Roaming support

Chris Moules chris at
Wed Aug 24 18:05:05 CEST 2011

On 24/08/11 17:21, Filippo Sallemi wrote:
> Hi all,
> I've a little problem with freeradius and I hope that someone could help me.
> I have 3 ap with coovachilli (configured to work with my freeradius
> 2.x server) connected to 3 xDSL. All work correct but when an user
> roam from an ap to another he have to reauhenticate itself (because
> the nas changed).
> I'm intrested to use UnLang to make freeradius able to check if user
> mac is already present in radacct table and if yes authorize user
> automatically. In this way every time an user roam from ap to another
> it colud be reauthentiated without asking for password.
> It is possible?
> Could anoyone help me in this?
> Rgds

Sounds do-able. I don't remember how CoovaChilli works with all this but there is an option for it to use the MAC address to
perform authentication.

    If this option is given ChilliSpot will try to authenticate all users based on their mac address alone. The User-Name sent
to the radius server will consist of the MAC address and an optional suffix which is specified by the macsuffix option. If the
macauth option is specified the macallowed option is ignored.

I think if this fails you 'drop-through' to the Captive Portal.

If you enable this and then check what is sent. You will then need to setup a custom 'Auth' section to perform the MAC lookup in
your (guess) DB of Auth'ed users and then let this succeed. You may also want/need then to 'kill' the other session (CoA?) on
the other AP.

This might also work without 'macauth' in but I think that would be the most 'transparent'.

This type of thing is not my bread and butter work but I have used both FreeRADIUS and CoovaChilli.

-- General remark --

It sounds like your setup is trying to do load balancing of data over 3 xDSL lines. You are trying to do this by having 3
APs/NASs on 3 lines. In setups like this I have 'normally' seen, for example, 3 APs linked to 1 NAS (CoovaChilli). Off the back
of the NAS you can load-balance your traffic. The APs just do the WiFi bit and you can roam between them the CoovaChilli in this
case does the Captive Portal (DHCP/DNS/.../?).

Not knowing anything about your setup or usage scenario I don't know is this is 'better' or just 'different'.

BTW 'roaming' has different meanings depending on what part of the system you are talking about. In this case you mean WiFi AP
roaming and not what might be understood as provider roaming which would involve RADIUS proxying (most probably). WiFi AP
roaming has no real direct RADIUS relevance, especially if the APs are setup like I mentioned. Then a device just talks to one
AP or another, there is no re-auth required.



More information about the Freeradius-Devel mailing list