Alan, Thank you for the response. Was your first input: "Don't set Auth-Type. User "Cleartext-Password := ...", not "User-Password == ..." a correction of what I am using or syntax to accomplish the unknown/known user issue? In other words which syntax takes care of the unknown users and which takes care of the known users? I am still unclear about how freeradius identifies and returns values for unknown users. Thank you, Brian -----Original Message----- From: freeradius-users-bounces@lists.freeradius.org [mailto:freeradius-users-bounces@lists.freeradius.org] On Behalf Of Alan DeKok Sent: Monday, August 27, 2007 1:38 AM To: FreeRadius users mailing list Subject: Re: Freeradius, Cisco WLC, Mac address auth. Brian Ertel wrote:
I have freeradius working with a Cisco 2000 series controller. A wireless client attempts to associate with a WAP the controller sends an auth request to freeradius who sees the mac address of the user:
00:0e:35:1c:e0:52 Auth-Type := Local, User-Password == "testing"
Don't set Auth-Type. User "Cleartext-Password := ...", not "User-Password == ..."
That puts the user in vlan 157, great, it works. So that is for a user whose mac address is known. Now I'd like to work with unknown users. The trouble is once one enable mac address filtering on the Cisco it will alway call to radius. Is there away to allow all MAC addresses to be accepted in the "users" config similar to the above?
List all known MAC addresses first. Then, do: DEFAULT User-Name =~ "([0-9a-fA-F]:)5[0-9a-fA-F]", Auth-Type := Accept ... vlan stuff i.e. forcing acceptance or rejection of a user is one of the few times that setting Auth-Type is permitted.
That way I could throw all unkown users into a restricted access vlan which redirects them to a registration page which in turn takes their mac address and injects it into freeradius thus making them a "known" user and puts them in a normal access vlan...
Yup. That's a common configuration. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html