chilli features...

Gunther Mayer gunther.mayer at googlemail.com
Fri Dec 28 16:12:52 UTC 2007


wlan at mac.com wrote:
>>> Right now, when you use MAC authentication, if an access-reject is 
>>> returned, the user will still get assigned an IP address and will 
>>> then be given the captive portal. This is good as a way to have 
>>> certain devices bypass the captive portal. But, it would also be 
>>> nice to use MAC authentication as a way to manage blocked devices. 
>>> I'm considering an option which will have chilli drop all traffic 
>>> from clients that get an access-reject during mac authentication. 
>>> When clients are in the 'drop' state, all traffic from them is ignored.
>> We have considered this as well, though I think it's better to manage 
>> blocked devices based on a MAC blacklist in the radius backend. 
>> Otherwise those people whose MAC authentication legitimately fails 
>> (e.g. because they haven't registered theirs yet through some sort of 
>> web frontend) get blocked permanently.
>
> Yes, giving out an access-accept vs. -reject is the decision of the 
> RADIUS server - so the MAC list will be there. The idea is that all 
> devices not on the list will get an access-accept (in one form or 
> another). The RADIUS server can issue:
>
>     - Access-Accept (Full access)
>     - Access-Accept + "require UAM" or Splash option
>     - Access-Reject (Zero access)
>
> This would be an option, not the default. The default will remain as 
> is... which is that a reject still gives walled garden access during 
> MAC auth.
I see, sorry, I didn't understand fully what you were trying to achieve, 
now I do. However, I would still say if you want to block a given MAC 
permanently at least you should tell them why they're blocked, something 
that can only be done through UAM as some sort of visual/textual 
feedback on the splash page.

Hmm, come to think of it, UAM blocking would still allow them walled 
garden access, something one might want to block entirely indeed.

In any case, I think such a use case is still too advanced for our setup 
but I'm sure others will find it very useful.

Gunther


