Same MAC Address in Multiple Sites with Built-in Radius Server
Hi all,
I'm trying to configure the same MAC address on multiple sites by using the same RADIUS Built-In server, but it errors out saying that this is NOT possible.
The scenario is the following: I have a device (an iPhone in this example) which can be connected to WLAN in my both sites, ofc one site at a time!
However, it seems this is not possible.
Is it a limitation which can be fixed in the future?
Thank you,
Fra
- Copy Link
- Subscribe
- Bookmark
- Report Inappropriate Content
nicolati wrote
Hi all,
I'm trying to configure the same MAC address on multiple sites by using the same RADIUS Built-In server, but it errors out saying that this is NOT possible.
The scenario is the following: I have a device (an iPhone in this example) which can be connected to WLAN in my both sites, ofc one site at a time!
However, it seems this is not possible.
Is it a limitation which can be fixed in the future?
Thank you,
Fra
Hi @nicolati
May I know which feature you have applied with the radius server? Could you share some screenshots about the setting page? Please help to confirm more details so that I will try to forward your request. Thanks.
- Copy Link
- Report Inappropriate Content
- Copy Link
- Report Inappropriate Content
the problem with the built-in radius server is that if you create a radius account on a site, that user will be able to log in to all sites with a radius server configured. the same applies to usernames, if you create a user, xxx, you cannot create another user with the same name.
so all sites share same radius server, you can also share this radius server with other radius compatible devices, e.g. unifi
this happens if you try to create a user in another site with the same username.
if you have several customers on such a solution, it is important to be aware that a user customer-a can log in to customer-b without problems.
so the solution is not built for cross-site security.
- Copy Link
- Report Inappropriate Content
Hi MR.S,
I understand your point, but in that case I would have expected to have the UI to insert users (MAC Addresses) at Server level, not site level.
Also, in my scenario, it would be ok to have a centralized user list to be used across all sites.
But this also seems not possible.
Thank you,
Fra
- Copy Link
- Report Inappropriate Content
Yes, the whole radius server is a bit wrongly designed, it works well if you know about the limitations, I don't know if TP-Link knows about this even once, I agree with you, users could well be on the radius server, now it's a bit scary since most people think that a Radius user can only log in to the site where the user was created, but that is not the case.
as it is now you can create users in any site you want. then log on to all sites that have radius configuration. e.g. WPA entraprice SSID.
- Copy Link
- Report Inappropriate Content
I can add one thing! :)
Since we can assign VLANs, then what happens when a device is authorized on a site on a certain VLAN (but we know it can access another site) and on the other site that VLAN is something else or even it doesn't exist? :)
@Hank, pls take into consideration a project for R&D when RADIUS server gets unified entirely under Controller side or splitted entirely under the Site side.
Thank you,
Fra
- Copy Link
- Report Inappropriate Content
if you assign a vlan and the vlan is not on the other site, radius will approve login but you will not get an ip or be able to connect to this network.
- Copy Link
- Report Inappropriate Content
I just tried with my iPhone and it works differently...
If I use the original non-private MAC Address, which is registered already on the other site, RADIUS doesn't let me log in.
Instead, if I use the private MAC Address, since it's new, I can register it to the RADIUS profile of this site and it works.
So, my conclusion is that:
- The server is one on the controller
- But the profile is one per site
- But they share the info, so it isn't possible to assign the same MAC Adress to 2 Built-In RADIUS profiles
If this is confirmed, I would ask why? :)
Thank you,
Fra
- Copy Link
- Report Inappropriate Content
I haven't tested with mac autetication but I'm pretty sure there's no difference. Have you turned off random mac address on your phone then? if it is on, you will get a new mac every time you log on to an SSID
- Copy Link
- Report Inappropriate Content
Information
Helpful: 0
Views: 526
Replies: 9
Voters 0
No one has voted for it yet.