I have FreeRADIUS Version 1.1.0
I want to disallow login to access points for every hosts that are not in my network.
So at the end of /usr/local/etc/raddb/users file I put regular expression that checks if Calling-Station-Id IS NOT in list of my hosts...
DEFAULT Auth-Type := REJECT, Calling-Station-Id !~ "008012323244|002938475473|<and many other macs...>"
Is there any reason you shouldn't have a separate stanza accepting each valid MAC address, then implicitly reject all other MAC addresses?
I accepts users using eap-peap + mysql. Logins are not the Identity but are extracted from eap messages, so I cant use users file for auth (?). In users file there are visible User-Name attrs that I do not use (they are not the same as they from eap-message). My wireless cards have 3 fields: Identity, eap login, eap password. My users can use everything in identity, but must use correct login and password. So users file is kind of "filter". If my host try to access network from 'incorrect' access point there is a REJECT. If accessed ap is 'correct' there is no reject and eap-peap + mysql works for me... Norboro