Crosspost [hostap, freeradius] Can I send "temporary failure" or "wpa tls has failed, so shove them on a vlan" ?
I want an option to do some sort of "your authentication is pending administrative approval. a message has been sent to the administrators, please try again in a few minutes". AND an option to sya "your authentication has failed completely, I'm sending you to a separate vlan" namely, the situation is as follows: I've got an interface available on a separate AP to allow users to register for and acquire a certificate. The certificate is bound to a single hostname and mac address. THere are two failure conditions: 1) the user has bad or no credentials in this case the user should be sent to a captive vlan where all they can do is connect to the registration webpage to acquire a certificate and bind it to their wifi MAC address. 2) the user has good credentials but fails "MAC" authentication. The mac address will go through some level of processing, which will result in either "adding" the mac address to their account and succeeding, or triggering a "We have to send a request for review to the administrators" and sending the user to a separate vlan with a "explain why you have so many MAC addresses" website. Not sure how to configure hostapd and freeradius together to do this.
Christ Schlacta wrote:
1) the user has bad or no credentials in this case the user should be sent to a captive vlan where all they can do is connect to the registration webpage to acquire a certificate and bind it to their wifi MAC address.
You want a captive portal. This has very little to do with RADIUS. Alan DeKok.
On 12/6/2010 6:31 PM, Alan DeKok wrote:
Christ Schlacta wrote:
1) the user has bad or no credentials in this case the user should be sent to a captive vlan where all they can do is connect to the registration webpage to acquire a certificate and bind it to their wifi MAC address. You want a captive portal. This has very little to do with RADIUS.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html I know i'll be developing a custom captive portal to run, what I need to know is how a) freeradius needs to interact with the portal software (can freeradius run scripts as hooks? or similar?, or does freeradius need to use some complex configuration to make updates to the backend (probably sql or ldap), and b) what does hostapd need to allow users with failed authentication to connect, but to a different vlan? is that even possible.
in the grand scheme of things, captivating clients on any given vlan will be a very simple task.
Christ Schlacta wrote:
I know i'll be developing a custom captive portal to run, what I need to know is how a) freeradius needs to interact with the portal software
The captive portal has a web login page, which ends up sending RADIUS requests.
(can freeradius run scripts as hooks? or similar?
I have no idea what you mean by that question.
, or does freeradius need to use some complex configuration to make updates to the backend (probably sql or ldap),
Why would FreeRADIUS need to update a backend? And why would you think it's complex??
and b) what does hostapd need to allow users with failed authentication to connect, but to a different vlan? is that even possible.
See the hostpd documentation for how to do this (if possible)
in the grand scheme of things, captivating clients on any given vlan will be a very simple task.
Yes. And this isn't a RADIUS issue. Go find a captive portal, and configure that. That documentation will tell you what it needs from a RADIUS server. Alan DeKok.
participants (2)
-
Alan DeKok -
Christ Schlacta