Yet another multiple SSID setup question

James J J Hooper jjj.hooper at
Tue Jul 12 09:11:53 CEST 2011

On 12/07/2011 02:50, Nick Kartsioukas wrote:
> I've been looking through the wiki and staring at the config files and
> I'm...confused.
> I've successfully gotten our Cisco WLC to authenticate against
> ActiveDirectory as well as a Sun LDAP server (just one at a time) via
> FreeRADIUS for a single test SSID, but now I'm trying to figure out how
> to split that into conditional checks.  Before I go chopping up the
> existing config files and making a horrible mess of things, I wanted to
> verify a few things with the wisdom of the list.
> Okay...let's say I have an SSID for students and an SSID for staff.
> Students authenticate against LDAP, which stores passwords as salted
> SHA1 hashes.  Staff authenticate against Windows ActiveDirectory.
> I've found where the WLC sends the SSID to FreeRADIUS, so I can get at
> that.  My question is, how do I set up the EAP-TTLS/PAP session for the
> Student SSID and the separate PEAP/MSCHAPv2 session for the Staff SSID?
> Are these configured as different virtual servers?  Or just different
> modules that I call from the users file like so:
> DEFAULT Auth-Type := student_module, Called-Station-SSID := "student"
> DEFAULT Auth-Type := staff_module, Called-Station-SSID := "staff"
> If so how do I set that up, as that would be two different eap.conf
> setups (wouldn't it)?  Am I missing something obvious in the docs?
> Thanks for taking the time to help me out!

If they are different SSIDs on the Cisco WLC, you should be able to assign 
different radius servers for each SSID. Do that, e.g:
ssid1 ->
ssid2 ->

Then use a different FreeRADIUS virtual server to handle each (i.e. on 
virtual server listening on port 1812 , and one listening on port 1812).

This way you can keep the intricacies of each separate.


More information about the Freeradius-Users mailing list