59:11 CEST 2015
On Sep 23, 2015, at 10:08 AM, Lorenzo Milesi <maxxer at ufficyo.com> wrote:
> I'm trying to setup WPA2 authentication, and I mostly succeded, I can authenticate users which are in MySQL on FR2.
> What I am missing is the ability to restrict some users access using the NAS-Identifier attribute.
>
> From what I could see the request (made from a DDWRT AP) doesn't include that attribute, so when it comes to radius it rejects the access because of that.
You've changed the default configuration to require NAS-Identifier... in a situation where the NAS doesn't send NAS-Identifier.
Why? That doesn't make any sense.
> Is it somehow possible to update the request (like it can be done for dynamic clients) and add the attribute there?
Add it with what value? Any value you use can only be derived from existing attributes in the packet. So why not use the attributes that *exist*, instead of one that doesn't exist?
If you want to create a NAS-Identifier attribute, see "man unlang". There are tons of documentation files and examples showing you how to create attributes.
Alan DeKok.
More information about the Freeradius-Users
mailing list