Unknown username and password matching

Alan DeKok aland at deployingradius.com
Thu Apr 11 08:35:53 CEST 2019


On Apr 10, 2019, at 11:07 PM, Dan Strong <danstrong_01 at hotmail.co.uk> wrote:
> 
> 
> I'm trying to authenticate users on to different networks but without their usernames and passwords.
> 
> Basically they input a specific psk on wireless and this then hits the radius and sends them onto a vlan.
> 
> So I have this working using DEFAULT auth-type = accept.
> 
> It's matching a Cisco avpair psk and vlan attribute, they get dropped on to a specific vlan. This works.

  That's good.

> If I put the wrong psk in, I don't get on the network so this is good and expected. It's matching the Cisco avpair psk in radius.

  That's also good.

> Is there any way to have a 2nd DEFAULT and have it match a 2nd cisco avpair? So in essence it looks at the first and says no, moves to the 2nd set of attributes? Validates a different password and drops them on a different vlan.
> 
> I know I'm using default and it's matching anything, maybe there is another way? I don't want to match a sent username and password to confirm as this is sent as the device's MAC address which would be unknown to me.
> 
> Feel like this should work somehow but I'm missing something...

  It's not clear what you want it to do.  You're asking about a particular solution.  Which means that the *problem* isn't clear.

  What do you want it to do?  Talk about results, not about configuration files.

  If you're not doing username / password checks, how do you distinguish users in one VLAN from users in another VLAN?

  Alan DeKok.



