Unknown username and password matching

Dan Strong danstrong_01 at hotmail.co.uk
Thu Apr 11 12:11:20 CEST 2019

What I'm trying to do is have users connect to the WiFi (A single SSID) with their own PSK, depending on the PSK, they are dropped to a specific vlan. The username and password which is sent to the radius from the WLC is the users MAC address. In this particular building there are lots of SSID's with connected unique vlans.

So what I'm asking is can we ignore the username and password that comes through, and just match the psk?

Can you have something like Username is the CISCO-AVPair = PSK attribute or something?

Basically I just want unknown users to be authenticated using the psk and put to a certain vlan based on the psk they enter only.

From: Freeradius-Users <freeradius-users-bounces+danstrong_01=hotmail.co.uk at lists.freeradius.org> on behalf of Alan DeKok <aland at deployingradius.com>
Sent: Thursday, April 11, 2019 6:35 AM
To: FreeRadius users mailing list
Subject: Re: Unknown username and password matching

On Apr 10, 2019, at 11:07 PM, Dan Strong <danstrong_01 at hotmail.co.uk> wrote:
> I'm trying authenticate users on to different networks but without their usernames and passwords.
> Basically they input a specific psk on wireless and this then hits the radius and sends them onto a vlan.
> So I have this working using DEFAULT auth-type = accept.
> It's matching a Cisco avpair psk and vlan attribute, they get dropped on to a specific vlan. This works.

  That's good.

> If I put the wrong psk in, I don't get on the network so this is good and expected. It's matching the Cisco avpair psk in radius.

  That's also good.

> Is there any way to have a 2nd DEFAULT and have it match a 2nd cisco avpair? So in essence it looks at the first and says no, moves to the 2nd set of attributes? Validates a different password and drops them on a different vlan.
> I know I'm using default and it's matching anything, maybe there is another way? I don't want to match a sent username and password to confirm as this is sent as the devices Mac address which would be unknown to me.
> Feel like this should work somehow but I'm missing something...

  It's not clear what you want it to do.  You're asking about a particular solution.  Which means that the *problem* isn't clear.

  What do you want it to do?  Talk about results, not about configuration files.

  If you're not doing username / password checks, how do you distinguish users in one VLAN from users in another VLAN?

  Alan DeKok.

List info/subscribe/unsubscribe? See https://eur01.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.freeradius.org%2Flist%2Fusers.html&data=02%7C01%7C%7Cc528e93c76254fb864cf08d6be4800f6%7C84df9e7fe9f640afb435aaaaaaaaaaaa%7C1%7C0%7C636905613789614694&sdata=vqIvLxTpW2APWEjD%2FuomXFSBtV%2BfpvtOk%2BObKeHfex0%3D&reserved=0

More information about the Freeradius-Users mailing list