How to grant some (!) devices access to network but all others have to provide passwords

uj2.hahn at posteo.de uj2.hahn at posteo.de
Fri Dec 27 13:08:11 CET 2019


Thanks to all for help.
For now I'm fine. I might come back to this discussion when I have rolled
out the solution into production.
Thanks
Uwe

On 26.12.2019 15:02, arjun sharma wrote:
> Hi,
>
> If you are fine with EAP-TTLS then well and good; otherwise you can follow
> the below.
>
> You need to understand the basics, like why you are getting a prompt to
> enter credentials and what happens inside when you enter correct credentials.
>
> Please read about Session-Timeout and MAC auth (mixed with 802.1X).
>
> authorize {
>          preprocess
>          # always check against the authorized_macs file first
>          authorized_macs
>
>          if (!ok) {
>                  # Reject if the MAC address was not permitted.
>                  reject
>          }
>
>          # If this is NOT 802.1x, mac-auth
>          if (!EAP-Message) {
>                  # MAC address has already been checked, so accept
>                  update control {
>                          Auth-Type := Accept
>                  }
>          }
>          else {
>                  # Normal FreeRADIUS virtual server config goes here e.g.
>                  eap
>          }
> }
>
> Session timeout can be configured on the RADIUS server so that each client
> can have a different timeout value. The Session-Timeout attribute as
> defined in RFC 2865 is included in the Access-Accept message, and sets the
> maximum number of seconds of service to be provided to the user before
> termination of the session.
>
>
>
> On Tue, Dec 24, 2019, 1:05 AM Alan DeKok <aland at deployingradius.com> wrote:
>
>> On Dec 23, 2019, at 12:12 PM, uj2.hahn at posteo.de wrote:
>>> Thanks, Alan!
>>> I generated brand new certificates and installed them on one Android tablet.
>>
>>    That's good...
>>
>>> But now I'm not sure what the expected use model is:
>>> Can I connect immediately without any credentials or do I have to provide a valid user/passwd once
>>> and it will be saved forever?
>>    If you use EAP-TLS, it shouldn't need a password.
>>
>>    But in the end, this question is for the end user device, not for
>> FreeRADIUS.
>>
>>> When I try to connect I see the WLAN credential form again (although it looks different than before).
>>> So I have to enter some valid credential. Then it is saved. Is this the expected behavior?
>>
>>    Ask the device manufacturer how their systems work.  We didn't implement
>> the UI on the android tablet, and we know nothing about it.
>>
>>> What is the expected message in the debug logfile saying everything is fine with the certificates?
>>
>>    The server sends an Access-Accept.
>>
>>    If something goes wrong the error messages are large and descriptive.
>>
>>    Alan DeKok.
>>
>>
>> -
>> List info/subscribe/unsubscribe? See
>> http://www.freeradius.org/list/users.html



More information about the Freeradius-Users mailing list
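
The `authorized_macs` call in the quoted policy needs a module instance behind it, and the per-client Session-Timeout mentioned in the same message can be attached to each entry in that module's file. The fragment below is an added example, not configuration posted by anyone in the thread; it assumes FreeRADIUS 3.x option names, and the file locations and MAC addresses are constructed.

```conf
# --- module definition, e.g. mods-available/authorized_macs (assumed path) ---
# An instance of the "files" module keyed on the MAC address that the NAS
# reports in Calling-Station-Id. It returns "ok" when an entry matches and
# "noop" otherwise, which is what the "if (!ok)" test in the policy checks.
files authorized_macs {
        key = "%{Calling-Station-Id}"
        usersfile = ${confdir}/authorized_macs
}

# --- contents of ${confdir}/authorized_macs (constructed sample entries) ---
# One entry per permitted device. The entry name must match the exact
# format the NAS sends (letter case and separators), so check a debug run
# for the real Calling-Station-Id value before filling this file.
# Indented lines are reply items returned with the Access-Accept.
#
# These devices are identified by MAC address alone, a value the client
# chooses, so a short Session-Timeout forces frequent re-checks.

# Constructed example: printer, re-authenticated every hour
00-11-22-33-44-55
        Session-Timeout = 3600

# Constructed example: sensor gateway, re-authenticated every 8 hours
66-77-88-99-AA-BB
        Session-Timeout = 28800
```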