Best way to cope with multiple SSIDs and MAC auth
Franks Andy (RLZ) IT Systems Engineer
Andy.Franks at sath.nhs.uk
Wed Aug 22 09:53:44 CEST 2012
Just in case this helps someone else, I figured it out from trawling Google at midnight!
You need to get the AP to send the vendor specific attributes in the request packet by including the line
radius-server vsa send authentication
in the AP config. It's not there by default obviously.
Thanks, and apologies for sending so many emails in one go.
Andy
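Added example, not part of the original post: a Python check that a captured Access-Request really carries the SSID once `radius-server vsa send authentication` is set. It assumes the AP encodes the SSID as a Cisco-AVPair (vendor 9, sub-type 1) string of the form `ssid=<name>`; the sample packet, the MAC address and all function names are constructed for illustration.

```python
import struct

VENDOR_SPECIFIC = 26   # RADIUS attribute type for VSAs (RFC 2865)
CISCO_VENDOR_ID = 9    # Cisco's IANA enterprise number
CISCO_AVPAIR = 1       # assumed sub-type carrying "key=value" strings

def iter_attributes(packet):
    """Yield (type, value) for every attribute in a RADIUS packet."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    length = struct.unpack("!H", packet[2:4])[0]
    if length < 20 or length > len(packet):
        raise ValueError("bad RADIUS length field")
    pos = 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError("bad attribute length")
        yield a_type, packet[pos + 2:pos + a_len]
        pos += a_len

def cisco_avpairs(packet):
    """Return {key: value} for each Cisco-AVPair found in the packet."""
    pairs = {}
    for a_type, value in iter_attributes(packet):
        if a_type != VENDOR_SPECIFIC or len(value) < 6:
            continue
        if struct.unpack("!I", value[:4])[0] != CISCO_VENDOR_ID:
            continue
        sub = value[4:]  # one or more vendor sub-attributes
        while len(sub) >= 2 and 2 <= sub[1] <= len(sub):
            if sub[0] == CISCO_AVPAIR:
                text = sub[2:sub[1]].decode("utf-8", "replace")
                key, sep, val = text.partition("=")
                if sep:
                    pairs[key] = val
            sub = sub[sub[1]:]
    return pairs

def build_sample(ssid=None):
    """Constructed Access-Request: a MAC as User-Name, optional ssid VSA."""
    attrs = bytes([1, 14]) + b"001122334455"
    if ssid is not None:
        avpair = bytes([CISCO_AVPAIR, 7 + len(ssid)]) + b"ssid=" + ssid.encode()
        attrs += (bytes([VENDOR_SPECIFIC, 6 + len(avpair)])
                  + struct.pack("!I", CISCO_VENDOR_ID) + avpair)
    return struct.pack("!BBH", 1, 0, 20 + len(attrs)) + bytes(16) + attrs
```

An empty result for a request from the AP means the VSA is still not being sent, so any per-SSID MAC policy on the server has nothing to match on.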
-----Original Message-----
From: freeradius-users-bounces+andy.franks=sath.nhs.uk at lists.freeradius.org [mailto:freeradius-users-bounces+andy.franks=sath.nhs.uk at lists.freeradius.org] On Behalf Of Franks Andy (RLZ) IT Systems Engineer
Sent: 21 August 2012 22:46
To: FreeRadius users mailing list
Subject: RE: Best way to cope with multiple SSIDs and MAC auth
Just an update: I do see something on the IOS interface:
RADIUS: AAA Unsupported Attr: ssid [263] 8
*May 17 16:47:01.236: RADIUS: 52 53 48 5F 57 69 [RSH_Wi]
I didn't notice it as it's above the actual sent attribute section. The attribute doesn't make it through to the radius server.
Anyone any ideas?
-----Original Message-----
From: freeradius-users-bounces+andy.franks=sath.nhs.uk at lists.freeradius.org [mailto:freeradius-users-bounces+andy.franks=sath.nhs.uk at lists.freeradius.org] On Behalf Of Franks Andy (RLZ) IT Systems Engineer
Sent: 21 August 2012 22:34
To: FreeRadius users mailing list
Subject: RE: Best way to cope with multiple SSIDs and MAC auth
Hi - thanks for the reply
I have a relatively new version of IOS and I can't see the attribute coming through, either on freeradius or using the "debug radius" command on the AP. I wonder if it's something you have to set in the AP that's non default.
As an aside, I wonder if there's an internal freeradius attribute that can tell me the port number that an auth request comes through on? If I use the radtest program, I see the NAS-Port being set to 1812, but the APs don't do this - the NAS-Port attribute is often a random number, not the destination port number.
-----Original Message-----
From: freeradius-users-bounces+andy.franks=sath.nhs.uk at lists.freeradius.org [mailto:freeradius-users-bounces+andy.franks=sath.nhs.uk at lists.freeradius.org] On Behalf Of alan buxey
Sent: 21 August 2012 22:21
To: FreeRadius users mailing list
Subject: Re: Best way to cope with multiple SSIDs and MAC auth
Hi,
> Because I am not aware that the cisco IOS can send an “SSID” attribute to
> the radius server (if someone knows how to do this PLEASE tell
> me!), I
yes, it does - the attribute will depend on model and IOS version - but if you run the server in full debug mode then you will see the attribute arrive in the access-request - with the SSID you are looking for present.
alan
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html