chilli features...

wlan at wlan at
Fri Dec 28 13:10:07 UTC 2007

>> Right now, when you use MAC authentication, if an access-reject is  
>> returned, the user will still get assigned an IP address and will  
>> then be given the captive portal. This is good as a way to have  
>> certain devices bypass the captive portal. But, it would also be  
>> nice to use MAC authentication as a way to manage blocked devices.  
>> I'm considering an option which will have chilli drop all traffic  
>> from clients that get an access-reject during mac authentication.  
>> When clients are in the 'drop' state, all traffic from them is  
>> ignored.
> We have considered this as well, though I think it's better do  
> manage blocked devices based on a MAC blacklist in the radius  
> backend. Otherwise those people whose MAC authentication  
> legitimately fails (e.g. because they haven't registered theirs yet  
> through some sort of web frontend) get blocked permanently.

Yes, giving out an access-accept vs. -reject is the decision of the  
RADIUS server - so the MAC list will be there. The idea is that all  
devices not on the list will get an access-accept (in one form or  
another). The RADIUS server can issue:

	- Access-Accept (Full access)
	- Access-Accept + "require UAM" or Splash option
	- Access-Reject (Zero access)

This would be an option, not the default. The default will remain as  
it... which is that a reject still gives walled garden access during  
MAC auth.


More information about the Chilli mailing list