Dynamic VLAN and FreeRadius

Joe Vieira jvieira at clarku.edu
Thu May 22 18:12:49 CEST 2008


Hi Joel,

    I think the issue here is that the D-Link APs you have are rather 
limited.

RADIUS cannot ever assign an SSID because that step occurs before the 
user is authenticated.  Wireless starts with an association from the user 
to the AP's SSID; from there the AP decides what needs to happen. 

RADIUS can affect VLANs (generally, at least in the Cisco world, with 
'Tunnel-Private-Group-ID', like you mentioned) but you'll never be able 
to force a user to switch SSIDs because that is client controlled.

APs map VLANs to SSIDs internally; some allow n-to-1 and 1-to-n 
relationships, others, like your D-Links, only allow a direct mapping. 

Basically it sounds like you are limited by the constraints of your NAS.

Joe Vieira
UNIX Systems Administrator
Clark University

Joel MBA OYONE wrote:
> Alan,
>
> I possess a device from D-Link (DWS-3024). It is a wireless switch 
> controller, and the documentation says that:
>  - One SSID has to be affect to one VLAN on the profile.
>  - An Access point could be configured with up to 8 different SSIDs and 
> it is possible to affect each SSID on its own network (below is a link 
> which shows you the config page) or all SSIDs on the same network.  
> Maybe I didn't read it correctly, so here is the link (see page 89-90 
> and maybe 91 too.): 
> ftp://ftp.dlink.fr/DWS/DWS-3024/Manuel/DWS-3000_Series_User_Manual_v2.00.pdf
>
> I asked you stuff about SSIDs/VLAN cause all my APs (about 30) will 
> receive the same profile, and the profile will have 3 different SSIDs 
> with different security access levels and network from the wireless 
> switch.
>
> For example, in the same room, associated to the same AP, students and 
> teachers will connect to different SSIDs coming from that same AP, and 
> some will have to authenticate via EAP-PEAP, others will require EAP-TLS.
>
> This other short file explains point to point what is my config and 
> what I am trying to do:
> ftp://ftp.dlink.fr/DWS/DWS-3024/QIG/QIG_DWS-3024_WPA2.pdf
> Read it and maybe you could understand me.
>
>
> regards
>
> Joel MBA OYONE wrote:
> >>  No.  VLAN assignment is after SSID association, and after 802.1x
> >> authentication.
> >
> > OK, is it possible to associate in SSID_1 and be assigned to a different
> > VLAN than the one we are associated in?
>
>   That doesn't make sense.  SSID's aren't tied to VLANs, unless you
> configure them that way.
>
> > (example, when I am associated to
> > SSID_1, which belongs to VLAN100,
>
>   No... SSID's have nothing to do with VLAN's.
>
> > RADIUS sends me
> > "Tunnel-Private-Group-ID = 200", which belongs to another SSID, what
> > would happen and would the authentication process succeed?)
>
>   Read your NAS documentation to see how to do VLAN assignment, and how
> it interacts with SSID's.
>
> > - If I am assigned to another couple of SSID/VLAN than the one I am
> > connected to now by RADIUS, would the authentication process restart at the
> > beginning?
>
>   Stop talking about "SSID/VLAN".  They are separate things.
>
>   When you do VLAN assignment with RADIUS, you do NOT need to
> re-authenticate.
>
> > - is it possible to do EAP-TLS, EAP-PEAP and EAP-MD5 without the use of
> > 802.1x when RADIUS is the authentication Server for a supplicant?
>
>   What does that mean?
>
>   Alan DeKok.
> -
> List info/subscribe/unsubscribe? See 
> http://www.freeradius.org/list/users.html
>
> __________________________________________________
> Do You Yahoo!?
> Want to be done with spam? Yahoo! Mail offers you the best protection 
> possible against unsolicited messages
> http://mail.yahoo.fr Yahoo! Mail 
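
An added example, not part of the original thread or of FreeRADIUS: a decoder for the attributes an Access-Accept carries when RADIUS assigns a VLAN, using the "Tunnel-Private-Group-ID = 200" case discussed above. The attribute numbers and values come from RFC 2868 and RFC 3580; the function names and the sample bytes are constructed for illustration.

```python
# Added example: decode the RFC 2868 tunnel attributes that carry a VLAN
# assignment (RFC 3580) out of the attribute section of an Access-Accept.
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
VLAN, IEEE_802 = 13, 6  # RFC 3580 values for the first two attributes


def attr(attr_type, value):
    """Encode one RADIUS attribute: type, length (header included), value."""
    return bytes([attr_type, len(value) + 2]) + value


def parse_attrs(blob):
    """Yield (type, value) pairs from a run of RADIUS attributes."""
    i = 0
    while i < len(blob):
        if i + 2 > len(blob):
            raise ValueError("truncated attribute header")
        t, length = blob[i], blob[i + 1]
        if length < 2 or i + length > len(blob):
            raise ValueError("bad attribute length")
        yield t, blob[i + 2:i + length]
        i += length


def assigned_vlan(blob):
    """Return the VLAN ID if the full RFC 3580 triple is present, else None."""
    seen = {}
    for t, v in parse_attrs(blob):
        if t in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE) and len(v) == 4:
            seen[t] = int.from_bytes(v[1:], "big")  # v[0] is the tag octet
        elif t == TUNNEL_PRIVATE_GROUP_ID and v:
            # A first octet above 0x1F is data, not a tag (RFC 2868).
            raw = v[1:] if v[0] <= 0x1F else v
            seen[t] = raw.decode("ascii", "replace")
    if seen.get(TUNNEL_TYPE) != VLAN or seen.get(TUNNEL_MEDIUM_TYPE) != IEEE_802:
        return None
    vid = seen.get(TUNNEL_PRIVATE_GROUP_ID, "")
    return int(vid) if vid.isdigit() and 1 <= int(vid) <= 4094 else None


# Constructed sample: the attributes for "Tunnel-Private-Group-ID = 200".
SAMPLE = (attr(TUNNEL_TYPE, b"\x00" + VLAN.to_bytes(3, "big"))
          + attr(TUNNEL_MEDIUM_TYPE, b"\x00" + IEEE_802.to_bytes(3, "big"))
          + attr(TUNNEL_PRIVATE_GROUP_ID, b"200"))

if __name__ == "__main__":
    print(assigned_vlan(SAMPLE))
```

Whether the NAS honours the returned VLAN, and how that VLAN relates to the SSID the client associated with, is decided by the NAS configuration, as the replies above point out.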


