FR virtual server question and EAP configuration

Michal Bruncko michal.bruncko at gmail.com
Fri Jul 16 00:34:35 CEST 2010


Hello list

I am using FR with WPA2-Enterprise authentication in a Wifi environment 
with this scheme:

SSID 1 \
SSID 2 --- AP <-- Trunk --> Router <-----> FreeRadius
SSID 3 /

My goal is to configure different security for different SSIDs through 
one freeradius with the virtual server feature.

My first question is whether it's possible to have a different FR server 
configuration per SSID on a single Access Point. The AP has its IP address 
from a specific management VLAN (different from any SSID X VLAN). I know 
that on the freeradius side the configuration can be separated by client IP 
address, but in my scenario the IP of the radius client is the same for every 
VLAN/SSID, and the only distinguishing part of the communication is 
"Called-Station-Id" in the Access-Request, with the form: <radio-mac>:<ssid>.

OK, the next question is related a bit to the previous one. I have 
presumed that freeradius cannot distinguish between requests from 
different SSIDs, so I have configured a different IP address of the Radius 
server per SSID configuration on the AP. All IP addresses point to a 
single radius server and I want to use one virtual server per listen IP 
address. But how should I tell the FR server which EAP configuration 
must apply to which virtual server?
Example:
SSID 1: Security WPA2-Ent. with EAP-PEAP, for authorized mobile clients
SSID 2: Security WPA2-Ent. with EAP-TLS, for persistent wifi computers 
with installed certificates

How can I configure this situation with the FR virtual server feature? Can I 
simply copy, rename and modify the "eap" part from eap.conf to "eap_2" and 
apply it in the authorize/authenticate sections in the second virtual server? 
Is it enough? I have been looking for an example for this scenario but 
without any success.

thanks

bruncko
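
The layout the post describes (one virtual server per listen address, each referencing its own named copy of the eap module), written out as an added example that is not part of the original post or of FreeRADIUS's shipped configuration. It assumes FreeRADIUS 2.x configuration syntax; the instance names, server names, 192.0.2.x addresses and certificate paths are constructed placeholders.

```conf
# modules section (next to eap.conf): two named instances of the eap module
eap eap_peap {                  # hypothetical instance name, used for SSID 1
	default_eap_type = peap
	tls {                       # PEAP uses these settings for its outer TLS tunnel
		private_key_file = ${confdir}/certs/server.pem
		certificate_file = ${confdir}/certs/server.pem
		CA_file = ${confdir}/certs/ca.pem
		dh_file = ${confdir}/certs/dh
		random_file = ${confdir}/certs/random
	}
	peap {
		default_eap_type = mschapv2
		virtual_server = "inner-tunnel"
	}
	mschapv2 {
	}
}

eap eap_tls {                   # hypothetical instance name, used for SSID 2
	default_eap_type = tls
	tls {                       # no peap/ttls/mschapv2 blocks: certificates only
		private_key_file = ${confdir}/certs/server.pem
		certificate_file = ${confdir}/certs/server.pem
		CA_file = ${confdir}/certs/ca.pem
		dh_file = ${confdir}/certs/dh
		random_file = ${confdir}/certs/random
	}
}

# sites-enabled: one virtual server per address the AP is pointed at
server ssid1 {
	listen {
		type = auth
		ipaddr = 192.0.2.11     # constructed address configured on the AP for SSID 1
		port = 1812
	}
	authorize { eap_peap }
	authenticate { eap_peap }
}

server ssid2 {
	listen {
		type = auth
		ipaddr = 192.0.2.12     # constructed address configured on the AP for SSID 2
		port = 1812
	}
	authorize { eap_tls }
	authenticate { eap_tls }
}
```

Running the server in debug mode (radiusd -X) shows which virtual server and which eap instance handled each Access-Request, which is the way to confirm that each SSID only reaches its intended EAP configuration.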


