 From:  Dave McCammon <davemac11 at yahoo dot com>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  RE: [m0n0wall] disable mac filtering and radius
 Date:  Fri, 30 Dec 2005 14:52:02 -0800 (PST)
--- Jonathan De Graeve <Jonathan dot De dot Graeve at imelda dot be>

> > Is the MAC filtering supposed to work if one is using
> > a RADIUS server?
> Yes

Thank you.

> >
> > To make sure I'm reading it correctly, if the check
> > box isn't checked (on captive portal page) then
> > m0n0wall will be attempting to make sure that a logged
> > in user's mac address doesn't change while they are
> > logged in. Does this work, relationship-wise, mac
> > address to username or mac address to ip address?
> Ip<->mac which are 'owned' by a user
> <SNIP>
> If this option is set, no attempts will be made to ensure that the MAC
> address of clients stays the same while they're logged in. This is
> required when the MAC address of the client cannot be determined
> (usually because there are routers between m0n0wall and the clients). If
> this is enabled, RADIUS MAC authentication cannot be used.
> </SNIP>
> If you read it well, this option needs to be turned on if the m0n0wall
> box will be unable to correctly pair the mac/ip. Then m0n0wall won't set
> a filter on mac/ip. In the same situation all mac authentication systems
> will be disabled since if it's not possible to retrieve the correct
> mac/ip pairs it ain't logical to do mac authentication (whether it's local
> or radius)

I was making sure it was IP<->MAC, which you pointed
out, thank you.
The "MAC address of clients stays the same while
they're logged in." part is what I was questioning. It
wasn't clear to me if it meant that the IP<->MAC combo
can't change while the user is logged in or the
Userid<->MAC combo couldn't change while user is
logged in. I was associating "logged in" with userid.

> >
> > Basically, I have a setup with a RADIUS server and I
> > have given out a userid/password pair for a company to
> > use for two days only. I still want to use the
> > MAC authentication stuff for our other "registered"
> > users.
> No prob
> >
> > I was able to login ok using two different pc's with
> > the same userid/password pair.
> Sure, you haven't 'disable concurrent user logins'
> enabled

This is what I wanted to happen but the way I was
interpreting the above explanation about MAC address
filtering, I feared that I may have missed something
when I copied the relevant code changes from the
enhanced RADIUS2 images to make a WRAP image.

> > It works the way I want
> > it but I made the image for a WRAP device
> > myself (needed the RADIUS MAC authentication stuff)
> Which images? Since you are saying RADIUS MAC authentication you're
> using one of the betas...
> > and
> > I want to make sure that I haven't screwed something
> > up and will lose the functionality with future
> > upgrades.
> Shouldn't be an issue if you didn't change the source code, but what are
> your real questions???

You answered them. See above.
