Hi guys, We're trying to centralize our corporate wifi authentication using freeradius. So far, I was able to get user to authenticate based on NAS IP (I got access to multiple NAS working as well) and Mac Address. Is it possible to also limit their access per SSID? The reason for this is because one of our locations, our HQ, has 3 SSID and only certain people have access to certain SSID but I'm not sure if this will conflict with already working NAS checking. Our HQ is using Cisco Wireless LAN Controller so all 3 SSID will connect to radius using the same NAS IP. Cheers, Roy Kartadinata
Run server in debug mode. Is SSID appearing in some attribute in Access-Request? Ivan Kalik Kalik Informatika ISP Dana 23/6/2008, "Roy Kartadinata" <rkartadinata@pocket.com> piše:
Hi guys,
We're trying to centralize our corporate wifi authentication using freeradius. So far, I was able to get user to authenticate based on NAS IP (I got access to multiple NAS working as well) and Mac Address. Is it possible to also limit their access per SSID? The reason for this is because one of our locations, our HQ, has 3 SSID and only certain people have access to certain SSID but I'm not sure if this will conflict with already working NAS checking. Our HQ is using Cisco Wireless LAN Controller so all 3 SSID will connect to radius using the same NAS IP.
Cheers,
Roy Kartadinata
On 23 Jun 2008, at 21:01, Ivan Kalik wrote:
Run server in debug mode. Is SSID appearing in some attribute in Access-Request?
It's usually in the Called-Station-Id attribute: <radio-mac>:<ssid> # Rewrite calling station id and called station id attributes # into a standard format. # If a 6th seperator is present write the trailing chars into Called- Station-SSID if("%{Called-Station-Id}" =~ /^([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]? ([0-9a-f]{2})[-:]?([0-9a-f]{2,})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2}) [-:]?([-a-z0-9_.]*)?/i){ update request { Called-Station-Id := "%{1}%{2}%{3}%{4}%{5}%{6}" Called-Station-SSID := "%{7}" } } That generally works in FR 2.0* , though you have to define Called- Station-SSID as a local attribute, see etc/raddb/dictionary for examples.
Ivan Kalik Kalik Informatika ISP
Dana 23/6/2008, "Roy Kartadinata" <rkartadinata@pocket.com> piše:
Hi guys,
We're trying to centralize our corporate wifi authentication using freeradius. So far, I was able to get user to authenticate based on NAS IP (I got access to multiple NAS working as well) and Mac Address. Is it possible to also limit their access per SSID? The reason for this is because one of our locations, our HQ, has 3 SSID and only certain people have access to certain SSID but I'm not sure if this will conflict with already working NAS checking. Our HQ is using Cisco Wireless LAN Controller so all 3 SSID will connect to radius using the same NAS IP.
Cheers,
Roy Kartadinata
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Thanks, that helps a lot. :-) Cheers, Roy Kartadinata ________________________________ From: freeradius-users-bounces+rkartadinata=pocket.com@lists.freeradius.org [mailto:freeradius-users-bounces+rkartadinata=pocket.com@lists.freeradius.org] On Behalf Of Arran Cudbard-Bell Sent: Monday, June 23, 2008 4:15 PM To: FreeRadius users mailing list Subject: Re: Limiting Wifi Access On 23 Jun 2008, at 21:01, Ivan Kalik wrote: Run server in debug mode. Is SSID appearing in some attribute in Access-Request? It's usually in the Called-Station-Id attribute: <radio-mac>:<ssid> # Rewrite calling station id and called station id attributes # into a standard format. # If a 6th seperator is present write the trailing chars into Called-Station-SSID if("%{Called-Station-Id}" =~ /^([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2,})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([-a-z0-9_.]*)?/i){ update request { Called-Station-Id := "%{1}%{2}%{3}%{4}%{5}%{6}" Called-Station-SSID := "%{7}" } } That generally works in FR 2.0* , though you have to define Called-Station-SSID as a local attribute, see etc/raddb/dictionary for examples. Ivan Kalik Kalik Informatika ISP Dana 23/6/2008, "Roy Kartadinata" <rkartadinata@pocket.com> piše: Hi guys, We're trying to centralize our corporate wifi authentication using freeradius. So far, I was able to get user to authenticate based on NAS IP (I got access to multiple NAS working as well) and Mac Address. Is it possible to also limit their access per SSID? The reason for this is because one of our locations, our HQ, has 3 SSID and only certain people have access to certain SSID but I'm not sure if this will conflict with already working NAS checking. Our HQ is using Cisco Wireless LAN Controller so all 3 SSID will connect to radius using the same NAS IP. Cheers, Roy Kartadinata - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Hi Roy If your NAS suport or you can configure WISPr Location ID and/or WISPr Location Name, you can check it on freeradius and allow or not the access. ----- Original Message ----- From: Roy Kartadinata To: FreeRadius users mailing list Sent: Monday, June 23, 2008 11:52 AM Subject: Limiting Wifi Access Hi guys, We're trying to centralize our corporate wifi authentication using freeradius. So far, I was able to get user to authenticate based on NAS IP (I got access to multiple NAS working as well) and Mac Address. Is it possible to also limit their access per SSID? The reason for this is because one of our locations, our HQ, has 3 SSID and only certain people have access to certain SSID but I'm not sure if this will conflict with already working NAS checking. Our HQ is using Cisco Wireless LAN Controller so all 3 SSID will connect to radius using the same NAS IP. Cheers, Roy Kartadinata ------------------------------------------------------------------------------ - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
participants (4)
-
Arran Cudbard-Bell -
Fabián Omar Franzotti -
Ivan Kalik -
Roy Kartadinata