BYOD and base on MAC

Alan DeKok aland at deployingradius.com
Wed Jan 31 20:59:31 CET 2018


On Jan 31, 2018, at 2:50 PM, Luc Paulin <paulinster at gmail.com> wrote:
> 
> I know that we can do a BYOD wireless setup with freeradius based on whether the
> client was set up with a certificate (EAP-TLS) or not by checking the
> EAP-Type field. But I was wondering, would it be possible to do it based on
> MAC address?

  You can do any checking you want, on any attribute you want.  The only restriction is that the attribute has to exist in the packet.

  The one minor issue with MAC address is that people can spoof it.  But if they already have an EAP-TLS client certificate, that's less of a problem.

> The idea here is that we would like to move a user to the appropriate VLAN
> based on his device's MAC. If the MAC address is within that list, the device is
> granted the corp VLAN, else it'll default to the BYOD VLAN.

  Sure.

> In the post-auth section I added some lines in order to try to do the check
> based on MAC address:
> 
> ========
>  # Rewrite Calling-Station-Id into the canonical form (lower-case,
>  # hyphen-separated) so that it can be compared against the file entries.
>  rewrite_calling_station_id
> 
>  # Look the (rewritten) MAC up in the authorized_macs file.
>  # The files module returns "ok" on a match and "noop" when no entry matched.
>  authorized_macs
>  if (!ok) {
>    # No match (noop or fail): put the device on the BYOD VLAN
>    update reply {
>      Tunnel-Type := 13               # VLAN
>      Tunnel-Medium-Type := 6         # IEEE-802
>      Tunnel-Private-Group-Id := 155  # BYOD VLAN
>    }
>  }
>  else {
>    # MAC is in authorized_macs: put the device on the corp VLAN
>    update reply {
>      Tunnel-Type := 13               # VLAN
>      Tunnel-Medium-Type := 6         # IEEE-802
>      Tunnel-Private-Group-Id := 157  # corp VLAN
>    }
>  }
> ========
> 
> However, it looks like authorized_macs always returns noop. Am I doing
> something wrong, or is something not supported?

  Post the debug output.  And ensure that the MAC addresses are all in the same format.

  i.e. you MUST put the MACs into the "authorized_macs" configuration in *exactly the same format* as what you see in the packet.

  Alan DeKok.
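To make the "exactly the same format" point concrete, here is an added example (not code from the thread or from the FreeRADIUS project) that models the post-auth block above in Python: a canonicalizer modelled on the stock rewrite_calling_station_id policy (six hex octets, any single non-hex separator or none, output lower-case and hyphen-separated), a minimal reader for a users-file style authorized_macs list, and an exact-string lookup that returns "ok" or "noop" the way the files module does. The file contents, the MACs and the assumption that the lookup is a plain exact string compare are all constructed for the example; the VLAN IDs 155 and 157 are the ones from the post.

```python
import re
from typing import List, Optional, Tuple

# Modelled on FreeRADIUS's policy "mac-addr-regexp": six hex octets, each pair
# optionally followed by one non-hex separator (':', '-', '.') or nothing at all.
MAC_RE = re.compile(
    r"^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?"
    r"([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$",
    re.IGNORECASE,
)

# Constructed sample in the layout of mods-config/files/authorized_macs.
# Note the second entry is deliberately stored upper-case (a common mistake).
AUTHORIZED_MACS = """\
# constructed sample, not a real inventory
00-11-22-33-44-55
\tReply-Message = "corporate laptop"
AA-BB-CC-DD-EE-FF
\tReply-Message = "corporate phone, stored in the wrong format"
"""

BYOD_VLAN = "155"
CORP_VLAN = "157"


def rewrite_calling_station_id(mac: str) -> Optional[str]:
    """Canonicalize a MAC the way the stock policy does: lower-case, hyphenated.
    Returns None when the value is not a MAC at all (the policy then leaves the
    attribute untouched and returns noop)."""
    m = MAC_RE.match(mac.strip())
    if not m:
        return None
    return "-".join(g.lower() for g in m.groups())


def load_authorized_macs(text: str) -> List[str]:
    """Read the keys (first token of each non-indented, non-comment line) from a
    users-file style list. Indented lines are reply items and are skipped."""
    keys = []
    for line in text.splitlines():
        if not line or line[0].isspace() or line.startswith("#"):
            continue
        keys.append(line.split()[0])
    return keys


def authorized_macs(calling_station_id: str, keys: List[str]) -> str:
    """Model of the files module instance (assumption: exact string compare of the
    key). "ok" when an entry matched, "noop" when nothing matched."""
    return "ok" if calling_station_id in keys else "noop"


def post_auth(calling_station_id: str, keys: List[str],
              normalize: bool = True) -> Tuple[str, str]:
    """Model of the poster's post-auth block. Returns (module rc, VLAN assigned).
    normalize=False shows what happens if rewrite_calling_station_id is skipped."""
    csid = calling_station_id
    if normalize:
        canon = rewrite_calling_station_id(csid)
        if canon is not None:
            csid = canon
    rc = authorized_macs(csid, keys)
    # "if (!ok)" in unlang is true for noop as well as fail, so both fall to BYOD.
    vlan = CORP_VLAN if rc == "ok" else BYOD_VLAN
    return rc, vlan


def non_canonical_entries(keys: List[str]) -> List[str]:
    """Sanity check for the file itself: entries that the policy would never
    produce can never match a rewritten Calling-Station-Id."""
    return [k for k in keys if rewrite_calling_station_id(k) != k]


if __name__ == "__main__":
    keys = load_authorized_macs(AUTHORIZED_MACS)
    # What the NAS sends (colon form) vs. what the file holds (hyphen form):
    print(post_auth("00:11:22:33:44:55", keys, normalize=False))  # ('noop', '155')
    print(post_auth("00:11:22:33:44:55", keys))                   # ('ok', '157')
    # Upper-case file entry never matches the lower-cased rewritten value:
    print(post_auth("aa:bb:cc:dd:ee:ff", keys))                   # ('noop', '155')
    print(non_canonical_entries(keys))                            # ['AA-BB-CC-DD-EE-FF']
```

The last two lines of the usage show the mismatch in both directions: the packet value must be rewritten before the lookup, and the file entries must already be in the form the rewrite produces. Running the file through non_canonical_entries is a cheap check to do before blaming the lookup.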




More information about the Freeradius-Users mailing list