LDAP authentication filter based on source SSID

Olivier Beytrison olivier at heliosnet.org
Fri Jul 12 17:14:54 CEST 2013

On 12.07.2013 17:03, Gustavo Vieira Oliveira wrote:
> I need some help with RADIUS regarding Wireless authentication with

Hello. which version of freeradius are you running ?

> I need to check if the user has permission to connect to a specific
> SSID, so we check a LDAP attribute for that.

Pretty easy

> By that, we need to know from which SSID the authentication is being
> requested so we use a specific LDAP Filter to search the base and grant
> or deny the permission.
> We tried to use two instances of RADIUS, one per SSID, but the Wireless
> Controller doesn't seem to support it (supports only one AAA per AP).

oh what ?

> That's why i'm asking for help in case you people have some alternatives
> or ideas to solve it.
> The setup is based on Cisco Wireless Controller 5508.

I'm also setting up WLC-5508 right now on my side.

First, the AAA servers are defined per SSID. So you can specify
different radius servers (or simply ports) for each SSID

Secondly, you can now customize the NAS-Identifier on a per SSID basis
(at least in release 7.4)

Finally, the Called-Station-Id will contain the SSID name. If you use
the policy rewrite_called_station_id it will populate the attribute
Called-Station-SSID with the SSID Name.

So all the tools to do it easily are in your hands.


 Olivier Beytrison
 Network & Security Engineer, HES-SO Fribourg
 Mail: olivier at heliosnet.org

More information about the Freeradius-Users mailing list