MAC Authentication - Bad Idea?
Jim Rice
jmrice6640 at yahoo.com
Wed Feb 2 21:36:50 CET 2011
Thanks for the tip, Schilling.
We wanted to provide a "splash page" for unauthenticated access attempts.
This helps to answer a whole other list of questions on "how" to do that.
Jim
--- On Wed, 2/2/11, schilling <schilling2006 at gmail.com> wrote:
> From: schilling <schilling2006 at gmail.com>
> Subject: Re: MAC Authentication - Bad Idea?
> To: "FreeRadius users mailing list" <freeradius-users at lists.freeradius.org>
> Date: Wednesday, February 2, 2011, 11:32 AM
> We implemented MAC authentication with netreg at
> http://netreg.sourceforge.net. We used the DHCP/DNS/HTTP piece from
> netreg. Its essence is DHCP/DNS/HTTP on one server.
>
> Basically there will be a VLAN we called sandbox, with ip
> helper-address pointing to sandbox.foo.edu. The DHCP is configured to
> hand out DNS pointing to sandbox.foo.edu too. bind is configured to
> resolve everything to sandbox.foo.edu. HTTP is configured with a dynamic
> web page, as explained later on.
>
> The logic is like the following:
>
> if (mac not in your database) {
>     send back the sandbox VLAN
>     # any web page the user opens gets redirected to the single server
> } else if (user blocked) {
>     send back the sandbox VLAN
> } else {
>     send back the regular VLAN name, with additional attributes as you want
> }
>
> On the web server, if you are here, you are either unregistered or
> registered but blocked. We have a dynamic web page to do the following
> things:
>
> # the user's web request gives us the IP; use the IP to look up the MAC
> # in the DHCP lease file
> if (MAC not in database) {
>     # mac not registered
>     web portal login with an (ldap, ssh, ftp) backend;
>     the MAC address is then populated in the database.
> } else {
>     # mac in database but blocked
>     display that the MAC is blocked and to call the helpdesk
> }
>
> We used this to gain a lot of knowledge/experience on dot1x, and are
> now moving toward 802.1x.
>
> Schilling
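The two decision points Schilling describes (the RADIUS side picking a VLAN from the MAC, and the sandbox web server mapping a client IP back to a MAC through the DHCP lease file) are spelled out below as an added example. It is not code from the thread or from netreg; the registration table, VLAN names and the dhcpd.leases excerpt are constructed for illustration. It also covers one practical snag the pseudocode skips: switches report Calling-Station-Id in several MAC formats, so the lookup key has to be normalized first, and dhcpd appends lease records, so the last record for an address is the current one.

```python
import re
from typing import Dict, Optional

# Constructed stand-in for netreg's registration table: normalized MAC -> record.
REGISTRATIONS: Dict[str, dict] = {
    "001122334455": {"user": "jsmith", "blocked": False},
    "0a1b2c3d4e5f": {"user": "mjones", "blocked": True},
}

SANDBOX_VLAN = "sandbox"   # assumed VLAN names
REGULAR_VLAN = "users"


def normalize_mac(raw: str) -> Optional[str]:
    """Collapse the formats switches put in Calling-Station-Id
    (00:11:22:33:44:55, 00-11-22-33-44-55, 0011.2233.4455, 001122334455)
    to 12 lowercase hex digits. Returns None if the value is not a MAC."""
    digits = re.sub(r"[:.\-\s]", "", raw).lower()
    return digits if re.fullmatch(r"[0-9a-f]{12}", digits) else None


def vlan_reply(vlan: str) -> Dict[str, str]:
    """Reply attributes a switch needs for dynamic VLAN assignment (RFC 3580)."""
    return {
        "Tunnel-Type": "VLAN",
        "Tunnel-Medium-Type": "IEEE-802",
        "Tunnel-Private-Group-Id": vlan,
    }


def authorize(calling_station_id: str, db: Dict[str, dict] = REGISTRATIONS) -> Dict[str, str]:
    """RADIUS-side decision from the post: unknown or blocked MACs go to the
    sandbox VLAN, registered and unblocked MACs get the regular VLAN."""
    mac = normalize_mac(calling_station_id)
    if mac is None:                      # unparsable identifier: treat as unregistered
        return vlan_reply(SANDBOX_VLAN)
    rec = db.get(mac)
    if rec is None or rec["blocked"]:
        return vlan_reply(SANDBOX_VLAN)
    return vlan_reply(REGULAR_VLAN)


# Constructed excerpt in ISC dhcpd.leases format. dhcpd appends records, so
# 10.20.0.17 appears twice and the later block is the one in force.
SAMPLE_LEASES = """\
lease 10.20.0.17 {
  starts 3 2011/02/02 10:00:00;
  ends 3 2011/02/02 22:00:00;
  binding state active;
  hardware ethernet 00:11:22:33:44:55;
}
lease 10.20.0.18 {
  starts 3 2011/02/02 10:05:00;
  ends 3 2011/02/02 22:05:00;
  binding state active;
  hardware ethernet 0A:1B:2C:3D:4E:5F;
}
lease 10.20.0.17 {
  starts 3 2011/02/02 11:00:00;
  ends 3 2011/02/02 23:00:00;
  binding state active;
  hardware ethernet de:ad:be:ef:00:01;
}
"""

LEASE_RE = re.compile(r"lease\s+(\S+)\s*\{(.*?)\}", re.S)
HW_RE = re.compile(r"hardware ethernet\s+([0-9a-fA-F:]+);")


def ip_to_mac(leases_text: str) -> Dict[str, str]:
    """Map each leased IP to the MAC of its most recent lease record."""
    table: Dict[str, str] = {}
    for ip, body in LEASE_RE.findall(leases_text):
        m = HW_RE.search(body)
        mac = normalize_mac(m.group(1)) if m else None
        if mac:
            table[ip] = mac              # later record overwrites earlier one
    return table


def portal_action(client_ip: str, leases_text: str = SAMPLE_LEASES,
                  db: Dict[str, dict] = REGISTRATIONS) -> str:
    """What the sandbox web server should show the client at client_ip."""
    mac = ip_to_mac(leases_text).get(client_ip)
    if mac is None:
        return "no-lease"                # not one of our DHCP clients; nothing to register
    rec = db.get(mac)
    if rec is None:
        return "show-registration-form"  # login against the backend, then store the MAC
    if rec["blocked"]:
        return "show-blocked-notice"     # tell the user to call the helpdesk
    return "already-registered"          # registered and unblocked; should not be in the sandbox
```

The decision is only as trustworthy as the MAC it keys on, which a client can set freely; that is the limitation behind the subject line and the reason the poster treats this setup as a stepping stone to 802.1X.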