FR virtual server question and EAP configuration

Fri Jul 16 10:12:11 CEST 2010

Michal Bruncko <michal.bruncko at gmail.com> wrote:
> 
> I am using FR with WPA2-Enterprise autentification in Wifi environment 
> with this scheme:
> 
> SSID 1 \
> SSID 2 --- AP <-- Trunk --> Ruter <-----> FreeRadius
> SSID 3 /
> 
> My goal is to configure different security for different SSID through 
> one freeradius with virtual server feature.
> 
> My first question is, if it's possible to have different FR server 
> configuration per SSID on single Access Point? AP have its IP address 
> from specific managemenet VLAN (different from any SSID X VLAN). I know, 
> that on freeradius side can be configuration separated by client IP 
> address, but in my scenario, the IP of radius client is same for every 
> VLAN/SSID, but the only distinguished part in communication is 
> "Called-Station-Id" in Access-Request with form: <radio-mac>:<ssid>.
>
That's down to your NAS configuration, if your AP (or wireless 
controller) will let you use a different set of RADIUS servers for each 
SSID then you are in luck.

The solutions I prefer. if I was doing this, either,
 * one SSID, and depending on the type of authentication used, use that 
	to pick VLAN the user is dropped into
 * with our infernal Cisco WLC, it does include attributes in all the 
	Access-Request packets telling you which SSID the user is 
	connecting to, you could use this with FreeRADIUS's unlang to 
	call a different EAP instance depending on what you want

I personally would opt for the first method (as then your FreeRADIUS and 
802.1X logic is identical for *wired* connectivity), however you might 
have Layer-8 reasons for wanting to go with the multiple SSID approach 
instead.

> Ok, next question which is related a bit to previously one. I have 
> presumted that freeradius cannot distinguishes between requests from 
> different SSID, so I have configured different IP address of Radius 
> server per SSID configuration on AP and all IP addresses are pointed  to 
> single radius server and I want to use one virtual server per listen IP 
> address. But how I should to tell FR server, which EAP configuration 
> must apply to which virtual server?
>
If you have convinced yourself you need to go with the multiple SSID 
approach, add the following (*untested*) to 'policy.conf':
----
extract_ssid {
	if ("%{request:Called-Station-Id}" =~ /^[0-9a-f]{2}(?:-[0-9a-f]{2}){5}:(.+)$/i)
		if ("%{1}") {
			update request {
				My-Local-Custom-SSID := "%{1}"
			}
		}
		else {
			noop
		}
	}
	else {
		noop
	}
}
----

Now edit /etc/freeradius/dictionary for a custom string attribute for 
My-Local-Custom-SSID (or something you prefer).  Now when you call 
'extract_ssid' from your authorize section, you get a plain attribute 
called My-Local-Custom-SSID created that has the SSID being used.

> Example:
> SSID 1: Security WPA2-Ent. with EAP-PEAP, for authorized mobile clients
> SSID 2: Security WPA2-Ent. with EAP-TLS, for persistent wifi computers 
> 				with installed certificates
> 
As a suggestion from experience, unless you actually plan on having real 
world different firewalling ACL's for each SSID (or backed VLAN) then 
doing this is not going to give your organisation any benefits.

> How can I configure this situation with FR Virtual server feature? Can I 
> simply copy, rename and modify "eap" part from eap.conf to "eap_2" and 
> applying it in athorize/authenticate sections in second virtual server? 
> It is enough? I have looking for any example for this scenario but 
> whithout any success.
> 
Create multiple 'eap {}' instances (one for TLS and one for PEAP; get 
these working in isolation *first*) and call then depending on when you 
need them.

Cheers

-- 
Alexander Clouter
.sigmonster says: Conscience is what hurts when everything else feels so good.