EAP authentication and DHCP

Alan DeKok aland at deployingradius.com
Sun Sep 27 16:13:28 CEST 2015

On Sep 27, 2015, at 1:15 AM, HernĂ¡n Freschi <hjf at hjf.com.ar> wrote:
> I would like to authenticate WiFi users with EAP and assign an IP address
> based on their username.
> I realize this is a two step process: first, the user must be authenticated
> with EAP. Once this is done, the user will request an IP address via DHCP.
> But there is no connection between the EAP username, and the client's MAC
> address which EAP uses.
> With EAP, the MAC address is the Calling-Station-ID for the Anonymous
> identity. The tunneled identity has no ID.

  Sure.  Just write the inner ID and the outer Calling-Station-Id to SQL.  You may need to create a custom table for this.  You should probably also write the login time, too.

> Is it possible to use the post-auth section to log both username and MAC,
> so the DHCP module can look up the username from MAC address, and assign
> the address from the right pool?


> By default the post-auth module writes two
> records to the radpostauth table: one, from the anonymous identity with the
> Calling-Station-ID set to the MAC address, and another, for the tunneled
> identity, with an empty calling ID.

  You can fix that by editing the configuration files.  That's why they're text.

  Alan DeKok.

More information about the Freeradius-Users mailing list