Thanks for the tip, Schilling. We wanted to provide a "splash page" for unauthenticated access attempts. This helps to answer a whole other list of questions on "how" to do that.
Jim

--- On Wed, 2/2/11, schilling <schilling2...@gmail.com> wrote:

> From: schilling <schilling2...@gmail.com>
> Subject: Re: MAC Authentication - Bad Idea?
> To: "FreeRadius users mailing list" <freeradius-users@lists.freeradius.org>
> Date: Wednesday, February 2, 2011, 11:32 AM
>
> We implemented MAC authentication with netreg at http://netreg.sourceforge.net. We used the DHCP/DNS/HTTP piece from netreg. Its essence is DHCP/DNS/HTTP on one server.
> Basically there will be a vlan we called sandbox with ip helper-address pointing to sandbox.foo.edu. The DHCP is configured to have DNS pointing to sandbox.foo.edu too. bind is configured to resolve everything to sandbox.foo.edu. HTTP is configured with a dynamic webpage as explained later on.
>
> The logic is like the following
>
>     if (mac not in your database) {
>         send back a sandbox vlan
>         # user opening any webpage will get redirected to single server
>     }
>     else if (mac in your database) {
>         if (user blocked) {
>             send back sandbox VLAN
>         }
>         send back regular vlan name with additional attribute as you want
>     }
>
> On the web server, if you are here, you are either unregistered or registered but blocked. We have a dynamic webpage to do the following things
>
>     # mac not registered
>     # user webpage to get IP, then use IP to get MAC from DHCP lease file
>     if (MAC not in database) {
>         webportal of login with (ldap, ssh, ftp) backend,
>         mac address will be populated in the database.
>     }
>     # mac in database but blocked
>     else {
>         display the mac is blocked and call helpdesk
>     }
>
> We use this to gain a lot of knowledge/experience on dot1x, and are now moving toward 802.1x.
>
> Schilling

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
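The two lookups Schilling's message describes (IP to MAC via the DHCP lease file, then MAC to VLAN with unknown or blocked MACs sent to the sandbox), as an added Python example that is not from the post or from netreg. The lease text and registration table are constructed; the reply attribute names follow RFC 3580's VLAN assignment, and MAC normalization is included because switches send the address in several formats.

```python
import re

# Constructed sample of an ISC dhcpd.leases file (not from the post); the first
# lease for 10.0.0.5 was released, so only the second should map that IP.
SAMPLE_LEASES = """\
lease 10.0.0.5 {
  binding state free;
  hardware ethernet 00:11:22:33:44:55;
}
lease 10.0.0.5 {
  binding state active;
  hardware ethernet aa:bb:cc:dd:ee:ff;
}
lease 10.0.0.9 {
  binding state active;
  hardware ethernet 00:de:ad:be:ef:01;
}
"""

# Constructed registration table (assumed schema): canonical MAC -> (vlan, blocked)
REGISTERED = {"aa:bb:cc:dd:ee:ff": ("staff", False),
              "00:de:ad:be:ef:01": ("staff", True)}
LEASE_RE = re.compile(r"lease\s+(\S+)\s*\{(.*?)\}", re.S)

def normalize_mac(mac):
    """Canonical lowercase colon form; switches send aa-bb-cc-dd-ee-ff, aabb.ccdd.eeff, etc."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def parse_leases(text):
    """Map IP -> MAC from dhcpd.leases; later entries override earlier, only active bindings count."""
    ip_to_mac = {}
    for ip, body in LEASE_RE.findall(text):
        state = re.search(r"binding state (\w+);", body)
        hw = re.search(r"hardware ethernet ([0-9a-fA-F:]+);", body)
        if state is None or state.group(1) != "active":
            ip_to_mac.pop(ip, None)  # freed/expired lease no longer identifies this IP
        elif hw:
            ip_to_mac[ip] = normalize_mac(hw.group(1))
    return ip_to_mac

def vlan_reply(mac, registered, sandbox="sandbox"):
    """RADIUS reply attributes (RFC 3580): unknown or blocked MACs land in the sandbox VLAN."""
    entry = registered.get(normalize_mac(mac))
    vlan = sandbox if entry is None or entry[1] else entry[0]
    return {"Tunnel-Type": "VLAN", "Tunnel-Medium-Type": "IEEE-802",
            "Tunnel-Private-Group-Id": vlan}
```

The portal side would call parse_leases on the live lease file and look up the client's source IP; the RADIUS side would map vlan_reply's dictionary onto the reply attributes.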