Yet another multiple SSID setup question
Alexander Clouter
alex at digriz.org.uk
Tue Jul 12 08:17:25 CEST 2011
Nick Kartsioukas <lists.freeradius at change.nightwind.net> wrote:
>
> Okay...let's say I have an SSID for students and an SSID for staff.
> Students authenticate against LDAP, which stores passwords as salted
> SHA1 hashes. Staff authenticate against Windows ActiveDirectory.
> I've found where the WLC sends the SSID to FreeRADIUS, so I can get at
> that. My question is, how do I set up the EAP-TTLS/PAP session for the
> Student SSID and the separate PEAP/MSCHAPv2 session for the Staff SSID?
> Are these configured as different virtual servers? Or just different
> modules that I call from the users file like so:
> DEFAULT Auth-Type := student_module, Called-Station-SSID := "student"
> DEFAULT Auth-Type := staff_module, Called-Station-SSID := "staff"
>
Just duplicate what you see in eap.conf to look something like:
----
eap EAP_student {
	# set this to peap for staff
	default_eap_type = ttls
	timer_expire = 60
	ignore_unknown_eap_types = no
	max_sessions = 4096

	tls {
		certdir = ${confdir}/certs
		cadir = ${confdir}/certs
		private_key_password = ${local.cert.password}
		private_key_file = ${certdir}/server.key
		certificate_file = ${certdir}/server.pem
		dh_file = ${certdir}/dh
		random_file = /dev/urandom
		cipher_list = "AES:HIGH:!aNULL:!eNULL:@STRENGTH"
	}

	ttls {
		default_eap_type = md5
		copy_request_to_tunnel = no
		use_tunneled_reply = yes
		virtual_server = "auth"
	}

	# comment 'ttls' and uncomment following for staff
	#peap {
	#	default_eap_type = mschapv2
	#	copy_request_to_tunnel = no
	#	use_tunneled_reply = yes
	#	virtual_server = "auth"
	#}
	#
	#mschapv2 {
	#	send_error = yes
	#}
}

eap EAP_staff {
	....
}
----
----
authorize {
	...
	if (Airespace-Wlan-Id == "student_ssid") {
		EAP_student
	}
	else {
		EAP_staff
	}
	...
}
----
Cheers
--
Alexander Clouter
.sigmonster says: Remember to say hello to your bank teller.
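
The SSID routing described in the reply above, written out for the outer virtual server as an added example (not code from the original post or from the FreeRADIUS project). It goes one step further than the reply by listing both instances in `authenticate` and by rejecting requests from a WLAN that matches neither policy. Assumptions: FreeRADIUS 2.x syntax, WLAN IDs 1 and 2 are constructed values for the student and staff WLANs, and each `eap` instance sets Auth-Type to its own instance name.

```conf
# Added example, not from the original post.
# EAP_student / EAP_staff are the two eap instances from eap.conf above.
# WLAN IDs 1 and 2 are constructed values; use the IDs your WLC sends.
authorize {
	preprocess

	# Choose the EAP instance from the WLAN the controller reports.
	if (Airespace-Wlan-Id == 1) {
		EAP_student {
			ok = return
		}
	}
	elsif (Airespace-Wlan-Id == 2) {
		EAP_staff {
			ok = return
		}
	}
	else {
		# Unknown or missing WLAN ID: do not fall through to
		# either EAP policy.
		reject
	}
}

authenticate {
	# One entry per instance, so the Auth-Type chosen in authorize
	# (assumed to equal the instance name) resolves to the same
	# instance that started the EAP conversation.
	EAP_student
	EAP_staff
}
```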