"George Heeres" <[EMAIL PROTECTED]> wrote:
> I'm planning on my access points running in routing mode instead of
> bridged mode which will allow each antenna to have its own subnet.
> Users will be authenticated via 802.1x with FreeRadius against an LDAP
> data source. Upon authentication, I'll use iptables to setup accounting
> and punch holes in the firewall based on the IP address.

A firewall isn't really necessary. The AP already forbids anyone to use
the network until they authenticate. And once they authenticate, it
shouldn't matter which IP they get.

> For simplicity, I'm just using the users file to get things working
> and tested without worrying about incorrect LDAP queries, parameters,
> etc.

That's the best approach.

> I have the 802.1x authentication working, however I'm stuck trying
> to determine how to handle the IP address allocation. Two options that
> I am aware of include: DHCP server or internally managed IP Pools with
> FreeRadius.

I think your only option is DHCP. The AP won't use any IP sent to it
by FreeRADIUS.

> The problem I'm having is during a DHCP request I don't know much
> about the request except for a MAC address. Since all the
> authentication has already taken place via FreeRadius... I don't
> have any of the necessary information to dynamically setup the
> iptables firewall / traffic shaping? Who is this person? What speed
> should they be?, etc.?

You'll have to find a way to make the firewall communicate with
FreeRADIUS (or the other way around). Maybe an external script, to
send the firewall the MAC address & user information...

> Is it possible to use the ippool module with EAP?

It's not possible to assign IP addresses via EAP.

> Before I hurt myself and code the DHCP extensions, does anyone know
> what I might be doing wrong with the rlm_ippool module and / or user
> settings. Or is there some other alternative that I haven't considered?
> If I can avoid having to dust off the C programming manual, that would
> be great.

Shell scripts. FreeRADIUS knows who the user is, and may also know the
MAC address. So use a shell script in FreeRADIUS to send that
information to the firewall.

Alan DeKok.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
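Alan's suggestion of a shell script run from FreeRADIUS, worked through as an added example; it is not code from the thread or from the FreeRADIUS project. It assumes the script is launched by rlm_exec after a successful authentication (rlm_exec exports request attributes to the child as environment variables such as USER_NAME and CALLING_STATION_ID). The chain names WIFI_AUTH and WIFI_ACCT, the fwmark values and the per-domain rate table are hypothetical. Rather than waiting for DHCP and then trying to work out which user owns an IP, it keys the firewall, accounting and shaping rules on the MAC that FreeRADIUS already saw, and validates both the user name and the MAC before anything reaches iptables.

```shell
#!/bin/sh
# Added example (not from the thread or the FreeRADIUS project): a helper
# that FreeRADIUS runs via rlm_exec after a successful 802.1x authentication.
# rlm_exec exports request attributes to the child as environment variables
# (USER_NAME, CALLING_STATION_ID), so the script learns who authenticated
# and from which MAC before DHCP hands out any address.
# Assumptions (hypothetical): chains WIFI_AUTH / WIFI_ACCT exist, tc filters
# match the fwmark values below, and the rate table would really come from
# LDAP or a reply attribute.

# Normalise any MAC spelling an AP may send (AA-BB-CC-DD-EE-FF,
# aabb.ccdd.eeff, aa:bb:cc:dd:ee:ff) to lowercase aa:bb:cc:dd:ee:ff.
# Returns 1 and prints nothing unless the input is exactly 12 hex digits.
normalize_mac() {
    hex=$(printf '%s' "$1" | tr -d ':.-' | tr 'A-F' 'a-f')
    case "$hex" in
        ????????????) ;;
        *) return 1 ;;
    esac
    case "$hex" in
        *[!0-9a-f]*) return 1 ;;
    esac
    printf '%s' "$hex" | sed 's/\(..\)/\1:/g; s/:$//'
}

# Only user names made of [A-Za-z0-9._@-] are allowed to reach iptables,
# because the rules below are built as strings and eval'ed.
safe_user() {
    case "$1" in
        '') return 1 ;;
        *[!A-Za-z0-9._@-]*) return 1 ;;
    esac
    return 0
}

# Constructed policy table: "<kbit/s ceiling> <fwmark>" per user population.
# Assumption: a real deployment would get this from LDAP or a reply attribute.
lookup_rate() {
    case "$1" in
        *@staff.example.org) echo "4096 10" ;;
        *@guest.example.org) echo "256 30" ;;
        *) echo "1024 20" ;;
    esac
}

# Print, one per line, the iptables commands that (1) let the MAC through,
# (2) count its packets in an accounting chain (no target = count only),
# and (3) mark its packets so tc can shape them by fwmark.
build_rules() {
    user=$1
    mac=$2
    rate=$3
    mark=$4
    printf 'iptables -A WIFI_AUTH -m mac --mac-source %s -m comment --comment "user=%s" -j ACCEPT\n' "$mac" "$user"
    printf 'iptables -A WIFI_ACCT -m mac --mac-source %s -m comment --comment "user=%s"\n' "$mac" "$user"
    printf 'iptables -t mangle -A WIFI_AUTH -m mac --mac-source %s -m comment --comment "user=%s rate=%skbit" -j MARK --set-mark %s\n' "$mac" "$user" "$rate" "$mark"
}

# Validate the attributes, then apply the rules (or only print them when
# DRY_RUN=1). A non-zero exit makes rlm_exec fail, so a request without a
# usable MAC is rejected instead of being let through unshaped.
authorize_station() {
    user=$1
    raw_mac=$2
    safe_user "$user" || { echo "refusing unsafe user name" >&2; return 1; }
    mac=$(normalize_mac "$raw_mac") || { echo "no usable MAC for $user" >&2; return 1; }
    set -- $(lookup_rate "$user")
    rate=$1
    mark=$2
    build_rules "$user" "$mac" "$rate" "$mark" | while IFS= read -r cmd; do
        if [ "${DRY_RUN:-0}" = 1 ]; then
            printf '%s\n' "$cmd"
        else
            eval "$cmd" || exit 1   # inputs were validated above
        fi
    done
}

# Entry point when launched by rlm_exec: attributes arrive in the environment.
if [ -n "${USER_NAME:-}" ]; then
    authorize_station "$USER_NAME" "${CALLING_STATION_ID:-}"
fi
```

To see what would be applied without touching the firewall, run it the way rlm_exec would but with `DRY_RUN=1`, e.g. `DRY_RUN=1 USER_NAME=alice@staff.example.org CALLING_STATION_ID=AA-BB-CC-DD-EE-FF sh wifi-auth.sh`. The tc side (an htb class per fwmark) is not shown, and the script only adds rules: tearing them down on Accounting-Stop, or expiring them on a timer, is still needed so a MAC does not stay open after the user leaves.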