Cisco AP Vlan assignment when proxying EAP-PEAP?

Guy Davies Guy.Davies at telindus.co.uk
Wed Nov 9 16:16:15 CET 2005


You could do this on IOS based APs by creating multiple SSIDs.  You can
have a secured SSID that connects to your protected VLAN.  Then, you
could have an appropriately named SSID (NEWUSERSSTARTHERE ? :-) that is
unencrypted and unauthenticated.  It is associated with a walled garden
VLAN with some kind of web capture device so that when the user connects
and opens their browser, they're redirected to your webpage with
instructions on how to download the client and configure it.  They then
get reassociated to the secured SSID.

Other vendors do this more elegantly by providing the ability to specify
a "last-resort" VLAN to which users are dumped if they fail
authentication via EAP.  The main difficulty is that an SSID that
supports EAP is encrypted whereas you need an unencrypted SSID for a
last-resort type user.  So you generally end up with different SSIDs
anyway.

Rgds,

Guy 

-----Original Message-----
From: freeradius-users-bounces at lists.freeradius.org
[mailto:freeradius-users-bounces at lists.freeradius.org] On Behalf Of Josh
Howlett
Sent: 09 November 2005 14:39
To: FreeRadius users mailing list
Subject: Re: Cisco AP Vlan assignment when proxying EAP-PEAP?

Hi Jezz,

> Do you have any cunning solutions to how you might get around the
> reject issue?
> I'd imagine it's quite a common scenario, i.e. wanting to let users know
> that they are doing something wrong as opposed to just rejecting them.

Not really. FWIW, I think that a module that caught proxied packets
(such as Access-Rejects) and converted them into other packet-types
(such as Access-Accepts) would be very useful.

best regards, josh.
-
List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html
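
The two-SSID layout described in the message above, sketched as an autonomous Cisco IOS AP configuration. This is an added example, not part of the original thread; the SSID name CAMPUS-SECURE, the VLAN numbers, the RADIUS server address and the method-list name are assumptions.

```cisco
! Constructed example: VLAN IDs, the SSID name CAMPUS-SECURE, the RADIUS
! address 192.0.2.10 and the list name eap_methods are assumptions.
aaa new-model
radius-server host 192.0.2.10 auth-port 1812 acct-port 1813 key <shared-secret>
aaa group server radius rad_eap
 server 192.0.2.10 auth-port 1812 acct-port 1813
aaa authentication login eap_methods group rad_eap
!
! Secured SSID: EAP authentication via RADIUS, WPA keying, protected VLAN 10
dot11 ssid CAMPUS-SECURE
 vlan 10
 authentication open eap eap_methods
 authentication network-eap eap_methods
 authentication key-management wpa
!
! Onboarding SSID: open, broadcast in beacons, walled-garden VLAN 99
dot11 ssid NEWUSERSSTARTHERE
 vlan 99
 authentication open
 guest-mode
!
interface Dot11Radio0
 ! Encryption applies to VLAN 10 only; VLAN 99 stays unencrypted
 encryption vlan 10 mode ciphers aes-ccm
 ssid CAMPUS-SECURE
 ssid NEWUSERSSTARTHERE
!
! Native VLAN 1 carries AP management traffic
interface Dot11Radio0.1
 encapsulation dot1Q 1 native
 bridge-group 1
interface Dot11Radio0.10
 encapsulation dot1Q 10
 bridge-group 10
interface Dot11Radio0.99
 encapsulation dot1Q 99
 bridge-group 99
!
interface FastEthernet0.1
 encapsulation dot1Q 1 native
 bridge-group 1
interface FastEthernet0.10
 encapsulation dot1Q 10
 bridge-group 10
interface FastEthernet0.99
 encapsulation dot1Q 99
 bridge-group 99
```

The AP only maps each SSID to its VLAN; restricting VLAN 99 to DHCP, DNS and the web capture device is done on the upstream switch or gateway.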
