How to grant some (!) devices access to network but all others have to provide passwords

arjun sharma arjuniet.28 at gmail.com
Thu Dec 26 15:02:15 CET 2019 

Hi,

if you are fine with EAP-TTLS then well and good else you can follow the
below

You need to understand the basic like why you are getting prompt to enter
credentials  and what happens inside when you enter correct credentials.

please read about session-timeout  and mac auth ( mixed with  802.1x )

authorize {
        preprocess
        # always check against the authorized_macs file first
        authorized_macs

        if (!ok) {
        # Reject if the MAC address was not permitted.
                reject
        }

        # If this is NOT 802.1x, mac-auth
        if (!EAP-Message) {
                # MAC address has already been checked, so accept
                update control {
                        Auth-Type := Accept
                }
        }
        else {
                # Normal FreeRADIUS virtual server config goes here e.g.
                eap
        }
}

Session timeout can be configured on the RADIUS server so that each client
can have a different timeout value. The Session-Timeout attribute as
defined in RFC 2865 is included in the Access-Accept message, and sets the
maximum number of seconds of service to be provided to the user before
termination of the session.



On Tue, Dec 24, 2019, 1:05 AM Alan DeKok <aland at deployingradius.com> wrote:

> On Dec 23, 2019, at 12:12 PM, uj2.hahn at posteo.de wrote:
> >
> > Thanks, Alan!
> > I generated brand new certificates and installed them on one Android
> tablet.
>
>   That's good...
>
> > But now I'm not sure what the expected use model is:
> > Can I connect immediately without any credentials or do I have to
> provide a valid user/passwd once
> > and it will be saved forever?
>
>   If you use EAP-TLS, it shouldn't need a password.
>
>   But in the end, this question is for the end user device, not for
> FreeRADIUS.
>
> > When I try to connect I see the WLAN credential form again (although it
> looks different than before).
> > So I have to enter some valid credential. Then it is saved. Is this the
> expected behavior?
>
>   Ask the device manufacturer how their systems work.  We didn't implement
> the UI on the android tablet, and we know nothing about it.
>
> > What is the expected message in the debug logfile saying everything is
> fine with the certificates?
>
>   The server sends an Access-Accept.
>
>   If something goes wrong the error messages are large and descriptive.
>
>   Alan DeKok.
>
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html

More information about the Freeradius-Users mailing list