We implemented MAC authentication with netreg at http://netreg.sourceforge.net. We used DHCP/DNS/HTTP piece from netreg. It's essence is DHCP/DHS/HTTP on one server. Basically there will be a vlan we called sandbox with ip helper-address pointing to sandbox.foo.edu. The DHCP is configured to have DNS pointing to sandbox.foo.edu too. bind is configured to resolve everything to sandbox.foo.edu. HTTP is configured with dynamic webpage as explained later on. The logic is like the following if (mac not in your database ) { send back a sandbox vlan #user open any webpage will get redirected to single server } else if (mac in your database) { if (user blocked ) { sendback sandbox VLAN } send back regular vlan name with additional attribute as you want } On the web server, if you are here, you are either unregistered or registered but blocked. We have dynamic webpage to do the following things #mac not registered #user webpage to get IP, then use IP to get MAC from DHCP lease file if (MAC not in database ) { webportal of login with (ldap, ssh, ftp) backend, mac address will be populated in the database. } #mac in database but blocked else { display the mac is blocked and call helpdesk } We use this to gain a lot of knowledge/experience on dot1x, and are now moving toward 802.1x. Schilling On Wed, Feb 2, 2011 at 2:15 PM, Jim Rice <jmrice6640@yahoo.com> wrote:
Thanks, Alan.
The MikroTik routers can be configured to send a variety of MAC address formats, the default is XX:XX:XX:XX:XX:XX
It can also be set to include the same MAC address in the Password field, instead of NULL, but I do not see any added benefit to that.
but had to set Auth-Type := Accept.
Hmm... that's probably not the best way to do it, but if it works...
Is there a best (or better) way?
Do I need to be concerned with MAC spoofing?
Thanks again,
Jim
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html