LDAP authentication filter based on source SSID
Hello! I need some help with RADIUS regarding Wireless authentication with RADIUS + LDAP. I need to check if the user has permission to connect to a specific SSID, so we check a LDAP attribute for that. By that, we need to know from which SSID the authentication is being requested so we use a specific LDAP Filter to search the base and grant or deny the permission. We tried to use two instances of RADIUS, one per SSID, but the Wireless Controller doesn't seem to support it (supports only one AAA per AP). That's why i'm asking for help in case you people have some alternatives or ideas to solve it. The setup is based on Cisco Wireless Controller 5508. Thanks in advance!
On 12.07.2013 17:03, Gustavo Vieira Oliveira wrote:
I need some help with RADIUS regarding Wireless authentication with RADIUS + LDAP.
Hello. which version of freeradius are you running ?
I need to check if the user has permission to connect to a specific SSID, so we check a LDAP attribute for that.
Pretty easy
By that, we need to know from which SSID the authentication is being requested so we use a specific LDAP Filter to search the base and grant or deny the permission.
We tried to use two instances of RADIUS, one per SSID, but the Wireless Controller doesn't seem to support it (supports only one AAA per AP).
oh what ?
That's why i'm asking for help in case you people have some alternatives or ideas to solve it.
The setup is based on Cisco Wireless Controller 5508.
I'm also setting up WLC-5508 right now on my side. First, the AAA servers are defined per SSID. So you can specify different radius servers (or simply ports) for each SSID Secondly, you can now customize the NAS-Identifier on a per SSID basis (at least in release 7.4) Finally, the Called-Station-Id will contain the SSID name. If you use the policy rewrite_called_station_id it will populate the attribute Called-Station-SSID with the SSID Name. So all the tools to do it easily are in your hands. Olivier -- Olivier Beytrison Network & Security Engineer, HES-SO Fribourg Mail: olivier@heliosnet.org
I forgot to say that we use H-REAP so we do not authenticate it in the WLC Atenciosamente, Gustavo Vieira Oliveira GETIC - Gerência de Tecnologia da Informação SUSERV - Superintendência de Serviços Compartilhados Sistema FIESC Rod. Admar Gonzaga, 2765 - Itacorubi - 88034-001 - Florianópolis - SC Fone (48) 32314699 - Ramal 44699 http://www.sistemafiesc.com.br Em 12/07/2013 12:14, Olivier Beytrison escreveu:
On 12.07.2013 17:03, Gustavo Vieira Oliveira wrote:
I need some help with RADIUS regarding Wireless authentication with RADIUS + LDAP. Hello. which version of freeradius are you running ?
I need to check if the user has permission to connect to a specific SSID, so we check a LDAP attribute for that. Pretty easy
By that, we need to know from which SSID the authentication is being requested so we use a specific LDAP Filter to search the base and grant or deny the permission.
We tried to use two instances of RADIUS, one per SSID, but the Wireless Controller doesn't seem to support it (supports only one AAA per AP). oh what ?
That's why i'm asking for help in case you people have some alternatives or ideas to solve it.
The setup is based on Cisco Wireless Controller 5508. I'm also setting up WLC-5508 right now on my side.
First, the AAA servers are defined per SSID. So you can specify different radius servers (or simply ports) for each SSID
Secondly, you can now customize the NAS-Identifier on a per SSID basis (at least in release 7.4)
Finally, the Called-Station-Id will contain the SSID name. If you use the policy rewrite_called_station_id it will populate the attribute Called-Station-SSID with the SSID Name.
So all the tools to do it easily are in your hands.
Olivier
Olivier, You don't need to set "radius-server vsa send" in the AP so it sends the SSID in the authentication request? Atenciosamente, Gustavo Vieira Oliveira GETIC - Gerência de Tecnologia da Informação SUSERV - Superintendência de Serviços Compartilhados Sistema FIESC Rod. Admar Gonzaga, 2765 - Itacorubi - 88034-001 - Florianópolis - SC Fone (48) 32314699 - Ramal 44699 http://www.sistemafiesc.com.br Em 12/07/2013 12:18, Gustavo Vieira Oliveira escreveu:
I forgot to say that we use H-REAP so we do not authenticate it in the WLC
Atenciosamente,
Gustavo Vieira Oliveira
GETIC - Gerência de Tecnologia da Informação SUSERV - Superintendência de Serviços Compartilhados
Sistema FIESC Rod. Admar Gonzaga, 2765 - Itacorubi - 88034-001 - Florianópolis - SC Fone (48) 32314699 - Ramal 44699 http://www.sistemafiesc.com.br
Em 12/07/2013 12:14, Olivier Beytrison escreveu:
On 12.07.2013 17:03, Gustavo Vieira Oliveira wrote:
I need some help with RADIUS regarding Wireless authentication with RADIUS + LDAP. Hello. which version of freeradius are you running ?
I need to check if the user has permission to connect to a specific SSID, so we check a LDAP attribute for that. Pretty easy
By that, we need to know from which SSID the authentication is being requested so we use a specific LDAP Filter to search the base and grant or deny the permission.
We tried to use two instances of RADIUS, one per SSID, but the Wireless Controller doesn't seem to support it (supports only one AAA per AP). oh what ?
That's why i'm asking for help in case you people have some alternatives or ideas to solve it.
The setup is based on Cisco Wireless Controller 5508. I'm also setting up WLC-5508 right now on my side.
First, the AAA servers are defined per SSID. So you can specify different radius servers (or simply ports) for each SSID
Secondly, you can now customize the NAS-Identifier on a per SSID basis (at least in release 7.4)
Finally, the Called-Station-Id will contain the SSID name. If you use the policy rewrite_called_station_id it will populate the attribute Called-Station-SSID with the SSID Name.
So all the tools to do it easily are in your hands.
Olivier
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
participants (2)
-
Gustavo Vieira Oliveira -
Olivier Beytrison