Authentication based on the user groups
I have setup a Freeradius server to serve as the authentication server for Ruckus Wifi system. The backend directory server is Openldap. I can successfully authenticate users. Now I want to setup two wifi SSID. The "staff" SSID will authenticate to users belonging to the "staff" group in the Openldap directory and the "student" SSID shall authenticate to users belonging to the "student" group. What is the right way to configure this in Freeradius?
There are many ways. .. most would argue their way is the 'right one'. Personally I would use unlang for the policy. .. check that if the SSID is the staff one then people can only join when they're in the staff LDAP group and same for student one. However I would then ask why you are using multiple SSIDs (and depriving your wireless of some PHY resource) use a single SSID with service return attributes from your RADIUS server (eg VLAN override) Alan
How exactly it is done for both ways? I am new to Freeradius. On Tue, Mar 11, 2014 at 3:05 PM, Alan Buxey <A.L.M.Buxey@lboro.ac.uk> wrote:
There are many ways. .. most would argue their way is the 'right one'. Personally I would use unlang for the policy. .. check that if the SSID is the staff one then people can only join when they're in the staff LDAP group and same for student one.
However I would then ask why you are using multiple SSIDs (and depriving your wireless of some PHY resource) use a single SSID with service return attributes from your RADIUS server (eg VLAN override)
Alan
Kitty Chan wrote:
I have setup a Freeradius server to serve as the authentication server for Ruckus Wifi system. The backend directory server is Openldap. I can successfully authenticate users. Now I want to setup two wifi SSID. The "staff" SSID will authenticate to users belonging to the "staff" group in the Openldap directory and the "student" SSID shall authenticate to users belonging to the "student" group. What is the right way to configure this in Freeradius?
The SSID is placed into the Called-Station-Id attribute. It's not perfect, but it works. You should do something like the following: authorize { ... if ((Called-Station-Id =~ /:student/) && (LDAP-Group != "student")) { reject } if ((Called-Station-Id =~ /:staff/) && (LDAP-Group != "staff")) { reject } ... } Of course, change the names for the actual SSID names, and LDAP grou[ names. Alan DeKok.
participants (3)
-
Alan Buxey -
Alan DeKok -
Kitty Chan