I have a situation where I have a wireless controller that services
multiple wireless networks (vlans).  When the controller contacts the
RADIUS server with an authentication request, it does so with the IP
address of the controller as the client address.  The problem is I have a
guest network that has lower security than my other wireless networks.  The
guest network has it’s own user/password database stored in the controller,
but the way authentication occurs is that it checks RADIUS for the user
first and assumes it will fail, then will use the internal database.  The
issue with this is that if one of my users jumps on the guest network, they
are authenticated which is not what I want to happen.  Looking at the logs,
I noticed that all the guest network users have the IP address of the
client in the “cli” field.  My guest network is a totally different VLAN
and IP subnet.

Is there a way to key off of the “cli” field and then make it so that all
requests from clients with a specific subnet in this field are not
authenticated?  This would stop my internal users from connecting, but
allow the correct users (those in the internal DB) to still get connected.

 CONFIDENTIALITY NOTICE:  This e-mail may contain trade secrets or
privileged, undisclosed or otherwise confidential information. If you have
received this e-mail in error, you are hereby notified that any review,
copying or distribution of this message in whole or in part is strictly
prohibited. Please inform the sender immediately and destroy the original
transmittal. Thank you for your cooperation.

List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
  • [no subject] markcapelle
    • RE: King, Michael

Reply via email to