Yet another multiple SSID setup question

Alexander Clouter alex at digriz.org.uk
Wed Jul 13 10:33:37 CEST 2011


Nick Kartsioukas <lists.freeradius at change.nightwind.net> wrote:
> 
> Thanks for the hints!  I think I've got my eap.conf set up as I need it.
> After some errors from freeradius and further document exploration, it
> looks like what I need for the authorize section is this:
>        rewrite_called_station_id
> 
>        if(Called-Station-Ssid == "staff") {
>                mschap_staff
>        }
>        if(Called-Station-Ssid == "lab") {
>                mschap_lab
>        }
>        if(Called-Station-Ssid == "student_wpa") {
>                ldap
>        }
>        if(Called-Station-Ssid == "student") {
>                ldap
>        }
>
I would *strongly* recommend you run just one SSID and use VLAN 
assignment in post-auth to 
----
post-auth {
  ...

  # defaults
  update reply {
    Tunnel-Type := VLAN
    Tunnel-Medium-Type := IEEE-802
    Tunnel-Private-Group-Id := "unauthorised"

    Termination-Action := RADIUS-Request
    Session-Timeout := 300

    Acct-Interim-Interval := 3600
  }

  if (Ldap-Group == foobar) {
    update reply {
      Tunnel-Private-Group-Id := "staff"
    }
  }
  else {
    ...
  }
}
----

The huge advantage is that *every* user at your organisation can follow 
the same instructions to connect to the wireless (and wired) network.  
It is also then trivial to put in 'eduroam'; if you use 'eduroam' from 
day one (*strongly* recommended to avoid pain down the road). 

Cheers

-- 
Alexander Clouter
.sigmonster says: Youth is the trustee of posterity.



