Virtual Server per VLAN authentication

Alan DeKok aland at deployingradius.com
Tue Nov 14 14:23:00 CET 2017


On Nov 13, 2017, at 3:54 AM, Arnaud Forster <arnaud.forster at mwprog.ch> wrote:
> 
> First of all, sorry for my bad English; I'm going to try explaining as simply as possible, so let me know if you don't understand what I say.
> I found a post here which is nearly the same as my problem: http://lists.freeradius.org/pipermail/freeradius-users/2010-July/048002.html
> I need to create multiple SSIDs in a school.
> On my server, I can create virtual VLANs and assign a DHCP server to each. My APs are able to manage many SSIDs and I can assign a different VLAN to each SSID. I made a test and, according to the SSID I connect to, I receive a different IP address.
> The freeradius on my server is version 3.04. It's connected to an LDAP server. Everything is working fine; people can connect to the SSID using their user/password. But now, I'd like some users to be able to connect only to a specific SSID/VLAN; for example, I'd like to create a Teachers SSID that only users belonging to the group 'teachers' (in my LDAP server) can connect to.
> Is it possible to do that?

  Yes.  Typically you map LDAP groups to SSIDs.

- be sure you have "rewrite_called_station_id" in raddb/policy.d/canonicalization.  If not, upgrade to 3.0.15
- list "rewrite_called_station_id" in the "authorize" section of raddb/sites-enabled/default

  This gets the SSID out as something useful, instead of being buried inside of another attribute.

  Then, just check for SSIDs and LDAP groups.  Put this into "authorize", after the "rewrite_called_station_id" entry:

	if (Called-Station-SSID == "ssid1") {
		if (LDAP-Group != "teachers") {
			reject
		}
		update reply {
			... VLAN information ...
		}
	}
	elsif (... other called-station-ID check) {
		...
	}

  That's simple enough.

> On my server, each virtual VLAN has its own IP address; could I use it for my authentication?
> As I'm a complete beginner in the freeradius world, sorry if my question is stupid.

  It's fine.

  Alan DeKok.
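
A filled-in version of the policy described in the reply, as an added example that is not part of the original message. The SSID names, the "students" group and the VLAN IDs are constructed placeholders, and the final `else` assumes this virtual server only receives wireless requests, so a request with an unlisted SSID is rejected instead of falling through to authentication with no group check.

```unlang
	# Fragment for the "authorize" section of raddb/sites-enabled/default.
	# Assumes the ldap module is enabled so that LDAP-Group comparisons work.

	# Extract the SSID from Called-Station-Id into Called-Station-SSID.
	rewrite_called_station_id

	if (Called-Station-SSID == "Teachers") {
		# Only members of the LDAP group "teachers" may use this SSID.
		if (LDAP-Group != "teachers") {
			reject
		}
		# Standard RADIUS attributes an AP uses to place the client in a VLAN.
		update reply {
			Tunnel-Type := VLAN
			Tunnel-Medium-Type := IEEE-802
			Tunnel-Private-Group-Id := "10"    # constructed VLAN ID
		}
	}
	elsif (Called-Station-SSID == "Students") {    # constructed SSID name
		if (LDAP-Group != "students") {            # constructed group name
			reject
		}
		update reply {
			Tunnel-Type := VLAN
			Tunnel-Medium-Type := IEEE-802
			Tunnel-Private-Group-Id := "20"    # constructed VLAN ID
		}
	}
	else {
		# Unknown or missing SSID: fail closed.
		reject
	}
```

Running the server with `radiusd -X` while a client connects shows the extracted Called-Station-SSID value and which branch matched.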
