Freeradius, Cisco WLC, Mac address auth.
Brian Ertel
bsertel at amherst.edu
Mon Aug 27 14:18:46 CEST 2007
Alan,

Thank you for the response. Was your first input:

"Don't set Auth-Type. Use "Cleartext-Password := ...", not
"User-Password == ..."

a correction of what I am using or syntax to accomplish the
unknown/known user issue?

In other words which syntax takes care of the unknown users and which
takes care of the known users? I am still unclear about how freeradius
identifies and returns values for unknown users.

Thank you,
Brian

-----Original Message-----
From: freeradius-users-bounces at lists.freeradius.org
[mailto:freeradius-users-bounces at lists.freeradius.org] On Behalf Of Alan
DeKok
Sent: Monday, August 27, 2007 1:38 AM
To: FreeRadius users mailing list
Subject: Re: Freeradius, Cisco WLC, Mac address auth.
Brian Ertel wrote:
> I have freeradius working with a Cisco 2000 series controller. A
> wireless client attempts to associate with a WAP the controller sends an
> auth request to freeradius who sees the mac address of the user:
>
> 00:0e:35:1c:e0:52 Auth-Type := Local, User-Password == "testing"
Don't set Auth-Type. Use "Cleartext-Password := ...", not
"User-Password == ..."
> That puts the user in vlan 157, great, it works. So that is for a user
> whose mac address is known. Now I'd like to work with unknown users.
> The trouble is once one enables mac address filtering on the Cisco it
> will always call to radius. Is there a way to allow all MAC addresses to
> be accepted in the "users" config similar to the above?
List all known MAC addresses first. Then, do:
DEFAULT User-Name =~ "^([0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}$", Auth-Type := Accept
        ... vlan stuff
i.e. forcing acceptance or rejection of a user is one of the few times
that setting Auth-Type is permitted.
> That way I
> could throw all unknown users into a restricted access vlan which
> redirects them to a registration page which in turn takes their mac
> address and injects it into freeradius thus making them a "known" user
> and puts them in a normal access vlan...
Yup. That's a common configuration.
Alan DeKok.
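
Added example, not part of the original thread and not the posters' own configuration: a "users" file laid out in the order described above, with known MAC addresses first and the DEFAULT catch-all last. Assumptions: the Tunnel-* reply attributes stand in for the "vlan stuff" the message leaves out, VLAN 999 and the second MAC address are constructed placeholders, and the regex is written out in full with anchors.

```conf
# "users" file sketch (constructed example). Entries are checked top to
# bottom and processing stops at the first match unless Fall-Through is set,
# so every known MAC must appear before the DEFAULT entry.

# --- Known users -------------------------------------------------------
# No Auth-Type here: Cleartext-Password := tells the server the "known
# good" password and lets it pick the authentication method itself.
# The key must match the delimiter and letter case the controller sends.
00:0e:35:1c:e0:52  Cleartext-Password := "testing"
        Tunnel-Type = VLAN,
        Tunnel-Medium-Type = IEEE-802,
        Tunnel-Private-Group-Id = "157"

# Second known client (constructed MAC from the documentation range).
00:00:5e:00:53:01  Cleartext-Password := "testing"
        Tunnel-Type = VLAN,
        Tunnel-Medium-Type = IEEE-802,
        Tunnel-Private-Group-Id = "157"

# --- Unknown users -----------------------------------------------------
# Anything that reaches this point was not listed above. The anchored
# regex accepts only User-Names shaped like a colon-separated MAC, and
# Auth-Type := Accept forces acceptance without checking a password.
# Because any MAC-shaped name is accepted, the VLAN returned here is the
# only thing limiting what these clients can reach.
DEFAULT User-Name =~ "^([0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}$", Auth-Type := Accept
        Tunnel-Type = VLAN,
        Tunnel-Medium-Type = IEEE-802,
        Tunnel-Private-Group-Id = "999"
```

A User-Name that is neither listed nor MAC-shaped matches no entry in this file, so nothing here accepts it.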