Thanks for the tip, Schilling. We wanted to provide a "splash page" for unauthenticated access attempts. This helps to answer a whole other list of questions on "how" to do that. Jim --- On Wed, 2/2/11, schilling <schilling2006@gmail.com> wrote:
From: schilling <schilling2006@gmail.com> Subject: Re: MAC Authentication - Bad Idea? To: "FreeRadius users mailing list" <freeradius-users@lists.freeradius.org> Date: Wednesday, February 2, 2011, 11:32 AM We implemented MAC authentication with netreg at http://netreg.sourceforge.net. We used DHCP/DNS/HTTP piece from netreg. It's essence is DHCP/DHS/HTTP on one server. Basically there will be a vlan we called sandbox with ip helper-address pointing to sandbox.foo.edu. The DHCP is configured to have DNS pointing to sandbox.foo.edu too. bind is configured to resolve everything to sandbox.foo.edu. HTTP is configured with dynamic webpage as explained later on.
The logic is like the following if (mac not in your database ) { send back a sandbox vlan #user open any webpage will get redirected to single server } else if (mac in your database) { if (user blocked ) { sendback sandbox VLAN } send back regular vlan name with additional attribute as you want }
On the web server, if you are here, you are either unregistered or registered but blocked. We have dynamic webpage to do the following things #mac not registered #user webpage to get IP, then use IP to get MAC from DHCP lease file if (MAC not in database ) { webportal of login with (ldap, ssh, ftp) backend, mac address will be populated in the database. } #mac in database but blocked else { display the mac is blocked and call helpdesk }
We use this to gain a lot of knowledge/experience on dot1x, and are now moving toward 802.1x.
Schilling