Your comments are very interesting, I will consider them as much as I know how.
Yes, the NASs are wireless access points on steroids, and they get bandwidth-throttling information from RADIUS along with Accepts/Rejects.

Re: the NASs not identifying themselves - yes, I thought that being able to separate requests of one from the other would be another solution. But I couldn't see how to do that - the information you have in front of you represents the sum total of my experience with RADIUS. You mention a NAS that IDs itself, but I don't know what that looks like - can you forward an example? I'll look for examples of that myself, but... this is why I need help, I'm clueless over here.

Re: guessing at a MAC - you're absolutely correct, but that's a problem for down the road. Right now, I need to be able to add and disable users in one place (as opposed to the ACLs of many different APs).

Your comments about getting features are well taken. To date, we've been operating in "no cost", open-source mode. I will pass your suggestion along.

Your comments re: "smart" - well, I am trying to learn as I go. I haven't had anybody with a working, large-scale, scalable RADIUS implementation invite me into the inner sanctum and show me how it all fits together. Somehow, I'm not holding my breath for that one... so resources like this list are all I've got.

Thank you for taking the time to reply, I appreciate it.

> Brian Ammons wrote:
>> We are a WISP, we have FreeRADIUS running with MySQL. The NASs that
>> currently use RADIUS (SmartBridge XOs) transmit the CPE's MAC address as
>> both UserName and Password. We have new and better NASs (MikroTik)
>> that transmit the CPE's MAC address as the UserName, but with a
>> "null" password. What we want is "simple" - for both NASs to validate
>> off of RADIUS. BUT because of the difference in Passwords, the same
>> entry in RadCheck won't do it.
>
> I'm just guessing that the reason that the NAS itself is trying to
> authenticate is to have it download some configuration items via radius in
> the access-accept.
> Maybe you should question the fact that your NASes aren't able to identify
> themselves.
> If I knew one of the MACs, I could get authenticated at your radius or even
> worse, I could just try until I find a correct MAC address.
> Maybe there's no issue in security, but in my opinion... what you're trying
> to do doesn't look like anything smart.
> Try to understand what's wrong in your design and figure out a solution,
> even if it means replacing several devices (you say you're a WISP, so you
> should go for solid things, maybe by getting features from your device
> manufacturer).
>
> --
> Regards,
>
> Thor Spruyt
> E: [EMAIL PROTECTED]
> W: www.thor-spruyt.com
> M: +32 (0)475 67 22 65
> Order your copy of Operationele verkoop (Walter Spruyt - Liesbeth Huysmans)
> now via www.salesguide.be
> Discover the Telenet Hotspot service at www.telenet.be/hotspots
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
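What a NAS "identifying itself" looks like in an Access-Request, as an added example that is not part of the thread and not written by either poster: RFC 2865 defines NAS-IP-Address (type 4) and NAS-Identifier (type 32) for this, and the sketch below parses them alongside User-Name. The packets, the name `tower-ap-1`, the MAC and the 192.0.2.10 address are constructed sample data, and the helper names are hypothetical.

```python
import ipaddress
import struct

# Attribute type numbers from RFC 2865.
USER_NAME, NAS_IP_ADDRESS, NAS_IDENTIFIER = 1, 4, 32
ACCESS_REQUEST = 1

def build_request(ident, attrs):
    """Build a constructed Access-Request (zeroed authenticator, sample data only)."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + bytes(16) + body

def parse_attributes(packet):
    """Return {type: [values]} for an Access-Request, rejecting malformed lengths."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or not 20 <= length <= len(packet):
        raise ValueError("not a well-formed Access-Request")
    attrs, pos = {}, 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError("bad attribute length")
        attrs.setdefault(a_type, []).append(packet[pos + 2:pos + a_len])
        pos += a_len
    return attrs

def nas_identity(packet):
    """Summarise which NAS sent the request and which client it is about."""
    attrs = parse_attributes(packet)
    first = lambda t: attrs.get(t, [None])[0]
    ip, name, user = first(NAS_IP_ADDRESS), first(NAS_IDENTIFIER), first(USER_NAME)
    return {
        "nas_ip": str(ipaddress.IPv4Address(ip)) if ip else None,
        "nas_identifier": name.decode() if name else None,
        "user_name": user.decode() if user else None,
    }

# Constructed sample: a NAS that identifies itself, reporting a CPE MAC as User-Name.
SAMPLE = build_request(7, [
    (USER_NAME, b"00:11:22:33:44:55"),
    (NAS_IP_ADDRESS, ipaddress.IPv4Address("192.0.2.10").packed),
    (NAS_IDENTIFIER, b"tower-ap-1"),
])
# Constructed sample: the same CPE, but no identifying attribute from the NAS.
ANONYMOUS = build_request(8, [(USER_NAME, b"00:11:22:33:44:55")])
```

With the NAS identity parsed out, requests from the two device families can be told apart before the password check is applied.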

