John McDonnell wrote:
> I don't know if you have any experience with the 1100 series access points
> from Cisco, but they have a setting called EAP and MAC authentication. I'm
> not sure how it is implemented, but I would imagine I should just set it
> to do EAP and have FR itself do the MAC check as part of the
> authorization?

Yes. Having APs implement policies is a recipe for disaster.

> We're not really tracking MACs per se right now, we only require the MAC
> to be a valid MAC. We don't check for duplicates. Combined with using WEP,
> it currently makes for a very unsecure network, hence why I want to switch
> to using certificates. I've learned a lot about how RADIUS, and FR in
> particular, works in the past year, but I still have a lot to learn. I
> understand a new book on FR has been in the works, which would be a great
> help I'm sure. In the meantime, I try to keep track of the users list and
> do some reading (a lot of it outdated) on the web.

I'm trying to find time to finish the book. :(

> I suppose doing the MAC authentication wouldn't really add much overhead
> at all if done by the FR server itself and not separate calls from the AP,
> so I will look into how to do this. Any pointers or hints would greatly be
> appreciated.

raddb/modules/mac*

They're not examples for RADIUS, but the principles should be the same.

Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
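
The server-side check discussed in this thread, sketched as an added example (not part of the original messages and not FreeRADIUS configuration): once EAP has established who the client is, the authorization step normalizes the MAC from Calling-Station-Id and accepts it only if it is bound to that identity, which is stricter than accepting any well-formed MAC. The table contents, function names and the use of a certificate CN as the identity are assumptions made for illustration.

```python
import re

# Constructed sample data (assumption): canonical MAC -> certificate CN
# that is allowed to present it.
AUTHORIZED_MACS = {
    "00-11-22-33-44-55": "alice-laptop",
    "66-77-88-99-AA-BB": "bob-laptop",
}

_SEPARATORS = re.compile(r"[-:.]")
_TWELVE_HEX = re.compile(r"[0-9A-F]{12}")


def normalize_mac(calling_station_id):
    """Return the MAC as AA-BB-CC-DD-EE-FF, or None if it is not a MAC.

    Access points send the same address in different notations
    (00:11:22:33:44:55, 00-11-22-33-44-55, 0011.2233.4455), so the
    lookup key has to be canonical before any comparison.
    """
    digits = _SEPARATORS.sub("", calling_station_id.strip()).upper()
    if not _TWELVE_HEX.fullmatch(digits):
        return None
    return "-".join(digits[i:i + 2] for i in range(0, 12, 2))


def authorize(calling_station_id, cert_cn):
    """Authorization decision taken after EAP has authenticated cert_cn.

    Returns (allowed, reason). A MAC that is merely well formed is not
    enough: it must be known and bound to the authenticated identity,
    so a copied MAC presented with a different certificate is refused.
    """
    mac = normalize_mac(calling_station_id)
    if mac is None:
        return (False, "malformed MAC")
    owner = AUTHORIZED_MACS.get(mac)
    if owner is None:
        return (False, "unknown MAC")
    if owner != cert_cn:
        return (False, "MAC not bound to this identity")
    return (True, "ok")


if __name__ == "__main__":
    for csid, cn in [("0011.2233.4455", "alice-laptop"),
                     ("00:11:22:33:44:55", "bob-laptop"),
                     ("de:ad:be:ef:00:01", "alice-laptop")]:
        print(csid, cn, authorize(csid, cn))
```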

