Hi, > The one thing that your suggestion doesn't prevent is the device > association with the access point. It will move the device into the > ether but not until after the device has gone through authentication ( > mac auth in this case ) on the open ssid, on the access point. I just > don't even want the device to associate. I can do it with an > association ACL on the access point, but I would like to manage it all > in one place. If I could tie a violation to the radius auth so that > when you see "handling radius autz request: from switch_ip" it would > send a auth reject message instead of an accept message, there by > preventing the device from associating. Obviously this would only work > with violations based on VENDORMAC. If you want to prevent association, we can overload our getRegistrationVlan to deny it (ie returning -1 instead of a VLAN id). The RADIUS authz will be rejected, and the user won't be able to associate.
Thanks! -- Francois Gaudreault, ing. jr [email protected] :: +1.514.447.4918 (x130) :: www.inverse.ca Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence (www.packetfence.org) ------------------------------------------------------------------------------ Live Security Virtual Conference Exclusive live event will cover all the ways today's security and threat landscape has changed and how IT managers can respond. Discussions will include endpoint security, mobile security and the latest in malware threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/ _______________________________________________ PacketFence-users mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/packetfence-users
