Michal Bruncko <michal.bruncko@gmail.com> wrote:
I am using FR with WPA2-Enterprise autentification in Wifi environment with this scheme:
SSID 1 \ SSID 2 --- AP <-- Trunk --> Ruter <-----> FreeRadius SSID 3 /
My goal is to configure different security for different SSID through one freeradius with virtual server feature.
My first question is, if it's possible to have different FR server configuration per SSID on single Access Point? AP have its IP address from specific managemenet VLAN (different from any SSID X VLAN). I know, that on freeradius side can be configuration separated by client IP address, but in my scenario, the IP of radius client is same for every VLAN/SSID, but the only distinguished part in communication is "Called-Station-Id" in Access-Request with form: <radio-mac>:<ssid>.
That's down to your NAS configuration, if your AP (or wireless controller) will let you use a different set of RADIUS servers for each SSID then you are in luck. The solutions I prefer. if I was doing this, either, * one SSID, and depending on the type of authentication used, use that to pick VLAN the user is dropped into * with our infernal Cisco WLC, it does include attributes in all the Access-Request packets telling you which SSID the user is connecting to, you could use this with FreeRADIUS's unlang to call a different EAP instance depending on what you want I personally would opt for the first method (as then your FreeRADIUS and 802.1X logic is identical for *wired* connectivity), however you might have Layer-8 reasons for wanting to go with the multiple SSID approach instead.
Ok, next question which is related a bit to previously one. I have presumted that freeradius cannot distinguishes between requests from different SSID, so I have configured different IP address of Radius server per SSID configuration on AP and all IP addresses are pointed to single radius server and I want to use one virtual server per listen IP address. But how I should to tell FR server, which EAP configuration must apply to which virtual server?
If you have convinced yourself you need to go with the multiple SSID approach, add the following (*untested*) to 'policy.conf': ---- extract_ssid { if ("%{request:Called-Station-Id}" =~ /^[0-9a-f]{2}(?:-[0-9a-f]{2}){5}:(.+)$/i) if ("%{1}") { update request { My-Local-Custom-SSID := "%{1}" } } else { noop } } else { noop } } ---- Now edit /etc/freeradius/dictionary for a custom string attribute for My-Local-Custom-SSID (or something you prefer). Now when you call 'extract_ssid' from your authorize section, you get a plain attribute called My-Local-Custom-SSID created that has the SSID being used.
Example: SSID 1: Security WPA2-Ent. with EAP-PEAP, for authorized mobile clients SSID 2: Security WPA2-Ent. with EAP-TLS, for persistent wifi computers with installed certificates
As a suggestion from experience, unless you actually plan on having real world different firewalling ACL's for each SSID (or backed VLAN) then doing this is not going to give your organisation any benefits.
How can I configure this situation with FR Virtual server feature? Can I simply copy, rename and modify "eap" part from eap.conf to "eap_2" and applying it in athorize/authenticate sections in second virtual server? It is enough? I have looking for any example for this scenario but whithout any success.
Create multiple 'eap {}' instances (one for TLS and one for PEAP; get these working in isolation *first*) and call then depending on when you need them. Cheers -- Alexander Clouter .sigmonster says: Conscience is what hurts when everything else feels so good.