Proxying based on SSID

Lai Fu Keung LFK at cc.hku.hk
Wed Jan 24 11:15:31 CET 2007


The "Called-Station-Id" has the SSID included, in addition to the MAC
address.

Called-Station-Id = "00-16-E0-FD-47-40:VIP-peap"

Lai

________________________________

From: freeradius-users-bounces+lfk=cc.hku.hk at lists.freeradius.org
[mailto:freeradius-users-bounces+lfk=cc.hku.hk at lists.freeradius.org] On
Behalf Of Santiago Balaguer Garcia
Sent: Wednesday, January 24, 2007 4:11 PM
To: freeradius-users at lists.freeradius.org
Subject: Re: Proxying based on SSID

  I think both are wrong because you must distinguish among the different
SSIDs that an AP broadcasts. It sometimes happens that the wireless MAC is
the same for all SSIDs. Only some devices (such as Mikrotik) let you change
the MAC for each ESSID.

   Another thing is you have to differentiate the ESSID in your user
manager. A solution can be via VLANs, and your user manager chooses the
ESSID by the VLAN, adding a possible prefix to the username.

  I use a Mikrotik device which distinguishes the ESSID via MAC and I can
add the prefix because each ESSID has its own login page.

	
________________________________


	From:  Alan DeKok <aland at deployingradius.com>
	Reply-To:  FreeRadius users mailing list
<freeradius-users at lists.freeradius.org>
	To:  FreeRadius users mailing list
<freeradius-users at lists.freeradius.org>
	Subject:  Re: Proxying based on SSID
	Date:  Wed, 24 Jan 2007 08:18:02 +0100
	>Lai Fu Keung wrote:
	> > Normally, I proxy a PEAP request whenever the realm is unknown to us
	> > (i.e. using the DEFAULT realm without stripping user name). However, for
	> > some SSIDs, I want requests to be handled locally with ldap, independent
	> > of what the realm is (and with the user name stripped). What I did is to
	> > find those SSIDs in "Called-Station-ID" and
	> > set proxy-to-realm to a local realm.
	>
	>   OK...
	>
	> > But the problem (I guess) is that when freeradius processes the realm
	> > file, the user name is not stripped. When later on processed by the
	> > local realm, the request fails because the user name still contains the
	> > domain.
	>
	>   The problem is that the realms file *isn't* being processed. That's
	>why the user names aren't stripped.
	>
	>   You can always put the check for SSID *after* the check for the
	>realms.  In that case, the usernames will be stripped, and the SSID
	>check can cancel any proxying, just like you do now.
	>
	>   Alan DeKok.
	>--
	>   http://deployingradius.com       - The web site of the book
	>   http://deployingradius.com/blog/ - The blog
	>-
	>List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
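
Added example, not part of any message in this thread and not FreeRADIUS configuration: a Python sketch of the ordering discussed above, where the realm step splits the user name first and an exact-match SSID check on Called-Station-Id then cancels proxying. The `MAC:SSID` layout is taken from the sample value in the thread; the realm names, the `user@realm` form and all function names are assumptions made for illustration.

```python
import re

# Constructed sample policy (assumptions, not from the thread's configuration).
LOCAL_SSIDS = {"VIP-peap"}        # SSIDs always authenticated locally
LOCAL_REALMS = {"example.org"}    # hypothetical realm we own

# Six hex octets separated by '-' or ':', optionally followed by ':' and the SSID.
# Matching the MAC first lets the SSID itself contain ':' characters.
_CSID = re.compile(
    r"^((?:[0-9A-Fa-f]{2}[-:]){5}[0-9A-Fa-f]{2})(?::(.*))?$", re.S)

def split_called_station_id(value):
    """Return (mac, ssid); ssid is None when the NAS sent only the MAC."""
    m = _CSID.match(value)
    if not m:
        raise ValueError("unrecognised Called-Station-Id: %r" % value)
    return m.group(1).replace(":", "-").upper(), m.group(2)

def route(user_name, called_station_id):
    """Return ("local", stripped_name) or ("proxy", original_name)."""
    # Step 1, realm processing: split user@realm so a stripped name exists.
    stripped, sep, realm = user_name.rpartition("@")
    if not sep:                          # no realm in the user name
        stripped, realm = user_name, None
    # Step 2, SSID check after the realm step: an exact match on the SSID
    # (never a substring match) cancels proxying whatever the realm is.
    _, ssid = split_called_station_id(called_station_id)
    if ssid in LOCAL_SSIDS:
        return ("local", stripped)
    if realm is None or realm in LOCAL_REALMS:
        return ("local", stripped)
    # Unknown realm on any other SSID: forward the name unstripped.
    return ("proxy", user_name)

if __name__ == "__main__":
    print(route("alice@other.edu", "00-16-E0-FD-47-40:VIP-peap"))
    print(route("alice@other.edu", "00-16-E0-FD-47-40:guest"))
```

Called-Station-Id is supplied by the NAS, so the SSID decision is only as trustworthy as the access points and shared secrets behind it.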



