chilli features...
wlan at mac.com
Fri Dec 28 13:10:07 UTC 2007
>> Right now, when you use MAC authentication, if an access-reject is
>> returned, the user will still get assigned an IP address and will
>> then be given the captive portal. This is good as a way to have
>> certain devices bypass the captive portal. But, it would also be
>> nice to use MAC authentication as a way to manage blocked devices.
>> I'm considering an option which will have chilli drop all traffic
>> from clients that get an access-reject during mac authentication.
>> When clients are in the 'drop' state, all traffic from them is
>> ignored.
> We have considered this as well, though I think it's better to
> manage blocked devices based on a MAC blacklist in the radius
> backend. Otherwise those people whose MAC authentication
> legitimately fails (e.g. because they haven't registered theirs yet
> through some sort of web frontend) get blocked permanently.
Yes, giving out an access-accept vs. -reject is the decision of the
RADIUS server - so the MAC list will be there. The idea is that all
devices not on the list will get an access-accept (in one form or
another). The RADIUS server can issue:
- Access-Accept (Full access)
- Access-Accept + "require UAM" or Splash option
- Access-Reject (Zero access)
This would be an option, not the default. The default will remain as
is... which is that a reject still gives walled garden access during
MAC auth.
David