On Thu, 9 Nov 2006, David E. Smith wrote:

> My ideal scenario would be something like this:

> * The AP runs a DHCP server and talks to a RADIUS server (that's easy)

Yup.  (assuming Mikrotik)

> * When a client associates, do a RADIUS lookup to see if they should be allowed to associate (that's easy too)

Yup. You can do this with Wireless OR DHCP requests (for DHCP, the mac addy is sent as User-Name with no password)

> * Give the CPE an IP address from one subnet, then give "whatever else is there" an IP from a different subnet (that's the tricky part)

This is not that tricky, really. Again, I am assuming Mikrotik (since you said you were trying to better the network. ;-)). Anyway, the way the MT will handle this (for dhcp) is:

1. If you have a static entry for the MAC, it will use those parameters - no radius check is done.

2. If you DON'T have a static entry, MT will check radius for that user. If a NO answer is received, then the user is NOT given an IP.

What you have to do is use a "default" profile in the radius server. I know that FreeRadius supports this, but not sure if others do. If your radius server supports handling the IP pool (I think FreeRadius does), then you can assign IP addresses from that pool for one group of users. If there is no "Framed-IP-Address" in the access accept packet, then the MT will use the pool assigned for the dhcp server under "/ip dhcp-server network". This gives you some pretty good options. Even if your radius server does not support the pool option, you can assign each user in the RADIUS a static IP via the "Framed-IP-Address" attribute and then have the "default" profile simply not return that attribute (thereby using the "default" pool set up on the MT).

> This is made even more complicated by the fact that many of our CPE are Senao CB3 units, which do MAC cloning and I don't think you can turn it off. (Basically, both the CPE and the customer's router, or whatever, show up in my tower as having the CPE's MAC.)

The DHCP server SHOULD see the MAC of the device making the request. I believe it is the MAC inside the request (not the source mac address) that is sent to the radius server for authentication.

> Is this even possible?

Hope this helps answer that question.  :-)

Butch Evans
Network Engineering and Security Consulting
Mikrotik Certified Consultant
WISPA Wireless List: wireless@wispa.org


Archives: http://lists.wispa.org/pipermail/wireless/
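The lease-assignment order Butch describes (static lease first with no RADIUS check, then a RADIUS lookup keyed on the MAC as User-Name, Framed-IP-Address if the Accept carries it, otherwise the DHCP server's own pool) and the point about the lookup using the MAC inside the DHCP request rather than the Ethernet source address can be modelled in a few lines. The following is an added example written for this archive page; it is not MikroTik or FreeRADIUS code. The users-file text, MAC addresses, subnets and the `DhcpServer` class are all constructed for the demonstration, the parser handles only a simplified subset of the FreeRADIUS `users` syntax (one check item per entry plus indented reply items and a DEFAULT entry), and the chaddr-versus-source-MAC behaviour is modelled as Butch states it rather than verified against a CB3.

```python
"""
Model of the DHCP + RADIUS address-assignment logic discussed in the thread.

Constructed example, not MikroTik RouterOS or FreeRADIUS code. It models:
  1. a static DHCP lease for a MAC wins and RADIUS is never queried;
  2. otherwise the MAC is sent as User-Name; a Reject means no lease;
  3. an Accept carrying Framed-IP-Address assigns that address;
  4. an Accept without it (the DEFAULT entry) falls back to the server pool;
  5. lookups key on the DHCP client hardware address (chaddr), not on the
     Ethernet source MAC, which is what matters behind a MAC-cloning CPE.
"""
import ipaddress
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed FreeRADIUS-style "users" file (simplified syntax; assumption).
USERS_FILE = """\
# CPE radios: fixed addresses from the CPE management subnet
00:11:22:33:44:55    Auth-Type := Accept
        Framed-IP-Address = 10.10.0.11

00:11:22:33:44:66    Auth-Type := Accept
        Framed-IP-Address = 10.10.0.12

# A MAC that should never get a lease
de:ad:be:ef:00:01    Auth-Type := Reject

# Everyone else: Accept with no Framed-IP-Address, so the DHCP server
# hands out an address from its own customer pool
DEFAULT    Auth-Type := Accept
"""


def parse_users(text: str) -> dict:
    """Parse 'NAME  Attr := Value' entries with indented 'Attr = Value' reply items."""
    entries, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace():  # indented line: reply item for the current entry
            if current is not None and "=" in raw:
                k, v = (s.strip() for s in raw.split("=", 1))
                entries[current]["reply"][k] = v
            continue
        m = re.match(r"^(\S+)\s+(\S+)\s*:=\s*(\S+)", raw)
        if not m:
            continue
        name, attr, value = m.groups()
        current = name if name == "DEFAULT" else name.lower()
        entries[current] = {"check": {attr: value}, "reply": {}}
    return entries


def radius_auth(entries: dict, user_name: str):
    """Simulated Access-Request with the MAC as User-Name and no password.
    Returns (accepted, reply_attributes). Unknown names use the DEFAULT entry."""
    entry = entries.get(user_name.lower()) or entries.get("DEFAULT")
    if entry is None or entry["check"].get("Auth-Type") != "Accept":
        return False, {}
    return True, dict(entry["reply"])


@dataclass
class DhcpRequest:
    src_mac: str  # Ethernet source; a cloning CPE rewrites this to its own MAC
    chaddr: str   # client hardware address field inside the DHCP packet


@dataclass
class DhcpServer:
    static_leases: dict   # chaddr -> IP, like a static lease on the MT
    pool: list            # free addresses of the server's default pool
    radius_entries: dict
    leases: dict = field(default_factory=dict)
    radius_calls: int = 0

    def handle(self, req: DhcpRequest) -> Optional[str]:
        mac = req.chaddr.lower()  # src_mac is deliberately ignored (point 5)
        if mac in self.leases:
            return self.leases[mac]
        if mac in self.static_leases:
            ip = self.static_leases[mac]  # point 1: no RADIUS query
        else:
            self.radius_calls += 1
            accepted, reply = radius_auth(self.radius_entries, mac)
            if not accepted:
                return None  # point 2: rejected, no lease offered
            ip = reply.get("Framed-IP-Address")  # point 3
            if ip is None:  # point 4: fall back to the server pool
                if not self.pool:
                    return None
                ip = self.pool.pop(0)
        self.leases[mac] = ip
        return ip


def run_demo() -> dict:
    """Exercise the four paths; the CPE and the router behind it share src_mac."""
    pool = [str(h) for h in ipaddress.ip_network("10.20.0.0/29").hosts()]
    srv = DhcpServer(static_leases={"00:11:22:33:44:77": "10.10.0.13"},
                     pool=pool, radius_entries=parse_users(USERS_FILE))
    cpe = "00:11:22:33:44:55"
    out = {
        "cpe": srv.handle(DhcpRequest(src_mac=cpe, chaddr=cpe)),
        # customer router behind the cloning CPE: same src_mac, its own chaddr
        "router": srv.handle(DhcpRequest(src_mac=cpe, chaddr="aa:bb:cc:dd:ee:01")),
        "static": srv.handle(DhcpRequest(src_mac="00:11:22:33:44:77",
                                         chaddr="00:11:22:33:44:77")),
        "blocked": srv.handle(DhcpRequest(src_mac="de:ad:be:ef:00:01",
                                          chaddr="de:ad:be:ef:00:01")),
    }
    out["radius_calls"] = srv.radius_calls
    return out


if __name__ == "__main__":
    print(run_demo())
```

In the demo the CPE gets 10.10.0.11 from its Framed-IP-Address, the router behind it (same source MAC on the wire, different chaddr) falls through DEFAULT and gets 10.20.0.1 from the pool, the static lease is served without a RADIUS query, and the rejected MAC gets nothing. If the CPE really did rewrite chaddr as well as the Ethernet source, both requests would collapse onto the CPE entry, which is the condition to test on the CB3 before relying on this split.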
