Best way to cope with multiple SSIDs and MAC auth

Franks Andy (RLZ) IT Systems Engineer Andy.Franks at sath.nhs.uk
Wed Aug 22 09:53:44 CEST 2012


Just in case this helps someone else, I figured it out from trawling Google at midnight!
You need to get the AP to send the vendor specific attributes in the request packet by including the line
radius-server vsa send authentication
in the AP config. It's not there by default obviously.
Thanks, and apologies for sending so many emails in one go.
Andy

-----Original Message-----
From: freeradius-users-bounces+andy.franks=sath.nhs.uk at lists.freeradius.org [mailto:freeradius-users-bounces+andy.franks=sath.nhs.uk at lists.freeradius.org] On Behalf Of Franks Andy (RLZ) IT Systems Engineer
Sent: 21 August 2012 22:46
To: FreeRadius users mailing list
Subject: RE: Best way to cope with multiple SSIDs and MAC auth

Just an update: I do see something on the IOS interface:
RADIUS:  AAA Unsupported Attr: ssid              [263] 8  
*May 17 16:47:01.236: RADIUS:   52 53 48 5F 57 69                                [RSH_Wi]
I didn't notice it as it's above the actual sent attribute section. The attribute doesn't make it through to the radius server.
Anyone any ideas?

-----Original Message-----
From: freeradius-users-bounces+andy.franks=sath.nhs.uk at lists.freeradius.org [mailto:freeradius-users-bounces+andy.franks=sath.nhs.uk at lists.freeradius.org] On Behalf Of Franks Andy (RLZ) IT Systems Engineer
Sent: 21 August 2012 22:34
To: FreeRadius users mailing list
Subject: RE: Best way to cope with multiple SSIDs and MAC auth

Hi - thanks for the reply
I have a relatively new version of IOS and I can't see the attribute coming through, either on freeradius or using the "debug radius" command on the AP. I wonder if it's something you have to set in the AP that's non-default.
As an aside, I wonder if there's an internal freeradius attribute that can tell me the port number that an auth request comes through on? If I use the radtest program, I see the NAS-Port being set to 1812, but the APs don't do this - the NAS-Port attribute is often a random number, not the destination port number.


-----Original Message-----
From: freeradius-users-bounces+andy.franks=sath.nhs.uk at lists.freeradius.org [mailto:freeradius-users-bounces+andy.franks=sath.nhs.uk at lists.freeradius.org] On Behalf Of alan buxey
Sent: 21 August 2012 22:21
To: FreeRadius users mailing list
Subject: Re: Best way to cope with multiple SSIDs and MAC auth

Hi,

>    Because I am not aware that the cisco IOS can send an “SSID” attribute to
>    the radius server (if someone knows how to do this PLEASE tell me!), I

yes, it does - the attribute will depend on model and IOS version - but if you run the server in full debug mode then you will see the attribute arrive in the access-request - with the SSID you are looking for present.

alan
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
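
Added example, not part of the original thread and not FreeRADIUS code: a minimal Access-Request parser that pulls the SSID out of a Cisco vendor-specific attribute and makes a per-SSID MAC decision that fails closed when the attribute is missing (the situation before `radius-server vsa send authentication` was set). It assumes the AP delivers the SSID as a Cisco-AVPair of the form "ssid=NAME" (vendor 9, sub-attribute 1) and that User-Name carries the client MAC; the MAC, the "Guest" SSID and the policy table are constructed sample values.

```python
import struct

VENDOR_SPECIFIC = 26   # RADIUS attribute type for VSAs (RFC 2865)
CISCO = 9              # Cisco's IANA enterprise number
CISCO_AVPAIR = 1       # Cisco sub-attribute holding "key=value" text
USER_NAME = 1          # assumed to carry the client MAC for MAC auth

def attributes(packet):
    """Yield (type, value) for every attribute in a RADIUS packet."""
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if not 20 <= length <= len(packet):
        raise ValueError("bad RADIUS length field")
    pos = 20                      # 4-byte header plus 16-byte authenticator
    while pos < length:
        alen = packet[pos + 1] if pos + 2 <= length else 0
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute")
        yield packet[pos], packet[pos + 2:pos + alen]
        pos += alen

def extract_ssid(packet):
    """Return the SSID from a Cisco-AVPair "ssid=..." VSA, or None if absent."""
    for atype, value in attributes(packet):
        if atype != VENDOR_SPECIFIC or len(value) < 6:
            continue
        vendor, vtype, vlen = struct.unpack("!IBB", value[:6])
        if vendor != CISCO or vtype != CISCO_AVPAIR or not 2 <= vlen <= len(value) - 4:
            continue
        key, _, val = value[6:4 + vlen].partition(b"=")
        if key == b"ssid":
            return val.decode("ascii", "replace")
    return None

def mac_allowed(packet, policy):
    """Fail closed: without an SSID attribute no per-SSID decision is possible."""
    ssid = extract_ssid(packet)
    user = next((v for t, v in attributes(packet) if t == USER_NAME), b"")
    return ssid is not None and user.decode("ascii", "replace") in policy.get(ssid, set())

def attr(atype, value):
    return bytes([atype, len(value) + 2]) + value
def request(*attrs):              # constructed Access-Request, zeroed authenticator
    body = b"".join(attrs)
    return struct.pack("!BBH", 1, 1, 20 + len(body)) + bytes(16) + body
# Constructed sample data (SSID name taken from the debug output in the thread).
PAIR = b"ssid=RSH_Wi"
VSA = attr(VENDOR_SPECIFIC, struct.pack("!IBB", CISCO, CISCO_AVPAIR, len(PAIR) + 2) + PAIR)
WITH_VSA = request(attr(USER_NAME, b"001122aabbcc"), VSA)
WITHOUT_VSA = request(attr(USER_NAME, b"001122aabbcc"))
POLICY = {"RSH_Wi": {"001122aabbcc"}, "Guest": set()}
```
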