FR virtual server question and EAP configuration

Michal Bruncko michal.bruncko at
Sun Jul 25 12:25:03 CEST 2010


On 16. 7. 2010 10:12, Alexander Clouter wrote:
> Michal Bruncko<michal.bruncko at>  wrote:
>> I am using FR with WPA2-Enterprise autentification in Wifi environment
>> with this scheme:
>> SSID 1 \
>> SSID 2 --- AP<-- Trunk -->  Ruter<----->  FreeRadius
>> SSID 3 /
>> My goal is to configure different security for different SSID through
>> one freeradius with virtual server feature.
>> My first question is, if it's possible to have different FR server
>> configuration per SSID on single Access Point? AP have its IP address
>> from specific managemenet VLAN (different from any SSID X VLAN). I know,
>> that on freeradius side can be configuration separated by client IP
>> address, but in my scenario, the IP of radius client is same for every
>> VLAN/SSID, but the only distinguished part in communication is
>> "Called-Station-Id" in Access-Request with form:<radio-mac>:<ssid>.
> That's down to your NAS configuration, if your AP (or wireless
> controller) will let you use a different set of RADIUS servers for each
> SSID then you are in luck.

Yes, I am using Cisco WAP4410N which support this feature.

> The solutions I prefer. if I was doing this, either,
>   * one SSID, and depending on the type of authentication used, use that
> 	to pick VLAN the user is dropped into

I am afraid, that vlan membership per client on single SSID is not 
supported in this model, but it is good idea and I have hard about this 
only with 802.1X model in LAN, not with WLAN.

>   * with our infernal Cisco WLC, it does include attributes in all the
> 	Access-Request packets telling you which SSID the user is
> 	connecting to, you could use this with FreeRADIUS's unlang to
> 	call a different EAP instance depending on what you want
> I personally would opt for the first method (as then your FreeRADIUS and
> 802.1X logic is identical for *wired* connectivity), however you might
> have Layer-8 reasons for wanting to go with the multiple SSID approach
> instead.
>> Ok, next question which is related a bit to previously one. I have
>> presumted that freeradius cannot distinguishes between requests from
>> different SSID, so I have configured different IP address of Radius
>> server per SSID configuration on AP and all IP addresses are pointed  to
>> single radius server and I want to use one virtual server per listen IP
>> address. But how I should to tell FR server, which EAP configuration
>> must apply to which virtual server?
> If you have convinced yourself you need to go with the multiple SSID
> approach, add the following (*untested*) to 'policy.conf':
> ----
> extract_ssid {
> 	if ("%{request:Called-Station-Id}" =~ /^[0-9a-f]{2}(?:-[0-9a-f]{2}){5}:(.+)$/i)
> 		if ("%{1}") {
> 			update request {
> 				My-Local-Custom-SSID := "%{1}"
> 			}
> 		}
> 		else {
> 			noop
> 		}
> 	}
> 	else {
> 		noop
> 	}
> }
> ----
> Now edit /etc/freeradius/dictionary for a custom string attribute for
> My-Local-Custom-SSID (or something you prefer).  Now when you call
> 'extract_ssid' from your authorize section, you get a plain attribute
> called My-Local-Custom-SSID created that has the SSID being used.

Thanks! That is exactly what I have looked for. I have realize this in 
last two days and it is working perfectly :)

>> Example:
>> SSID 1: Security WPA2-Ent. with EAP-PEAP, for authorized mobile clients
>> SSID 2: Security WPA2-Ent. with EAP-TLS, for persistent wifi computers
>> 				with installed certificates
> As a suggestion from experience, unless you actually plan on having real
> world different firewalling ACL's for each SSID (or backed VLAN) then
> doing this is not going to give your organisation any benefits.

You're right, but I am integrating this scenario in school environment, 
where SSID 1 is Campus wifi network (composed from multiple AP's) for 
all students and staff only with internet connectivity and second SSID 
is wifi network for computer class (notebooks) without wired 
connectivity and I want integrate that PC's with samba domain (so, 
successful wifi connection before domain login) and with specific IP 
rules to our domain and file servers. I want to implement differenet QoS 
per SSID, because in one of AP's are located both of SSID's.

>> How can I configure this situation with FR Virtual server feature? Can I
>> simply copy, rename and modify "eap" part from eap.conf to "eap_2" and
>> applying it in athorize/authenticate sections in second virtual server?
>> It is enough? I have looking for any example for this scenario but
>> whithout any success.
> Create multiple 'eap {}' instances (one for TLS and one for PEAP; get
> these working in isolation *first*) and call then depending on when you
> need them.

Yes, this was glue hint :)

> Cheers

Thank you!


More information about the Freeradius-Users mailing list