LDAP authentication filter based on source SSID

Gustavo Vieira Oliveira gustavov at sc.senai.br
Fri Jul 12 17:29:15 CEST 2013


Olivier,

Don't you need to set "radius-server vsa send" in the AP so it sends the
SSID in the authentication request?

Regards,

Gustavo Vieira Oliveira

GETIC - Gerência de Tecnologia da Informação
SUSERV - Superintendência de Serviços Compartilhados

Sistema FIESC
Rod. Admar Gonzaga, 2765 - Itacorubi - 88034-001 - Florianópolis - SC
Fone (48) 32314699 - Ramal 44699
http://www.sistemafiesc.com.br

On 12/07/2013 12:18, Gustavo Vieira Oliveira wrote:
> I forgot to say that we use H-REAP, so we do not authenticate it in the
> WLC.
>
> On 12/07/2013 12:14, Olivier Beytrison wrote:
>> On 12.07.2013 17:03, Gustavo Vieira Oliveira wrote:
>>> I need some help with RADIUS regarding Wireless authentication with
>>> RADIUS + LDAP.
>> Hello. Which version of FreeRADIUS are you running?
>>
>>> I need to check if the user has permission to connect to a specific
>>> SSID, so we check a LDAP attribute for that.
>> Pretty easy
>>
>>> By that, we need to know from which SSID the authentication is being
>>> requested so we use a specific LDAP Filter to search the base and grant
>>> or deny the permission.
>>>
>>> We tried to use two instances of RADIUS, one per SSID, but the Wireless
>>> Controller doesn't seem to support it (supports only one AAA per AP).
>> Oh, what?
>>
>>> That's why I'm asking for help in case you people have some
>>> alternatives or ideas to solve it.
>>>
>>> The setup is based on Cisco Wireless Controller 5508.
>> I'm also setting up WLC-5508 right now on my side.
>>
>> First, the AAA servers are defined per SSID. So you can specify
>> different RADIUS servers (or simply ports) for each SSID.
>>
>> Secondly, you can now customize the NAS-Identifier on a per-SSID basis
>> (at least in release 7.4).
>>
>> Finally, the Called-Station-Id will contain the SSID name. If you use
>> the policy rewrite_called_station_id it will populate the attribute
>> Called-Station-SSID with the SSID Name.
>>
>> So all the tools to do it easily are in your hands.
>>
>> Olivier
>

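As an added illustration of the approach discussed in this thread (not code from either poster or from FreeRADIUS), the Python sketch below splits a Called-Station-Id of the form "AP-MAC:SSID" and builds a per-SSID LDAP search filter, rejecting requests that carry no SSID. The attribute names `uid` and `allowedSSID` and the accepted MAC separator styles are assumptions; the thread does not name the LDAP attribute being checked.

```python
import re

# Called-Station-Id with the SSID appended: AP MAC, then ":" and the SSID name.
# Accepting "-", ":", "." or no separator inside the MAC is an assumption.
_CSID = re.compile(r"^((?:[0-9a-f]{2}[-:.]?){5}[0-9a-f]{2})(?::(.+))?$", re.IGNORECASE)

# Hypothetical LDAP attributes (not named in the thread).
USER_ATTR = "uid"
SSID_ATTR = "allowedSSID"


def split_called_station_id(value):
    """Return (normalised_mac, ssid or None); raise ValueError on malformed input."""
    m = _CSID.match(value.strip())
    if not m:
        raise ValueError("unparseable Called-Station-Id: %r" % value)
    digits = re.sub(r"[^0-9a-f]", "", m.group(1).lower())
    mac = "-".join(digits[i:i + 2] for i in range(0, 12, 2))
    return mac, m.group(2)


def ldap_escape(value):
    """Escape a filter assertion value per RFC 4515 so it cannot alter the filter."""
    out = []
    for ch in value:
        if ch in "\\*()\x00":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def ssid_filter(user_name, called_station_id):
    """Build the per-SSID search filter; None means reject (fail closed)."""
    try:
        _, ssid = split_called_station_id(called_station_id)
    except ValueError:
        return None
    if not ssid:
        return None  # NAS sent no SSID, so the permission cannot be checked
    return "(&(%s=%s)(%s=%s))" % (
        USER_ATTR, ldap_escape(user_name), SSID_ATTR, ldap_escape(ssid))
```

Both the user name and the SSID are escaped before they reach the filter, so a crafted User-Name such as `*)(uid=*` is matched literally instead of widening the search.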


More information about the Freeradius-Users mailing list