Freeradius, Cisco WLC, Mac address auth.
Alan DeKok
aland at deployingradius.com
Mon Aug 27 07:37:58 CEST 2007
Brian Ertel wrote:
> I have freeradius working with a Cisco 2000 series controller. A
> wireless client attempts to associate with a WAP, the controller sends an
> auth request to freeradius who sees the mac address of the user:
>
> 00:0e:35:1c:e0:52 Auth-Type := Local, User-Password == "testing"
Don't set Auth-Type. Use "Cleartext-Password := ...", not
"User-Password == ...".
> That puts the user in vlan 157, great, it works. So that is for a user
> whose mac address is known. Now I'd like to work with unknown users.
> The trouble is once one enables mac address filtering on the Cisco it
> will always call to radius. Is there a way to allow all MAC addresses to
> be accepted in the "users" config similar to the above?
List all known MAC addresses first. Then, do:
DEFAULT User-Name =~ "([0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}", Auth-Type := Accept
	... vlan stuff
i.e. forcing acceptance or rejection of a user is one of the few times
that setting Auth-Type is permitted.
> That way I
> could throw all unknown users into a restricted access vlan which
> redirects them to a registration page which in turn takes their mac
> address and injects it into freeradius thus making them a "known" user
> and puts them in a normal access vlan...
Yup. That's a common configuration.
Alan DeKok.
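
The lookup order described in the reply, modelled in Python as an added example (not part of the original post and not FreeRADIUS code): listed MACs are checked first, then the DEFAULT regex catches any other MAC-shaped User-Name. The restricted VLAN number, the sample User-Name values and the anchored pattern variant are assumptions made for the illustration.

```python
import re

# MAC-shaped User-Name pattern for the DEFAULT entry, plus an anchored variant.
# The anchors are an assumption added for this example.
UNANCHORED = re.compile(r"([0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}")
ANCHORED = re.compile(r"^([0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}$")

KNOWN_MACS = {"00:0e:35:1c:e0:52": 157}  # MAC and VLAN quoted in the thread
RESTRICTED_VLAN = 999                     # constructed placeholder


def lookup(user_name, default_pattern):
    """Model the first-match order: listed MACs first, then DEFAULT.

    Listed names are compared as exact strings, so case and delimiter matter.
    Returns (entry, vlan); (None, None) means no entry matched at all.
    """
    if user_name in KNOWN_MACS:
        return ("known", KNOWN_MACS[user_name])
    if default_pattern.search(user_name):
        return ("default", RESTRICTED_VLAN)
    return (None, None)


# Constructed User-Name values, as a NAS might send them.
SAMPLES = [
    "00:0e:35:1c:e0:52",        # registered client
    "00:0E:35:1C:E0:52",        # same MAC, upper case
    "aa:bb:cc:dd:ee:ff",        # unregistered client
    "00-0e-35-1c-e0-52",        # hyphen-delimited MAC
    "bob",                      # ordinary user name
    "guest aa:bb:cc:dd:ee:ff",  # MAC embedded in a longer string
]


def compare():
    """Return {user_name: (unanchored result, anchored result)}."""
    return {s: (lookup(s, UNANCHORED), lookup(s, ANCHORED)) for s in SAMPLES}


if __name__ == "__main__":
    for name, (loose, strict) in compare().items():
        print(f"{name!r:28} unanchored={loose} anchored={strict}")
```

A registered MAC sent in a different case or with a different delimiter misses its own entry, so the format the controller sends has to match the format stored in the "users" file.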