Not rejecting rejected users

Franks Andy (RLZ) IT Systems Engineer Andy.Franks at
Thu Jul 24 14:04:12 CEST 2014

Hi all,
Possibly a ridiculous question, but I'll try anyway.
We have FreeRADIUS running for wired and wireless clients. On wired
clients, when the RADIUS sends a reject packet to the NAS, all is well
and the client gets rejected. On wireless however, especially with
Windows XP machines, the machine will constantly retry connection to the
We've dealt with this in the past by hiding the SSID and hoping
non-authenticated people try not to join it. This breaks the
recommendations I believe, and causes certain issues with iPads and so
on, so I wanted to do something different - i.e. dish out a dummy VLAN
or special role to the wireless controller. No problems there in
concept, but we were very geared towards accepts and rejects and I now
need to, at several points, do something else instead of outright reject
the client.

Rejects were nice because once auth-type is set to reject, anything else
that could alter the auth-type would not be touched, and lots of
extraneous processing is avoided. Ideally we'd be able to change the
post-auth-type REJECT back into an accept, but that probably isn't going
to work.
Anyone any ideas? I'm sure this has been done before.
I realise we can override the outcome of a specific module but it
doesn't stop processing unless I keep checking an internal control
variable or the like.
