Yes, just use the Cisco AV Pair to say user1 Auth-Type := EAP, Cisco-AVPair := "SSID=SSID1" user2 Auth-Type := EAP, Cisco-AVPair := "SSID=SSID2" That would force user1 to only associate to SSID1 and user2 to only associate to SSID2. You *may* need to change them from being check attributes to reply attributes if your AP doesn't actually send those attributes with an Access-Request. In that case, you send the Cisco-AVPair = "SSID=SSIDn" back to the AP and if it doesn't match, then it can locally fail to authorize the user. Rgds, Guy On 29/03/06, Antonio Matera <antonio.matera@create-net.it> wrote:
Hallo, I have a problem with the authentication on different VLAN.
I write for you my example:
I have two VLAN (VLAN1 and VLAN2) conneccted to two SSID (SSID1 and SSID2) on my Cisco 1200 AP. I have the same authentication on both connection (EAP-TLS).
In my users file I have two user:
user1 Auth-Type := EAP Tunnel-Medium-Type = IEEE-802, Tunnel-Private-Group-Id = 2, Tunnel-Type = VLAN
user2 Auth-Type := EAP Tunnel-Medium-Type = IEEE-802, Tunnel-Private-Group-Id = 3, Tunnel-Type = VLAN
the authentication works fine but , for example, if I connect the WinXP client on the SSID1 with the certificate user of the VLAN2, I have this situation: The client is connected to the VLAN2 but the SSID of the wireless connection is SSID1.
It is possible to prevent the connection to the select SSID if the certificate of the user is incorrect?
Thanks, bye - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html