Proxying based on AVPair (multiple SSIDs)

Holger Steppke team4m at muenster.de
Sat Nov 5 19:01:01 CET 2005


Hi,

there is no attribute in the Request you can match on :(
We do EAP and at least there is none and I found no way to add one.

But there is a way to configure different radius servers per ssid :)
You "just" ;) need to specify different Radius Server groups.

The real order in the config is different and I have written this down from
my head, so it could well be that there are mistakes.

Start and configure your radius servers as usual.
  radius-server host 10.10.10.1 auth-port 1812 acct-port 1813 key 0 verysecret
  radius-server host 10.10.10.2 auth-port 1812 acct-port 1813 key 0 verysecret
  radius-server host 10.10.20.1 auth-port 1812 acct-port 1813 key 0 verysecret
  radius-server host 10.10.20.2 auth-port 1812 acct-port 1813 key 0 verysecret

Then put them into 2 groups:
  aaa group server radius groupname1
   server 10.10.10.1 auth-port 1812 acct-port 1813
   server 10.10.10.2 auth-port 1812 acct-port 1813
  aaa group server radius groupname2
   server 10.10.20.1 auth-port 1812 acct-port 1813
   server 10.10.20.2 auth-port 1812 acct-port 1813

Now form 2 login methods.
  aaa authentication login method_client_group1 group groupname1
  aaa authentication login method_client_group2 group groupname2

Now you can go into the SSID config, depending on IOS version within the
Dot11 interface or before it, but I guess you will be able to find out yourself.
Here you reference the login method configured above.

 ssid Uunet
    vlan 123
    authentication open eap method_client_group1
    accounting method_client_group1
 ssid UUnet2
    vlan 234
    authentication open eap method_client_group2
    accounting method_client_group2

Of course there is more to have the AP configured properly. If you had them
running and used radius before I think you can guess what needs to be done.
If you use the Cisco WDS then only the WDS APs/Routers/Switch will talk to
your radius so the other Radius Servers just need these IPs in their Clients
files.

If this is no option I would say run multiple instances of your Freeradius
Proxy on one Server on different ports and then proxy from them.

Have a nice game :)

Bye
	Holger







> -----Original Message-----
> From: freeradius-users-bounces at lists.freeradius.org 
> [mailto:freeradius-users-bounces at lists.freeradius.org] On 
> Behalf Of Alan DeKok
> Sent: Saturday, November 05, 2005 4:29 PM
> To: FreeRadius users mailing list
> Subject: Re: Proxying based on AVPair (multiple SSIDs) 
> 
> Jason Carr <jcarr at andrew.cmu.edu> wrote:
> > Calling-Station-Id has the MAC address of the access point's SSID
> > which I'd have to collect the list of MACs, too many to filter on.  I
> > like the second method but I'm not seeing any documentation on
> > matching based on regular expressions with AVP's. Can you point to a
> > config file that I should be looking in or maybe some doc online?  I
> > searched almost all day for something on google.
> 
>   "man users".
> 
> DEFAULT	Attribute =~ "a.*b$", ...
> 	...
> 
>   Alan DeKok.
> 
> 
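
Added example, not part of the original post and not Cisco or FreeRADIUS tooling: a consistency check for a configuration like the one above, confirming that each SSID's EAP method list resolves to a server group whose servers all have a `radius-server host` declaration. The sample config is constructed and `check_ssid_radius` is a hypothetical helper name.

```python
import re

# Constructed sample: 10.10.20.1 is declared twice, 10.10.20.2 never.
SAMPLE = """\
radius-server host 10.10.10.1 auth-port 1812 acct-port 1813 key 0 EXAMPLE
radius-server host 10.10.10.2 auth-port 1812 acct-port 1813 key 0 EXAMPLE
radius-server host 10.10.20.1 auth-port 1812 acct-port 1813 key 0 EXAMPLE
radius-server host 10.10.20.1 auth-port 1812 acct-port 1813 key 0 EXAMPLE
aaa group server radius groupname1
 server 10.10.10.1 auth-port 1812 acct-port 1813
 server 10.10.10.2 auth-port 1812 acct-port 1813
aaa group server radius groupname2
 server 10.10.20.1 auth-port 1812 acct-port 1813
 server 10.10.20.2 auth-port 1812 acct-port 1813
aaa authentication login method_client_group1 group groupname1
aaa authentication login method_client_group2 group groupname2
ssid Uunet
 authentication open eap method_client_group1
ssid UUnet2
 authentication open eap method_client_group2
"""

def check_ssid_radius(config):
    """Hypothetical helper: list SSIDs whose EAP method list cannot reach a declared server."""
    hosts, groups, methods, ssid_method = set(), {}, {}, {}
    group = ssid = None  # which block (server group or ssid) the current line belongs to
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.match(r"radius-server host (\S+)", line):
            hosts.add(m.group(1))
        elif m := re.match(r"aaa group server radius (\S+)", line):
            group, ssid = m.group(1), None
            groups[group] = []
        elif m := re.match(r"aaa authentication login (\S+) group (\S+)", line):
            methods[m.group(1)] = m.group(2)
        elif m := re.match(r"(?:dot11 )?ssid (\S+)", line):
            ssid, group = m.group(1), None
        elif group and (m := re.match(r"server (\S+)", line)):
            groups[group].append(m.group(1))
        elif ssid and (m := re.match(r"authentication open eap (\S+)", line)):
            ssid_method[ssid] = m.group(1)
    findings = []
    for name, method in ssid_method.items():
        grp = methods.get(method)
        if grp not in groups:
            findings.append(f"{name}: method list {method} has no server group")
        findings += [f"{name}: {grp} uses undeclared server {ip}"
                     for ip in groups.get(grp, []) if ip not in hosts]
    return findings
```

An empty result means every SSID's authentication path ends at servers the AP actually has a shared secret for; any finding names the SSID that would fail to authenticate.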



