Hi. I'm using FreeRADIUS to authenticate Wireless users (WPA) to an LDAP backend. FreeRADIUS also rewrites attributes for dynamic Vlan assignments. Works like a charm. Is it possible to make FreeRADIUS rewrite/force an "Access Denied" reply into an "Access Accept" reply? Why on earth would I want this? Well, I would like to i.e. give a guest-net Vlan back to users that actually fail authentication, so that when they try to access the web they will instead get connected to a redirected guest-information webpage. - or does anyone have an idea of how such a functionality can be achieved through some kindof magic? We're using lightweight AP's connected to Cisco WISM controllers. - Erling Paulsen
into an "Access Accept" reply? Why on earth would I want this? Well, I would like to i.e. give a guest-net Vlan back to users that actually fail authentication, so that when they try to access the web they will instead get connected to a redirected guest-information webpage.
I haven't tested this, but maybe it could be possible with the following setup: * At the end of your 'users' file, define a DEFAULT rule that enforces Auth-Type = Always-Ok - Check that this rule is only used for WiFi accesses - Enforce a Radius profile that apply the correct VLAN settings * Then in your radiusd.conf define the Auth-Type Always-Ok section as to reply always ok (it might be possible by having a look at the setups described in configurable-failover doc) There might be easier way to do so though, I let FR gurus comment. Thibault
Hi; Is there any way to configure in the radius database, the modulation for a user? Ex: if I want to oblige a user to open a dial up session, on a certain modulation, V92 for example (or V90, or V34), can it be done in the radius database using a certain entry? Thanks Elie Hani
Elie Hani wrote:
Hi;
Is there any way to configure in the radius database, the modulation for a user? Ex: if I want to oblige a user to open a dial up session, on a certain modulation, V92 for example (or V90, or V34), can it be done in the radius database using a certain entry?
Thanks Elie Hani
Hi Elie, I suppose it's possible if your NAS supports it, but don't your modems automatically negotiate that? -- James Wakefield, Unix Administrator, Information Technology Services Division Deakin University, Geelong, Victoria 3217 Australia. Phone: 03 5227 8690 International: +61 3 5227 8690 Fax: 03 5227 8866 International: +61 3 5227 8866 E-mail: james.wakefield@deakin.edu.au Website: http://www.deakin.edu.au
Hi James; My customers do negotiatie it automatically, and on the NAS it can be done for all users, but I was wondering if it can be done on the radius database for predefined users. Thanks James. Kind Regards Elie -----Original Message----- From: freeradius-users-bounces+ehani=wise.net.lb@lists.freeradius.org [mailto:freeradius-users-bounces+ehani=wise.net.lb@lists.freeradius.org] On Behalf Of James Wakefield Sent: Friday, November 17, 2006 3:47 PM To: FreeRadius users mailing list Subject: Re: Configuring the modulation Elie Hani wrote:
Hi;
Is there any way to configure in the radius database, the modulation for a user? Ex: if I want to oblige a user to open a dial up session, on a certain modulation, V92 for example (or V90, or V34), can it be done in the radius database using a certain entry?
Thanks Elie Hani
Hi Elie, I suppose it's possible if your NAS supports it, but don't your modems automatically negotiate that? -- James Wakefield, Unix Administrator, Information Technology Services Division Deakin University, Geelong, Victoria 3217 Australia. Phone: 03 5227 8690 International: +61 3 5227 8690 Fax: 03 5227 8866 International: +61 3 5227 8866 E-mail: james.wakefield@deakin.edu.au Website: http://www.deakin.edu.au - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Erling Paulsen wrote:
Hi.
Is it possible to make FreeRADIUS rewrite/force an "Access Denied" reply into an "Access Accept" reply? Why on earth would I want this? Well, I would like to i.e. give a guest-net Vlan back to users that actually fail authentication, so that when they try to access the web they will instead get connected to a redirected guest-information webpage.
- or does anyone have an idea of how such a functionality can be achieved through some kindof magic?
We do a similar thing, but the logic is a little more complicated. I had to write a module to do what I wanted, which I call from the Post Auth phase. Our module retrieves a "Captive Portal" network access profile out of LDAP and sets the response code to Access-Accept. The major problem with modifying the response code in the post-auth section is that the authentication result has already been written to radiusd.log at that stage (in version 1.0.1) so it starts to make the log files difficult to interpret. So, its definitely possible to do what you want, make it may take a reasonable amount of effort. cheers, Mike
participants (5)
-
Elie Hani -
Erling Paulsen -
James Wakefield -
Michael Mitchell -
Thibault Le Meur