Yet another multiple SSID setup question

Jacob Dawson dawson at vt.edu
Tue Jul 12 14:55:44 CEST 2011 

Maybe your setup is different, but when we get fac/staff logging in to wireless with their Domain credentials, those have the domain prepended on the username, which makes it easy to parse those with unlang and proxy those requests to the AD servers (in our case, since our AD servers are set up to speak NTLMv2 only, we proxy the inner tunnel authentication to IAS and that sends it along.  proxy-inner-tunnel allows me to keep my wireless service certs on the FreeRADIUS server, and present only the one for everyone doing 802.1X, which makes everyone's lives easier).

-Jacob

On 11 Jul 2011, at 21:50, Nick Kartsioukas wrote:

> I've been looking through the wiki and staring at the config files and
> I'm...confused.
> I've successfully gotten our Cisco WLC to authenticate against
> ActiveDirectory as well as a Sun LDAP server (just one at a time) via
> FreeRADIUS for a single test SSID, but now I'm trying to figure out how
> to split that into conditional checks.  Before I go chopping up the
> existing config files and making a horrible mess of things, I wanted to
> verify a few things with the wisdom of the list.
> 
> Okay...let's say I have an SSID for students and an SSID for staff. 
> Students authenticate against LDAP, which stores passwords as salted
> SHA1 hashes.  Staff authenticate against Windows ActiveDirectory.
> I've found where the WLC sends the SSID to FreeRADIUS, so I can get at
> that.  My question is, how do I set up the EAP-TTLS/PAP session for the
> Student SSID and the separate PEAP/MSCHAPv2 session for the Staff SSID? 
> Are these configured as different virtual servers?  Or just different
> modules that I call from the users file like so:
> DEFAULT Auth-Type := student_module, Called-Station-SSID := "student"
> DEFAULT Auth-Type := staff_module, Called-Station-SSID := "staff"
> 
> If so how do I set that up, as that would be two different eap.conf
> setups (wouldn't it)?  Am I missing something obvious in the docs?
> Thanks for taking the time to help me out!
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

More information about the Freeradius-Users mailing list