Problem with Cisco WLC probes in FR 2.2.1
Arran Cudbard-Bell
a.cudbardb at freeradius.org
Mon Oct 7 12:55:22 CEST 2013
On 7 Oct 2013, at 11:31, A.L.M.Buxey at lboro.ac.uk wrote:
> Hi,
>
>> Well you want the probes to go through and hit your backend authentication servers,
>> and your databases, and any external resource.
>
> ..and get a valid user with access accept? bad. you are better off just sending a reject -
> just like RADIUS status server probes. it would be nice if the WISM would do proper
> RADIUS status-server probe instead....but since cisco want you to buy ACS/ISE and that doesn't
> do nice things - then I guess we can live in hope

No. You want a policy in post-auth which checks what happened when the test user's
authentication was processed.

Everything ok:
  Access-Reject

Something's wrong:
  Don't respond

And you want to make sure that you have ACLs in place to only allow access to the RADIUS
test user object from the RADIUS test server (obviously :) ).

In regards to upstream proxy servers, I'll echo Alan D's thoughts on this, and say that
it's really the responsibility of an AAA routing protocol.

Though yes, for eduroam checking next hop connectivity is probably useful. Maybe an xlat
method which returns the state of a realm?

-Arran
Arran Cudbard-Bell <a.cudbardb at freeradius.org>
FreeRADIUS Development Team