Brian Ertel wrote:
I have freeradius working with a Cisco 2000 series controller. A wireless client attempts to associate with a WAP the controller sends an auth request to freeradius who sees the mac address of the user:
00:0e:35:1c:e0:52 Auth-Type := Local, User-Password == "testing"
Don't set Auth-Type. User "Cleartext-Password := ...", not "User-Password == ..."
That puts the user in vlan 157, great, it works. So that is for a user whose mac address is known. Now I'd like to work with unknown users. The trouble is once one enable mac address filtering on the Cisco it will alway call to radius. Is there away to allow all MAC addresses to be accepted in the "users" config similar to the above?
List all known MAC addresses first. Then, do: DEFAULT User-Name =~ "([0-9a-fA-F]:)5[0-9a-fA-F]", Auth-Type := Accept ... vlan stuff i.e. forcing acceptance or rejection of a user is one of the few times that setting Auth-Type is permitted.
That way I could throw all unkown users into a restricted access vlan which redirects them to a registration page which in turn takes their mac address and injects it into freeradius thus making them a "known" user and puts them in a normal access vlan...
Yup. That's a common configuration. Alan DeKok.