Virtual Server per VLAN authentication

Alan Buxey alan.buxey at gmail.com
Tue Nov 14 19:27:25 CET 2017


If you can, do not have multiple SSIDs - instead have one SSID and,
based on username/details/LDAP etc., send the client onto a different
VLAN after the authentication - this is one of the best aspects of
802.1X and decent wireless. Multiple SSIDs waste airtime.

alan

On 14 November 2017 at 13:23, Alan DeKok <aland at deployingradius.com> wrote:
> On Nov 13, 2017, at 3:54 AM, Arnaud Forster <arnaud.forster at mwprog.ch> wrote:
>>
>> First of all, sorry for my bad English; I'm going to try to explain as simply as possible, so let me know if you don't understand what I say.
>> I found a post here which is nearly the same as my problem : http://lists.freeradius.org/pipermail/freeradius-users/2010-July/048002.html
>> I need to create multiple SSID in a school.
>> On my server, I can create virtual VLANs and assign a DHCP server to each. My APs are able to manage many SSIDs and I can assign a different VLAN to each SSID. I made a test and, according to the SSID I connect to, I receive a different IP address.
>> The FreeRADIUS on my server is version 3.04. It's connected to an LDAP server. Everything is working fine; people can connect to the SSID using their user/password. But now, I'd like some users to be able to connect only to a specific SSID/VLAN; for example, I'd like to create a Teachers SSID so that only users belonging to group 'teachers' (in my LDAP server) can connect to it.
>> Is it possible to do that?
>
>   Yes.  Typically you map LDAP groups to SSIDs.
>
> - be sure you have "rewrite_called_station_id" in raddb/policy.d/canonicalization.  If not, upgrade to 3.0.15
> - list "rewrite_called_station_id" in the "authorize" section of raddb/sites-enabled/default
>
>   This gets the SSID out as something useful, instead of being buried inside of another attribute.
>
>   Then, just check for SSIDs and LDAP groups.  Put this into "authorize", after the "rewrite_called_station_id" entry:
>
>         if (Called-Station-SSID == "ssid1") {
>                 if (LDAP-Group != "teachers") {
>                         reject
>                 }
>                 update reply {
>                         ... VLAN information ...
>                 }
>         }
>         elsif (... other called-station-ID check) {
>
>   That's simple enough.
>
>> On my server, each virtual VLAN has its own IP address; could I use it for my authentication?
>> As I'm a complete beginner in the FreeRADIUS world, sorry if my question is stupid.
>
>   It's fine.
>
>   Alan DeKok.
>
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
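The two approaches discussed above (restricting an SSID to an LDAP group, and steering users onto a VLAN by group after authentication on a single SSID) combined into one unlang policy. This is an added example written for this page; it is not code from either poster or from the FreeRADIUS distribution. It assumes FreeRADIUS 3.0.15 or later with the `rewrite_called_station_id` policy listed in `authorize` before it, an ldap module instance named `ldap` whose `group` section is configured (so that `LDAP-Group` comparisons work), and that the SSID name `school`, the group names `teachers`/`students`, and the VLAN IDs `10`/`20` are placeholders to be replaced with your own:

```unlang
# Added example, not part of the original thread.
# Save as raddb/policy.d/ssid_vlan (policy.d files are $INCLUDEd inside
# the "policy { }" block, so only the policy body goes here).
#
# Assumptions (replace with your own values):
#   - SSID "school" is the single SSID users authenticate to
#   - LDAP groups "teachers" and "students" exist and the ldap module's
#     "group" section is configured so that LDAP-Group can be compared
#   - VLAN 10 is the teachers' VLAN, VLAN 20 the students' VLAN
ssid_vlan {
	# Called-Station-SSID is populated by rewrite_called_station_id from
	# the "AA-BB-CC-DD-EE-FF:SSID" form of Called-Station-Id. If the AP did
	# not send an SSID we cannot make a decision, so fail closed.
	if (!&Called-Station-SSID) {
		update reply {
			&Reply-Message := "No SSID in Called-Station-Id"
		}
		reject
	}

	# Only the single "school" SSID is served. Any other SSID on the same
	# AP (a guest network, a misconfigured SSID) is refused outright
	# instead of silently landing on the AP's default VLAN.
	if (&Called-Station-SSID != "school") {
		update reply {
			&Reply-Message := "SSID not permitted"
		}
		reject
	}

	# Dynamic VLAN assignment (RFC 3580 attributes). The first matching
	# group wins; a user in no known group is rejected.
	if (&LDAP-Group == "teachers") {
		update reply {
			&Tunnel-Type := VLAN
			&Tunnel-Medium-Type := IEEE-802
			&Tunnel-Private-Group-Id := "10"
		}
	}
	elsif (&LDAP-Group == "students") {
		update reply {
			&Tunnel-Type := VLAN
			&Tunnel-Medium-Type := IEEE-802
			&Tunnel-Private-Group-Id := "20"
		}
	}
	else {
		update reply {
			&Reply-Message := "User is in no VLAN-mapped group"
		}
		reject
	}
}

# Usage: in raddb/sites-enabled/default, call the policy in "authorize"
# after rewrite_called_station_id and after the ldap module:
#
#   authorize {
#       ...
#       rewrite_called_station_id
#       ...
#       ldap
#       ssid_vlan
#       ...
#   }
```

Two caveats when this is used with 802.1X (PEAP/TTLS) rather than plain PAP: the real user identity is only visible inside the TLS tunnel, so the `LDAP-Group` check belongs in the `authorize` section of `sites-enabled/inner-tunnel` (where the SSID set by the outer request can be read as `&outer.request:Called-Station-SSID`), and the `Tunnel-*` attributes set in the inner reply must be copied to the outer reply for the AP to see them (via `use_tunneled_reply` in the eap module's peap/ttls sections, or an `update outer.reply` in the inner-tunnel post-auth section, depending on your 3.0.x version). Test the mapping with `radtest` against each SSID string and watch `radiusd -X` for the `Tunnel-Private-Group-Id` in the Access-Accept before changing the APs.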


