VLAN and SSID

Guy Davies aguydavies at gmail.com
Wed Mar 29 10:11:13 CEST 2006


Yes, just use the Cisco AV Pair to say

# "==" compares the value with the Access-Request; ":=" would only set it and always match
user1  Auth-Type := EAP, Cisco-AVPair == "SSID=SSID1"

user2  Auth-Type := EAP, Cisco-AVPair == "SSID=SSID2"

That would force user1 to only associate to SSID1 and user2 to only
associate to SSID2.

You *may* need to change them from being check attributes to reply
attributes if your AP doesn't actually send those attributes with an
Access-Request.  In that case, you send the Cisco-AVPair =
"SSID=SSIDn" back to the AP and if it doesn't match, then it can
locally fail to authorize the user.

Rgds,

Guy

On 29/03/06, Antonio Matera <antonio.matera at create-net.it> wrote:
> Hallo,
> I have a problem with the authentication on different VLANs.
>
> I write for you my example:
>
> I have two VLANs (VLAN1 and VLAN2) connected to two SSIDs (SSID1 and
> SSID2) on my Cisco 1200 AP. I have the same authentication on both
> connections (EAP-TLS).
>
> In my users file I have two users:
>
> user1    Auth-Type := EAP
>              Tunnel-Medium-Type = IEEE-802,
>              Tunnel-Private-Group-Id = 2,
>              Tunnel-Type = VLAN
>
> user2    Auth-Type := EAP
>              Tunnel-Medium-Type = IEEE-802,
>              Tunnel-Private-Group-Id = 3,
>              Tunnel-Type = VLAN
>
> The authentication works fine but, for example, if I connect the WinXP
> client on the SSID1 with the certificate user of the VLAN2, I have this
> situation:
> The client is connected to the VLAN2 but the SSID of the wireless
> connection is SSID1.
>
> Is it possible to prevent the connection to the selected SSID if the
> certificate of the user is incorrect?
>
> Thanks, bye
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>
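
The check-versus-reply decision described in the reply above, modelled as a small Python function. This is an added example, not FreeRADIUS code and not part of the original thread. The `POLICY` table and the function names are hypothetical, the `SSID=<name>` string format is taken from the message, and matching the key case-insensitively is an assumption.

```python
# Added illustration: models the check-vs-reply decision described in the message.
# It is not FreeRADIUS code; the policy table and function names are hypothetical.

# Constructed policy mirroring the two users in the thread.
POLICY = {
    "user1": {"ssid": "SSID1", "vlan": "2"},
    "user2": {"ssid": "SSID2", "vlan": "3"},
}


def request_ssid(avpairs):
    """Return the SSID from the request's Cisco-AVPair values, or None."""
    for pair in avpairs:
        key, sep, value = pair.partition("=")
        # Assumption: the key is compared case-insensitively.
        if sep and key.strip().lower() == "ssid":
            return value
    return None


def authorize(user, avpairs):
    """Return (decision, reply_attributes) for an already authenticated user."""
    entry = POLICY.get(user)
    if entry is None:
        return "Access-Reject", {}
    reply = {
        "Tunnel-Type": "VLAN",
        "Tunnel-Medium-Type": "IEEE-802",
        "Tunnel-Private-Group-Id": entry["vlan"],
    }
    ssid = request_ssid(avpairs)
    if ssid is None:
        # AP did not send the SSID: nothing to check on the server, so return
        # the expected SSID as a reply attribute and let the AP enforce it.
        reply["Cisco-AVPair"] = "SSID=" + entry["ssid"]
        return "Access-Accept", reply
    if ssid != entry["ssid"]:
        # Check attribute mismatch: the VLAN 3 user on SSID1 is refused here.
        return "Access-Reject", {}
    return "Access-Accept", reply


if __name__ == "__main__":
    # Constructed requests: right SSID, wrong SSID, SSID not sent by the AP.
    for user, pairs in [("user1", ["SSID=SSID1"]), ("user2", ["SSID=SSID1"]), ("user2", [])]:
        print(user, pairs, authorize(user, pairs))
```

In the third case the server cannot refuse the user itself, so the separation between SSID1 and SSID2 holds only if the AP rejects a client whose returned SSID does not match.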




More information about the Freeradius-Users mailing list