"Chris Bshaw" <[EMAIL PROTECTED]> wrote:
> 1. I have read that I can have freeradius run a script via Exec-Program-Wait 
> at authentication time. I was just wondering would it be possible to use 
> this to perform a query over IP on the client station (eg: snmp or 
> something)?

  Scripts can do anything you want.

> would it be 
> possible to have freeradius dynamically associate a client station to an 
> SSID at authentication time?

  No.  The SSIDs are done in a layer *below* the layers that
FreeRADIUS sees.

> My interest in these is because I would like if possible to be able to check 
> each client station to see if it has the latest patches, virus protection 
> s/w etc. and if it doesn't I would like to either disconnect it, or dump it 
> in some kind of quarantine SSID (VLAN).....

  For that, you have to wait until the client gets an IP address,
which can happen ~1s after the RADIUS authentication.

  Basically, you can't do these checks until after the RADIUS
authentication has succeeded, which means that you can't use the
checks to change the RADIUS response.

> 3. Is it possible using EAP/TLS to restrict how many times a station with a 
> particular certificate connects to the wireless net.....i.e. if someone 
> takes their certificate and installs it on 10 wireless machines, can I 
> configure freeradius (and/or my access point) so that only one active 
> wireless connection is allowed for that certificate?

  You can set Simultaneous-Use on the server, which will do this.

  Alan DeKok.


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
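
A configuration sketch for the Simultaneous-Use answer above, added here as an example; it is not part of the original message. It assumes the stock radutmp module for session tracking and an access point that sends RADIUS accounting; file names and locations vary by FreeRADIUS version.

```conf
# users file: allow at most one active session per User-Name.
DEFAULT Simultaneous-Use := 1

# radiusd.conf (later versions keep these sections in the virtual server file).
accounting {
    # Record accounting Start/Stop so the server knows which sessions are open.
    radutmp
}

session {
    # Consulted at authentication time to count the user's active sessions.
    radutmp
}

# eap.conf: sessions are counted per User-Name, not per certificate, so the
# EAP identity has to be tied to the certificate for the limit to apply to it.
# Assumption: this build's tls section supports check_cert_cn.
eap {
    tls {
        check_cert_cn = %{User-Name}
    }
}
```

The count is only as accurate as the accounting data: if the access point does not send a Stop record, the old session still counts against the limit until it is cleared.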
