Re: [Help] Is there a way to differentiate devices using Radius?
Sorry for this beginner question. I have read the man_rlm password but don't see an example of how to add the MAC address. Can some of you show me an example of it? I assume it's as simple as keying the MAC address into some file in the Radius conf file or something?

Thanks
Danny

On Wed, Mar 13, 2013 at 9:13 AM, Danny Kurniawan <danny.kurnia...@fairchildsemi.com> wrote:

> Noted. I guess using the AP to do the MAC filtering is the best options
> for me
>
> On Tue, Mar 12, 2013 at 9:19 PM, Alan DeKok wrote:
>
>> Danny Kurniawan wrote:
>> > Is that means we have to manually added the client MAC into radius one
>> > by one?
>>
>> You need *some* method to separate known devices from unknown ones.
>>
>> How you do it is up to you.
>>
>> Alan DeKok.
>
> --
> Best Regards,
> Danny

--
Best Regards,
Danny
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: [Help] Is there a way to differentiate devices using Radius?
Noted. I guess using the AP to do the MAC filtering is the best option for me

On Tue, Mar 12, 2013 at 9:19 PM, Alan DeKok wrote:

> Danny Kurniawan wrote:
> > Is that means we have to manually added the client MAC into radius one
> > by one?
>
> You need *some* method to separate known devices from unknown ones.
>
> How you do it is up to you.
>
> Alan DeKok.

--
Best Regards,
Danny
Re: radtest failed; IP not found
Thanks!

Added line to /etc/hosts:

    192.168.1.106 linux-vdis.site linux-vdis

and then radtest works.

/Staffan
Re: Default user authentication
Alright, I will start researching that. Never heard of huntgroups.

On Tue, Mar 12, 2013 at 10:51 AM, wrote:

> Hi,
>
> > As I use FreeRadius for my WLAN and LAN I don't want to apply this policy
> > for the wired network. So, using the users file, can I create a default
> > user and attributes that apply only for a certain Calling Station/NAS ID?
>
> sure - you could use huntgroups for that policy...or you could use
> a different virtual-server for that NAS so that it uses different policies
>
> alan
Re: Default user authentication
Hi,

> As I use FreeRadius for my WLAN and LAN I don't want to apply this policy
> for the wired network. So, using the users file, can I create a default
> user and attributes that apply only for a certain Calling Station/NAS ID?

sure - you could use huntgroups for that policy...or you could use a different virtual-server for that NAS so that it uses different policies

alan
rlm_yubikey
What is Yubikey?
---
It's another OTP solution.

Why use it?
* smsotp is ridiculously insecure
* otp clients on mobile phones can be compromised
* RSA tokens suck.

I'll expand on the RSA stuff a bit. Here's why RSA sucks:
* You need to install and maintain a special RSA Appliance just to try out the system.
* RSA tokens have a limited lifespan, once the battery runs out the token is useless, you need to get it replaced by RSA.
* RSA tokens use pre-generated token seeds. These become cryptographically useless if either your servers or RSA servers are compromised [http://arstechnica.com/security/2011/06/rsa-finally-comes-clean-securid-is-compromised/].
* They're not user friendly. Users have to transcribe the numbers and complete authentication before the code changes (something that a surprising number of users seem to find impossible).
* The tokens often get out of sync with the RSA server.
* The tokens get scratched to the point you can't read the numbers off the screen.

The yubikey guys came up with a different solution:
* You still have a physical token, but it's powered by the USB port.
* You set the encryption keys (write only), and instead of forcing users to type in a number, it just acts as a HID. When you tap the little button on the face, it enters the OTP string for you.
* Instead of using a seed and mutating it synchronously on the token and server, it uses a fixed encryption key to encrypt validation data in the password string. The encrypted data includes replay counters to stop tokens being reused.

Although the tokens are kinda expensive $15-$25 if you need a really secure OTP system probably worth giving them a trial.

Why am I going on about Yubikey ?
---
Just finished an rlm_yubikey implementation. I know there were a couple of implementations on the net already, but they were pretty poor.

There was a C one: https://code.google.com/p/freeradius-yubikey-module/

But... Well... aside the code... in general... it used its own weird config system for recording keys, values and replay data, so couldn't integrate with any of the dynamic language modules, sql or ldap.

There's also a perl one floating around somewhere, but eww, perl.

Here's the config for the new one. The yubikey authorize method acts like PAP, but is more discerning and will only set Auth-Type if it finds a User-Password value which is very likely to be yubikey OTP data.

For basic testing:

    authorize {
        update control {
            # the secret key that you set on the token
            Yubikey-Key := "0x45a9405b05e956c10257c58dd149c6c4"
        }
        yubikey
    }
    authenticate {
        Auth-Type yubikey {
            yubikey
        }
    }

You need to handle storing counter values, but it's not exactly hard if you understand what's going on, and pretty site specific anyway. The module will look for a Yubikey-Counter value in the control list, and make sure it's less than the current counter value.

Anyway, here's the default config. I'll probably add some sqlite stuff at some point to allow basic replay detection (or if anyone else wants to do that, it'd be appreciated).

This is available in FreeRADIUS 3.0 only.

https://github.com/FreeRADIUS/freeradius-server/blob/master/src/modules/rlm_yubikey/rlm_yubikey.c

-Arran

    #
    #  This module decrypts and validates Yubikey static and dynamic
    #  OTP tokens.
    #
    #  The module itself does not provide persistent storage as this
    #  would be duplicative of functionality already in the server.
    #
    #  Yubikey authentication needs two control attributes
    #  retrieved from persistent storage:
    #    * Yubikey-Key     - The AES key used to decrypt the OTP data.
    #                        The Yubikey-Public-Id and/or User-Name
    #                        attributes may be used to retrieve the key.
    #    * Yubikey-Counter - This is compared with the counter in the OTP
    #                        data and used to prevent replay attacks.
    #                        This attribute will also be available in
    #                        the request list after successful
    #                        decryption.
    #
    #  Yubikey-Counter isn't strictly required, but the server will
    #  generate warnings if it's not present when Yubikey.authenticate
    #  is called.
    #
    #  These attributes are available after authorization:
    #    * Yubikey-Public-ID - The public portion of the OTP string
    #
    #  These attributes are available after authentication (if successful):
    #    * Yubikey-Private-ID - The encrypted ID included in OTP data,
    #                           must be verified if tokens share keys.
    #    * Yubikey-Counter    - The last counter value (should be recorded).
    #    * Yubikey-Timestamp  - Token's internal clock (mainly useful for debugging).
    #    * Yubikey-Random     - Randomly generated value from the token.
    #    * Yubikey-Trigger    - How the Yubikey was triggered
    #                           ('k
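The counter storage that the post above leaves to each site, as an added example (not part of the original post and not FreeRADIUS code). It assumes the 16-byte block has already been AES-decrypted with Yubikey-Key and follows Yubico's published OTP block layout and CRC-16; the `yubikey` table, the function names and the way the two token counters are folded into one value are all hypothetical choices of this example.

```python
import sqlite3
import struct

CRC_OK_RESIDUE = 0xF0B8  # CRC-16 over a whole valid block leaves this residue


def crc16(data):
    """CRC-16 (poly 0x8408, init 0xFFFF) as used by the Yubikey OTP format."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0x8408 if crc & 1 else crc >> 1
    return crc


def parse_block(plain):
    """Unpack a decrypted OTP block; ValueError means wrong key or garbage."""
    if len(plain) != 16 or crc16(plain) != CRC_OK_RESIDUE:
        raise ValueError("CRC check failed on decrypted block")
    ctr, ts_low, ts_high, use, rnd, _crc = struct.unpack("<HHBBHH", plain[6:])
    return {
        "private_id": plain[:6].hex(),
        # Assumption of this example: fold the power-up counter and the
        # per-session use counter into one strictly increasing integer.
        "counter": ((ctr & 0x7FFF) << 8) | use,
        "timestamp": (ts_high << 16) | ts_low,
        "random": rnd,
    }


def make_block(private_id_hex, ctr, use, ts=0x010203, rnd=0xBEEF):
    """Build a constructed plaintext block (sample input, not a real token)."""
    body = bytes.fromhex(private_id_hex) + struct.pack(
        "<HHBBH", ctr, ts & 0xFFFF, ts >> 16, use, rnd)
    return body + struct.pack("<H", ~crc16(body) & 0xFFFF)


def open_store(path=":memory:"):
    """Open the counter store; a new token starts below every real counter."""
    db = sqlite3.connect(path)
    db.execute(
        "CREATE TABLE IF NOT EXISTS yubikey ("
        " public_id TEXT PRIMARY KEY,"
        " private_id TEXT NOT NULL,"
        " counter INTEGER NOT NULL DEFAULT -1)")
    return db


def enroll(db, public_id, private_id_hex):
    with db:
        db.execute("INSERT INTO yubikey (public_id, private_id) VALUES (?, ?)",
                   (public_id, private_id_hex))


def accept_otp(db, public_id, plain):
    """Return (accepted, reason) and record the counter when accepted."""
    try:
        tok = parse_block(plain)
    except ValueError:
        return False, "bad-crc"
    with db:
        # Compare and store in one statement, so two requests carrying the
        # same OTP cannot both pass the "stored < current" check.
        cur = db.execute(
            "UPDATE yubikey SET counter = ? "
            "WHERE public_id = ? AND private_id = ? AND counter < ?",
            (tok["counter"], public_id, tok["private_id"], tok["counter"]))
    if cur.rowcount == 1:
        return True, "ok"
    row = db.execute("SELECT private_id FROM yubikey WHERE public_id = ?",
                     (public_id,)).fetchone()
    if row is None:
        return False, "unknown-token"
    if row[0] != tok["private_id"]:
        return False, "private-id-mismatch"
    return False, "replay"


if __name__ == "__main__":
    db = open_store()
    enroll(db, "vvccccbbdden", "0a0b0c0d0e0f")  # constructed IDs
    otp = make_block("0a0b0c0d0e0f", ctr=5, use=0)
    print(accept_otp(db, "vvccccbbdden", otp))  # first presentation
    print(accept_otp(db, "vvccccbbdden", otp))  # same OTP presented again
```

The private ID comparison is the check the default config calls for when tokens share keys; the stored counter is what would be handed back to the module as Yubikey-Counter.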
Re: radtest failed; IP not found
On 12.03.2013 18:08, Staffan Meijer wrote:
> I uncommented the eth0 line in the configuration file when radtest did
> not work with the original.
>
> Using the original configuration file I get;
> Listening on authentication address * port 1812
>
> and
>
> linux-vdis:/etc/raddb # radtest testing password localhost 0 testing123
> radclient:: Failed to find IP address for linux-vdis.site
> radclient: Nothing to send.

your server's name resolution configuration is somewhere wrong. if you replace localhost by 127.0.0.1 it should work. fix your /etc/host, but this is beyond the scope of this list.

Olivier

--
Olivier Beytrison
Network & Security Engineer, HES-SO Fribourg
Mail: oliv...@heliosnet.org
Re: radtest failed; IP not found
On Tuesday 12 March 2013 at 18:08 +0100, Staffan Meijer wrote:
> I uncommented the eth0 line in the configuration file when radtest did
> not work with the original.
>
> Using the original configuration file I get;
> Listening on authentication address * port 1812
>
> and
>
> linux-vdis:/etc/raddb # radtest testing password localhost 0 testing123
> radclient:: Failed to find IP address for linux-vdis.site

That's a DNS issue, not a Freeradius issue.

> radclient: Nothing to send.
>
> /Staffan
>
> > --
> > Olivier Beytrison
> > Network & Security Engineer, HES-SO Fribourg
> > Mail: oliv...@heliosnet.org
Re: radtest failed; IP not found
I uncommented the eth0 line in the configuration file when radtest did not work with the original.

Using the original configuration file I get;

    Listening on authentication address * port 1812

and

    linux-vdis:/etc/raddb # radtest testing password localhost 0 testing123
    radclient:: Failed to find IP address for linux-vdis.site
    radclient: Nothing to send.

/Staffan

> --
> Olivier Beytrison
> Network & Security Engineer, HES-SO Fribourg
> Mail: oliv...@heliosnet.org
Default user authentication
I am using FreeRadius for 802.1x on my wireless LAN (cisco WLC device). This is an older device and as such doesn't allow for guest or restricted VLANs like a physical switch does. One solution I saw online in a Cisco forum is to have a default user that returns the guest VLAN attribute for any failed authentications (so essentially never fail, just always return ACCEPT-ACCEPT for the default user).

As I use FreeRadius for my WLAN and LAN I don't want to apply this policy for the wired network. So, using the users file, can I create a default user and attributes that apply only for a certain Calling Station/NAS ID?

Thanks
Re: radtest failed; IP not found
On 12.03.2013 17:05, Staffan Meijer wrote:
> Listening on authentication interface eth0 address * port 1812
> Listening on accounting address * port 1813
> Listening on command file /var/run/radiusd/radiusd.sock
> Listening on authentication address 127.0.0.1 port 18120 as server inner-tunnel
> Listening on proxy address * port 1814

freeradius is listening on eth0 port 1812, not on all interfaces. so sending packets to localhost won't work.

    netstat -puln | grep radius

will show exactly where freeradius is listening if really.

Fix your listen section and it should work

Olivier

--
Olivier Beytrison
Network & Security Engineer, HES-SO Fribourg
Mail: oliv...@heliosnet.org
radtest failed; IP not found
Hi,

I am using FreeRadius Version 2.1.12 on OpenSuse 12.2. I have looked at several postings about the same type of problem without finding the answer to my failure. Problem described below.

First use of radiusd -X resulted in /var/run/radiusd not found.
Created: mkdir /var/run/radiusd
Now radiusd -X seems to work; see attachment "radiusd.txt" for the output.

First line in "/etc/raddb/users" is:

    testing Cleartext-Password := "password"

Using radtest failed:

    linux-vdis:/etc/raddb # radtest testing password localhost 0 testing123
    radclient:: Failed to find IP address for linux-vdis.site
    radclient: Nothing to send.

Pinging localhost works:

    linux-vdis:/etc/raddb # ping localhost
    PING localhost (127.0.0.1) 56(84) bytes of data.
    64 bytes from localhost (127.0.0.1): icmp_seq=1 ttl=64 time=0.065 ms

Is the missing /var/run/radiusd an indication that the installation is incorrect? FreeRadius was installed using Yast2 software manager.

/Staffan

    FreeRADIUS Version 2.1.12, for host i586-suse-linux-gnu, built on Jan 9 2013 at 12:21
    Copyright (C) 1999-2009 The FreeRADIUS server project and contributors.
    There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
    PARTICULAR PURPOSE.
    You may redistribute copies of FreeRADIUS under the terms of the
    GNU General Public License v2.
    Starting - reading configuration files ...
Re: troubles with eap-peap mschapv2
On 12/03/13 14:23, Bertrand Poulet wrote:

> Tue Mar 12 15:10:20 2013 : Info: # Executing section authorize from file

When you make debug output, please just use:

    radiusd -X

Don't use the other arguments; they just create noise and volume (timestamps) that are basically irrelevant.

> Tue Mar 12 15:10:20 2013 : Info: +- entering group authenticate {...}
> Tue Mar 12 15:10:20 2013 : Info: [eap] EAP Identity
> Tue Mar 12 15:10:20 2013 : Info: [eap] processing type tls
> Tue Mar 12 15:10:20 2013 : Info: [tls] Initiate
> Tue Mar 12 15:10:20 2013 : Info: [tls] Start returned 1
> Tue Mar 12 15:10:20 2013 : Info: ++[eap] returns handled
> Sending Access-Challenge of id 247 to 172.20.100.53 port 1645
>     EAP-Message = 0x010300061920
>     Message-Authenticator = 0x
>     State = 0x131466f213177f9f58f8ed5fb507e76c
> Tue Mar 12 15:10:20 2013 : Info: Finished request 0.
> Tue Mar 12 15:10:20 2013 : Debug: Going to the next request
> Tue Mar 12 15:10:20 2013 : Debug: Waking up in 4.9 seconds.
> Tue Mar 12 15:10:25 2013 : Info: Cleaning up request 0 ID 247 with timestamp +8
> Tue Mar 12 15:10:25 2013 : Debug: WARNING: !!
> Tue Mar 12 15:10:25 2013 : Debug: WARNING: !! EAP session for state 0x131466f213177f9f did not finish!

This fails really REALLY early in the EAP setup. The certs haven't even been exchanged yet.

Start checking other things - check the network path, firewalls, MTU, etc. because it doesn't look like you're receiving the PEAP start - just the initial EAP identity.
Re: troubles with eap-peap mschapv2
Bertrand Poulet wrote:
> I've copied old "certs" directory to the new server.
> It's still not good.

See http://deployingradius.com/

There is detailed documentation for debugging EAP. As in 10-15 pages, with screen shots, instructions for what to do, comments as to what typically goes wrong, and how to fix it.

> The supplicant can not connect;
> there is like a loop between ra_recv and sending-access-challenge.
> the problem is with certs or could it be something else ?

The problem is likely the certificates. Debugging it is not hard. Just tedious.

Alan DeKok.
Re: troubles with eap-peap mschapv2
On 11/03/2013, freeradius-users-requ...@lists.freeradius.org wrote:
> Date: Mon, 11 Mar 2013 11:50:17 -0400
> From: Alan DeKok
> To: FreeRadius users mailing list
>
> Subject: Re: troubles with eap-peap mschapv2
> Message-ID: <513dfd39.90...@deployingradius.com>
> Content-Type: text/plain; charset=ISO-8859-1
>
> Bertrand Poulet wrote:
>> i try to migrate from FreeRADIUS 1.1.6 (Mandrake)
>> to FreeRADIUS 2.2.0 (from source) on ubuntu12.04.
> That should be easy.

I thought so (from what i read on documentation).

>> The same supplicant and same AP with old FR is ok,
>> but not with new FR 2.2.0.
>>
>> What i've done :
>>
>> I've installed with ./configure; make; make install
>> root@myhost:/usr/local/etc/raddb/certs# make
>> openssl dhparam -out dh 1024
> Well... that's the problem. You didn't copy the old certificates
> over. Instead, you created new ones.
>
> Don't do that. Use the old certs. It will work.

I've copied old "certs" directory to the new server.
It's still not good.
The supplicant can not connect;
there is like a loop between ra_recv and sending-access-challenge.
the problem is with certs or could it be something else ?

Thanks.

the output is :

    rad_recv: Access-Request packet from host 172.20.100.53 port 1645, id=247, length=172
        User-Name = "bertrand"
        Framed-MTU = 1400
        Called-Station-Id = "0014.1bb6.4be0"
        Calling-Station-Id = "844b.f5b8.d423"
        Cisco-AVPair = "ssid=ipl_dsi"
        Service-Type = Login-User
        Message-Authenticator = 0x508e5e0ee37be030c0d4c6e4002d5b60
        EAP-Message = 0x0202000d016265727472616e64
        NAS-Port-Type = Wireless-802.11
        Cisco-NAS-Port = "642"
        NAS-Port = 642
        NAS-IP-Address = 172.20.100.53
        NAS-Identifier = "net-ap-A1-1-53"
    Tue Mar 12 15:10:20 2013 : Info: # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
    Tue Mar 12 15:10:20 2013 : Info: +- entering group authorize {...}
    Tue Mar 12 15:10:20 2013 : Info: ++[preprocess] returns ok
    Tue Mar 12 15:10:20 2013 : Info: ++[chap] returns noop
    Tue Mar 12 15:10:20 2013 : Info: ++[mschap] returns noop
    Tue Mar 12 15:10:20 2013 : Info: ++[digest] returns noop
    Tue Mar 12 15:10:20 2013 : Info: [suffix] No '@' in User-Name = "bertrand", looking up realm NULL
    Tue Mar 12 15:10:20 2013 : Info: [suffix] No such realm "NULL"
    Tue Mar 12 15:10:20 2013 : Info: ++[suffix] returns noop
    Tue Mar 12 15:10:20 2013 : Info: [eap] EAP packet type response id 2 length 13
    Tue Mar 12 15:10:20 2013 : Info: [eap] No EAP Start, assuming it's an on-going EAP conversation
    Tue Mar 12 15:10:20 2013 : Info: ++[eap] returns updated
    Tue Mar 12 15:10:20 2013 : Debug: WARNING: Found User-Password == "...".
    Tue Mar 12 15:10:20 2013 : Debug: WARNING: Are you sure you don't mean Cleartext-Password?
    Tue Mar 12 15:10:20 2013 : Debug: WARNING: See "man rlm_pap" for more information.
    Tue Mar 12 15:10:20 2013 : Info: [files] users: Matched entry bertrand at line 207
    Tue Mar 12 15:10:20 2013 : Info: ++[files] returns ok
    Tue Mar 12 15:10:20 2013 : Info: ++[expiration] returns noop
    Tue Mar 12 15:10:20 2013 : Info: ++[logintime] returns noop
    Tue Mar 12 15:10:20 2013 : Info: [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.
    Tue Mar 12 15:10:20 2013 : Info: ++[pap] returns noop
    Tue Mar 12 15:10:20 2013 : Info: Found Auth-Type = EAP
    Tue Mar 12 15:10:20 2013 : Info: # Executing group from file /usr/local/etc/raddb/sites-enabled/default
    Tue Mar 12 15:10:20 2013 : Info: +- entering group authenticate {...}
    Tue Mar 12 15:10:20 2013 : Info: [eap] EAP Identity
    Tue Mar 12 15:10:20 2013 : Info: [eap] processing type tls
    Tue Mar 12 15:10:20 2013 : Info: [tls] Initiate
    Tue Mar 12 15:10:20 2013 : Info: [tls] Start returned 1
    Tue Mar 12 15:10:20 2013 : Info: ++[eap] returns handled
    Sending Access-Challenge of id 247 to 172.20.100.53 port 1645
        EAP-Message = 0x010300061920
        Message-Authenticator = 0x
        State = 0x131466f213177f9f58f8ed5fb507e76c
    Tue Mar 12 15:10:20 2013 : Info: Finished request 0.
    Tue Mar 12 15:10:20 2013 : Debug: Going to the next request
    Tue Mar 12 15:10:20 2013 : Debug: Waking up in 4.9 seconds.
    Tue Mar 12 15:10:25 2013 : Info: Cleaning up request 0 ID 247 with timestamp +8
    Tue Mar 12 15:10:25 2013 : Debug: WARNING: !!
    Tue Mar 12 15:10:25 2013 : Debug: WARNING: !! EAP session for state 0x131466f213177f9f did not finish!
    Tue Mar 12 15:10:25 2013 : Debug: WARNING: !! Please read http://wiki.freeradius.org/Certificate_Compatibility
    Tue Mar 12 15:10:25 2013 : Debug: WARNING: !!
    Tue Mar 12 15:10:25 2013 : Info: Ready to process requests.
    rad_recv: Access-Request packet from host 172.20.100.53 port 1645, id=247, length=172
        User-Name = "bertrand"
        Framed-MTU = 1400
        Called-Station-I
Re: [Help] Is there a way to differentiate devices using Radius?
Danny Kurniawan wrote:
> Is that means we have to manually added the client MAC into radius one
> by one?

You need *some* method to separate known devices from unknown ones.

How you do it is up to you.

Alan DeKok.
Re: FR Login-Time Vs Unix-Time-Based-Login
Hi,

Please mind my mistake

1.) "Unix-Time-Based-Login" using unlang rather than "Login-Time" FR attribute.

On Tue, Mar 12, 2013 at 11:06 AM, Russell Mike wrote:

> Hi Freeradius List,
>
> Why someone will use "Unix-Time-Based-Login" why not "Login-Time" FR
> attribute? Does it offer more flexibility or control over each other.
>
> Actually, we want to implement login based on time. i am reading mail
> archives since yesterday to understand basic functionality of the
> model. And have also come across where people are talking about both
> techniques. But unable to know what is better way to go with.
>
> Thanks for attending to this material
>
> Thanks / Regards
> RM
FR Login-Time Vs Unix-Time-Based-Login
Hi Freeradius List,

Why someone will use "Unix-Time-Based-Login" why not "Login-Time" FR attribute? Does it offer more flexibility or control over each other.

Actually, we want to implement login based on time. I am reading mail archives since yesterday to understand basic functionality of the model. And have also come across where people are talking about both techniques. But unable to know what is better way to go with.

Thanks for attending to this material

Thanks / Regards
RM
Re: [Help] Is there a way to differentiate devices using Radius?
On 03/12/2013 01:46 AM, Danny Kurniawan wrote:

> Is that means we have to manually added the client MAC into radius one by one?

RADIUS can only act on RADIUS attributes. There's no RADIUS attribute that says:

    Device-Type = "Bosses iPad"

Most NASes send username and network address of the client (MAC or IP) and that's about it for optional (non-authentication) stuff.

In other words, RADIUS can't differentiate devices - *you* have to do that, by supplying data and policy.
Re: [Help] Is there a way to differentiate devices using Radius?
Hi,

> Is that means we have to manually added the client MAC into radius one by
> one?

well, you want to restrict it to known devices so ONE way is to add the allowed MACs to a DB - they could be added to some other lookup table.

alan