King, Michael
MKing at bridgew.edu
Thu Mar 15 15:55:55 CET 2007
What manufacturer makes the NAS (the wireless controller)?
I would look to the Called-Station field. Usually (based on Cisco APs) this is the MAC of the AP, followed by the SSID they connected to.
> -----Original Message-----
> From: freeradius-users-bounces+mking=bridgew.edu at lists.freeradius.org
> [mailto:freeradius-users-bounces+mking=bridgew.edu at lists.freeradius.org]
> On Behalf Of markcapelle at pcmc.com
> Sent: Thursday, March 15, 2007 10:48 AM
> To: freeradius-users at lists.freeradius.org
> Subject:
>
> I have a situation where I have a wireless controller that
> services multiple wireless networks (vlans). When the
> controller contacts the RADIUS server with an authentication
> request, it does so with the IP address of the controller as
> the client address. The problem is I have a guest network
> that has lower security than my other wireless networks. The
> guest network has its own user/password database stored in
> the controller, but the way authentication occurs is that it
> checks RADIUS for the user first and assumes it will fail,
> then will use the internal database. The issue with this is
> that if one of my users jumps on the guest network, they are
> authenticated, which is not what I want to happen. Looking at
> the logs, I noticed that all the guest network users have the
> IP address of the client in the "cli" field. My guest
> network is a totally different VLAN and IP subnet.
>
> Is there a way to key off of the "cli" field and then make it
> so that all requests from clients with a specific subnet in
> this field are not authenticated? This would stop my
> internal users from connecting, but allow the correct users
> (those in the internal DB) to still get connected.
>
> Thanks.
>
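The two checks discussed in this thread, as an added example that is not part of either message and is not FreeRADIUS configuration: it models a reject decision from the SSID suffix of Called-Station-Id (the "AP MAC, then SSID" layout described in the reply) and from an IP address in Calling-Station-Id, the attribute FreeRADIUS logs as "cli". The SSID name `guest`, the subnet `192.0.2.0/24` and the function names are assumptions chosen for illustration.

```python
import ipaddress
import re

# Constructed sample policy values (assumptions, not taken from the thread).
GUEST_SSIDS = {"guest"}                                # SSIDs are case-sensitive
GUEST_SUBNET = ipaddress.ip_network("192.0.2.0/24")

# AP MAC in hyphen, colon or Cisco dotted notation, optionally followed by ":SSID".
_MAC_SSID = re.compile(
    r"^((?:[0-9A-Fa-f]{2}[-:.]?){5}[0-9A-Fa-f]{2})(?::(.*))?$"
)


def parse_called_station_id(value):
    """Split 'AP-MAC:SSID' into (normalized_mac, ssid); ssid is None if absent."""
    m = _MAC_SSID.match(value.strip())
    if not m:
        return None, None
    mac = re.sub(r"[^0-9A-Fa-f]", "", m.group(1)).lower()
    return mac, m.group(2)


def should_reject(attrs):
    """Return (reject, reason) for a dict of RADIUS request attributes."""
    _, ssid = parse_called_station_id(attrs.get("Called-Station-Id", ""))
    if ssid is not None and ssid in GUEST_SSIDS:
        return True, "guest SSID in Called-Station-Id"
    cli = attrs.get("Calling-Station-Id", "")
    try:
        if ipaddress.ip_address(cli) in GUEST_SUBNET:
            return True, "cli inside guest subnet"
    except ValueError:
        pass  # cli holds a MAC address or is empty, so the subnet test does not apply
    return False, "not a guest-network request"


if __name__ == "__main__":
    # Constructed requests: a guest-SSID login, then an internal-SSID login.
    for request in (
        {"Called-Station-Id": "00-1A-2B-3C-4D-5E:guest", "Calling-Station-Id": "192.0.2.40"},
        {"Called-Station-Id": "00-1A-2B-3C-4D-5E:corp", "Calling-Station-Id": "00-11-22-33-44-55"},
    ):
        print(request["Called-Station-Id"], should_reject(request))
```

Matching on the SSID does not depend on which IP subnet the controller reports for the client, so it still works when Calling-Station-Id carries a MAC address.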