FreeRADIUS - Auth-Type :=Accept - Am I doing this correctly?
-
I have 2 SSIDs on my network:
- WPA2-Enterprise
- WPA2-PSK

Both networks are using FreeRADIUS from pfSense as their RADIUS server.
The first network is WPA2-Enterprise and my clients mostly auth with EAP-TLS, although a few use PEAP because I can't get certs on those devices. This works.
The second network uses WPA2-PSK, and I configured UniFi to use Mac Authorization. Within the FreeRADIUS package for pfSense I configured nothing under the MACs section of the package. However, I did add each of my clients as a user under the Users section. I entered the MAC address of each client for the username and password for that user, and then specified the VLAN I want that user assigned to.

Up to this point, everything works how I expect. But here's where I need some help. If a user is able to connect to this WPA2-PSK network but I don't have a matching MAC address for them in my FreeRADIUS users table, I still want them to connect and go onto a VLAN (666) for unknown devices where I can have ARP Watch notify me about it.

In order to get that working, I added an additional user with no username and password, a VLAN of 666, and in the "Additional RADIUS Attributes on the TOP of this entry" section I added the following:

DEFAULT NAS-Port-Type = Wireless-802.11, Auth-Type :=Accept
This gets me the result I was hoping for, but I wanted to know if that's the correct way to do this? I'm not 100% sure about this. For example, if that user is above my users that use EAP-TLS, those users can no longer authenticate. But if this user with VLAN 666 is at the bottom of my user list, everything works how I want it to.
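For reference, here is what the ordering described above looks like in a hand-written FreeRADIUS users file. This is an added example, not text from the post and not what the pfSense package generates; the MAC addresses and VLAN numbers are constructed, it assumes UniFi MAC authorization sends the MAC as both User-Name and User-Password, and it adds one check item the post does not have (EAP-Message !* ANY) so the catch-all can never match an EAP request regardless of where it sits. Note that in the users file `==` is the comparison operator for check items.

```text
# Known clients first. UniFi MAC authorization (assumed) sends the MAC as
# both User-Name and User-Password. These addresses are constructed samples.
"aabbccddee01"  Cleartext-Password := "aabbccddee01"
        Tunnel-Type = VLAN,
        Tunnel-Medium-Type = IEEE-802,
        Tunnel-Private-Group-Id = 10

"aabbccddee02"  Cleartext-Password := "aabbccddee02"
        Tunnel-Type = VLAN,
        Tunnel-Medium-Type = IEEE-802,
        Tunnel-Private-Group-Id = 20

# Catch-all LAST, so it is only reached after every known MAC has failed to
# match. The check items limit it to wireless requests that carry no
# EAP-Message, so 802.1X/EAP-TLS clients on the enterprise SSID never hit
# Auth-Type := Accept (the breakage seen when the entry sat above them).
# Unknown devices land on the quarantine VLAN where ARP Watch can flag them.
DEFAULT NAS-Port-Type == Wireless-802.11, EAP-Message !* ANY, Auth-Type := Accept
        Tunnel-Type = VLAN,
        Tunnel-Medium-Type = IEEE-802,
        Tunnel-Private-Group-Id = 666
```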