Yet another multiple SSID setup question

Alan Buxey A.L.M.Buxey at lboro.ac.uk
Tue Jul 12 09:23:40 CEST 2011


Nick, the joy of FreeRADIUS is that you can do this in umpteen different ways.

I would recommend that you use unlang to check the SSID in the request and then proxy that request to a different virtual server to deal with it in the way you want.

Alan
--
Message may be brief as it has been sent from my mobile

----- Reply message -----
From: "James J J Hooper" <jjj.hooper at bristol.ac.uk>
Date: Tue, Jul 12, 2011 08:19
Subject: Yet another multiple SSID setup question
To: "FreeRadius users mailing list" <freeradius-users at lists.freeradius.org>

On 12/07/2011 02:50, Nick Kartsioukas wrote:
> I've been looking through the wiki and staring at the config files and
> I'm...confused.
> I've successfully gotten our Cisco WLC to authenticate against
> ActiveDirectory as well as a Sun LDAP server (just one at a time) via
> FreeRADIUS for a single test SSID, but now I'm trying to figure out how
> to split that into conditional checks.  Before I go chopping up the
> existing config files and making a horrible mess of things, I wanted to
> verify a few things with the wisdom of the list.
>
> Okay...let's say I have an SSID for students and an SSID for staff.
> Students authenticate against LDAP, which stores passwords as salted
> SHA1 hashes.  Staff authenticate against Windows ActiveDirectory.
> I've found where the WLC sends the SSID to FreeRADIUS, so I can get at
> that.  My question is, how do I set up the EAP-TTLS/PAP session for the
> Student SSID and the separate PEAP/MSCHAPv2 session for the Staff SSID?
> Are these configured as different virtual servers?  Or just different
> modules that I call from the users file like so:
> DEFAULT Auth-Type := student_module, Called-Station-SSID := "student"
> DEFAULT Auth-Type := staff_module, Called-Station-SSID := "staff"
>
> If so how do I set that up, as that would be two different eap.conf
> setups (wouldn't it)?  Am I missing something obvious in the docs?
> Thanks for taking the time to help me out!

If they are different SSIDs on the Cisco WLC, you should be able to assign
different RADIUS servers for each SSID. Do that, e.g.:
ssid1 -> 192.0.2.1:1645
ssid2 -> 192.0.2.1:1812

Then use a different FreeRADIUS virtual server to handle each (i.e. one
virtual server listening on port 1812, and one listening on port 1812).

This way you can keep the intricacies of each separate.

-James
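
Added example, not part of the original thread: one way to write the SSID check and virtual-server dispatch that Alan's reply describes, in FreeRADIUS 2.x configuration syntax. The realm names `student_wlan` and `staff_wlan` and the virtual server names `student` and `staff` are hypothetical, and `Called-Station-SSID` is assumed to be populated as in Nick's question.

```conf
# proxy.conf: realms that hand a request to a local virtual server
# instead of a remote home server (realm and server names are hypothetical)
realm student_wlan {
    virtual_server = student
}
realm staff_wlan {
    virtual_server = staff
}

# sites-enabled/default: choose the realm from the SSID
# (assumes Called-Station-SSID is present in the request, as in the question)
authorize {
    if (Called-Station-SSID == "student") {
        update control {
            Proxy-To-Realm := "student_wlan"
        }
    }
    elsif (Called-Station-SSID == "staff") {
        update control {
            Proxy-To-Realm := "staff_wlan"
        }
    }
    else {
        # Unknown or missing SSID: refuse rather than fall through
        # to either authentication backend.
        reject
    }
}
```

Each of the `student` and `staff` virtual servers then carries its own EAP setup, so the EAP-TTLS/PAP and PEAP/MSCHAPv2 configurations stay separate.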