On Thu, 9 Nov 2006, David E. Smith wrote:
> My ideal scenario would be something like this:
> * The AP runs a DHCP server and talks to a RADIUS server (that's
> easy)
Yup. (assuming Mikrotik)
> * When a client associates, do a RADIUS lookup to see if they
> should be allowed to associate (that's easy too)
Yup. You can do this with Wireless OR DHCP requests (for DHCP, the
mac addy is sent as User-Name with no password)
> * Give the CPE an IP address from one subnet, then give "whatever
> else is there" an IP from a different subnet (that's the tricky
> part)
This is not that tricky, really. Again, I am assuming Mikrotik
(since you said you were trying to better the network. ;-)).
Anyway, the way the MT will handle this (for dhcp) is:
1. If you have a static entry for the MAC, it will use those
parameters - no radius check is done
2. If you DON'T have a static entry, MT will check radius for that
user. If a NO answer is received, then the user is NOT given an IP.
What you have to do is use a "default" profile in the radius server.
I know that FreeRadius supports this, but not sure if others do. If
your radius server supports handling the IP pool (I think FreeRadius
does), then you can assign IP addresses from that pool for one group
of users. If there is no "Framed-IP-Address" in the access accept
packet, then the MT will use the pool assigned for the dhcp server
under "/ip dhcp-server network". This gives you some pretty good
options. Even if your radius server does not support the pool
option, you can assign each user in the RADIUS a static IP via the
"Framed-IP-Address" attribute and then have the "default" profile
simply not return that attribute (thereby using the "default" pool
set up on the MT).
> This is made even more complicated by the fact that many of our CPE
> are Senao CB3 units, which do MAC cloning and I don't think you can
> turn it off. (Basically, both the CPE and the customer's router, or
> whatever, show up in my tower as having the CPE's MAC.)
The DHCP server SHOULD see the MAC of the device making the request.
I believe it is the MAC inside the request (not the source mac
address) that is sent to the radius server for authentication.
> Is this even possible?
Hope this helps answer that question. :-)
--
Butch Evans
Network Engineering and Security Consulting
573-276-2879
http://www.butchevans.com/
Mikrotik Certified Consultant
(http://www.mikrotik.com/consultants.html)
--
WISPA Wireless List: [email protected]
Subscribe/Unsubscribe:
http://lists.wispa.org/mailman/listinfo/wireless
Archives: http://lists.wispa.org/pipermail/wireless/
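The lease-assignment rules Butch lays out above (static lease first with no RADIUS check; otherwise a RADIUS lookup keyed on the MAC as User-Name; Access-Reject means no address; Framed-IP-Address wins when present; otherwise the pool from "/ip dhcp-server network") can be modelled end to end. The example below is added here and is not code from the list, from MikroTik or from FreeRADIUS: it parses a small, constructed FreeRADIUS-style `users` file with per-MAC entries and a DEFAULT entry, then applies the MikroTik decision order to the client hardware address carried inside the DHCP request (the point made about MAC-cloning CPE). The MAC addresses, subnets, static lease table and the simplified `users`-file grammar are all assumptions made for illustration.

```python
"""Model of the MikroTik DHCP-server + RADIUS lease decision described in the post."""
import re
from ipaddress import IPv4Network

# Constructed FreeRADIUS-style "users" file (simplified grammar, for illustration only):
# an entry starts at column 0 with the User-Name followed by comma-separated check
# items; indented lines that follow carry comma-separated reply items. DEFAULT
# matches any User-Name that has no entry of its own.
USERS_FILE = """\
# CPE radios: fixed addresses from the CPE subnet via Framed-IP-Address
00:11:22:33:44:55    Auth-Type := Accept
        Framed-IP-Address = 10.10.1.20

aa:bb:cc:dd:ee:01    Auth-Type := Accept
        Framed-IP-Address = 10.10.1.21

# A radio that must not get an address at all
de:ad:be:ef:00:01    Auth-Type := Reject

# Everyone else ("whatever else is there"): accept, but return no
# Framed-IP-Address so the MT hands out a lease from its own pool
DEFAULT              Auth-Type := Accept
"""

# Constructed "/ip dhcp-server lease" static entries and the customer pool
STATIC_LEASES = {"00:11:22:33:44:99": "10.10.1.5"}
CUSTOMER_POOL = IPv4Network("10.20.0.0/24")

# check/reply item: Attribute <op> value, value optionally double-quoted
ITEM_RE = re.compile(r'\s*([\w-]+)\s*(:=|==|=)\s*"?([^",]*)"?\s*')


def _parse_items(text):
    """Split a comma-separated item list into {attribute: value}."""
    items = {}
    for chunk in text.split(","):
        m = ITEM_RE.fullmatch(chunk)
        if m:
            items[m.group(1)] = m.group(3).strip()
    return items


def parse_users_file(text):
    """Return an ordered list of (name, check_items, reply_items) entries."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace():
            # indented line: reply items for the entry opened above it
            entries[-1][2].update(_parse_items(line))
        else:
            parts = line.split(None, 1)
            checks = _parse_items(parts[1]) if len(parts) > 1 else {}
            entries.append((parts[0], checks, {}))
    return entries


def radius_lookup(entries, user_name):
    """Simulate the server: first entry whose name is the MAC or DEFAULT decides.
    Returns ("Access-Accept", reply_items) or ("Access-Reject", {})."""
    for name, checks, reply in entries:
        if name in (user_name, "DEFAULT"):
            if checks.get("Auth-Type") == "Accept":
                return "Access-Accept", dict(reply)
            return "Access-Reject", {}
    return "Access-Reject", {}


def assign_address(chaddr, static_leases, entries, pool, used):
    """Apply the post's rules. chaddr is the hardware address inside the DHCP
    request, not the Ethernet source MAC, so two devices behind a MAC-cloning
    CPE are still told apart here. Returns (address or None, reason)."""
    mac = chaddr.lower()
    if mac in static_leases:                    # rule 1: static entry, no RADIUS
        return static_leases[mac], "static"
    code, reply = radius_lookup(entries, mac)   # rule 2: MAC sent as User-Name
    if code != "Access-Accept":
        return None, "rejected"                 # NO answer: no IP at all
    if "Framed-IP-Address" in reply:
        return reply["Framed-IP-Address"], "radius"
    for host in pool.hosts():                   # no attribute: MT's own pool
        addr = str(host)
        if addr not in used:
            used.add(addr)
            return addr, "pool"
    return None, "pool-exhausted"


if __name__ == "__main__":
    table = parse_users_file(USERS_FILE)
    leased = set()
    for client in ("00:11:22:33:44:99", "00:11:22:33:44:55",
                   "DE:AD:BE:EF:00:01", "02:00:00:00:00:01"):
        print(client, assign_address(client, STATIC_LEASES, table, CUSTOMER_POOL, leased))
```

The `used` set stands in for the DHCP server's lease table; it is what keeps the DEFAULT-profile clients from colliding in the pool. Swapping the order of the first two rules, or letting a DEFAULT entry carry a Framed-IP-Address, is the quickest way to reproduce the "everyone gets the same address" mistakes the static-vs-pool split is meant to avoid.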