RADIUS MAC filter exceptions

I’ve a Cisco WLC with 2 SSIDs going to UCS for RADIUS auth.
Let’s call them ‘no-mac-auth’ and ‘mac-auth’.

Now we want to add MAC filtering to RADIUS via radius/mac/whitelisting for the ‘mac-auth’ network, but for the ‘no-mac-auth’ network also RADIUS auth but without the MAC filter - only user/pass.

I’ve already tried to add a UCR registry policy with radius/mac/whitelisting: false on an LDAP OU container, but it seems radius/mac/whitelisting is a global parameter and has no effect anywhere else.

Is this scenario even possible with UCS?

Same here with FortiAP.

Hello,

@boospy @6uellerBpanda are any of you able to get this working?

Yes, it has been working fine here for a long time. Here is my howto: prebuilt_systems:ucs:radius_macadressenkontrolle_fuer_wlan_ueber_ldapauth_mit_fortinet_accesspoints [DEEPDOC.AT - enjoy your brain]


@boospy thanks for the link… I assume the first code has a little bug: usr instead of ucr.

I can’t understand German so I use Google Translate.

One more question: do you know how to use VLANs, if possible? From the docs it will be possible in UCS 5, but I still use UCS 4.

Also, in your example the

cp /etc/freeradius/3.0/mods-enabled/ldap /etc/freeradius/3.0/mods-enabled/ldap_backup_orig

shouldn’t be used, at least for now: the ldap file is a symbolic link and executing that command will duplicate the ldap module.

Thanks
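An added shell example (not from the thread or the linked howto) illustrating the symlink point above. It assumes the FreeRADIUS layout where mods-enabled/ldap is a symlink to ../mods-available/ldap, and backs up the link target outside mods-enabled so the module is not loaded twice; the backup directory and the tree built in the demo are constructed assumptions.

```shell
#!/bin/sh
# backup_module <mods-enabled entry> <backup dir>
# Safe backup: resolves the symlink and copies the real file to a directory
# outside mods-enabled/, so FreeRADIUS still sees exactly one "ldap" module.
# Prints the backup path; returns 1 if the entry does not exist.
backup_module() {
    entry="$1"; dest="$2"
    [ -e "$entry" ] || return 1
    mkdir -p "$dest"
    name=$(basename "$entry")
    if [ -L "$entry" ]; then
        # Follow the link; the link itself in mods-enabled/ stays untouched.
        src=$(readlink -f "$entry")
    else
        src="$entry"
    fi
    cp -p "$src" "$dest/$name.orig"
    printf '%s\n' "$dest/$name.orig"
}

# naive_backup <mods-enabled entry>: the command from the thread. cp dereferences
# the symlink and drops a second regular file into mods-enabled/, which
# FreeRADIUS would load as a duplicate ldap module definition.
naive_backup() {
    cp "$1" "$1_backup_orig"
}

# count_enabled <mods-enabled dir> <name>: number of entries (links or files)
# whose name starts with <name>; after a correct backup this is still 1.
count_enabled() {
    find "$1" -maxdepth 1 -name "$2*" | wc -l | tr -d ' '
}

# make_demo_tree <dir>: constructed stand-in for /etc/freeradius/3.0.
make_demo_tree() {
    mkdir -p "$1/mods-available" "$1/mods-enabled"
    printf 'ldap {\n\tserver = "ldap.example"\n}\n' > "$1/mods-available/ldap"
    ln -s ../mods-available/ldap "$1/mods-enabled/ldap"
}
```

Running `count_enabled "$dir/mods-enabled" ldap` after `naive_backup` returns 2, which is the duplicate the post warns about; after `backup_module` it stays 1.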

@boospy it isn’t clear to me how it will allow two SSIDs…

The VLAN and SSID configs here are only on the FortiGate firewall/FortiAPs. With UCS LDAP groups I can allow them. Did you mean that?

@boospy nope.

What I’m trying is to have only one SSID and set the VLAN ID based on device/user/group.
In UCS 5 that is possible via the GUI … but I’m still on UCS 4.

From your example you must have one SSID for each VLAN ID, right?

Yes, sorry. That is what I have configured here.
