LDAP authentication filter based on source SSID
Gustavo Vieira Oliveira
gustavov at sc.senai.br
Fri Jul 12 17:18:45 CEST 2013
I forgot to say that we use H-REAP so we do not authenticate it in the WLC
Atenciosamente,
Gustavo Vieira Oliveira
GETIC - Gerência de Tecnologia da Informação
SUSERV - Superintendência de Serviços Compartilhados
Sistema FIESC
Rod. Admar Gonzaga, 2765 - Itacorubi - 88034-001 - Florianópolis - SC
Fone (48) 32314699 - Ramal 44699
http://www.sistemafiesc.com.br
Em 12/07/2013 12:14, Olivier Beytrison escreveu:
> On 12.07.2013 17:03, Gustavo Vieira Oliveira wrote:
>> I need some help with RADIUS regarding Wireless authentication with
>> RADIUS + LDAP.
> Hello. which version of freeradius are you running ?
>
>> I need to check if the user has permission to connect to a specific
>> SSID, so we check a LDAP attribute for that.
> Pretty easy
>
>> By that, we need to know from which SSID the authentication is being
>> requested so we use a specific LDAP Filter to search the base and grant
>> or deny the permission.
>>
>> We tried to use two instances of RADIUS, one per SSID, but the Wireless
>> Controller doesn't seem to support it (supports only one AAA per AP).
> oh what ?
>
>> That's why i'm asking for help in case you people have some alternatives
>> or ideas to solve it.
>>
>> The setup is based on Cisco Wireless Controller 5508.
> I'm also setting up WLC-5508 right now on my side.
>
> First, the AAA servers are defined per SSID. So you can specify
> different radius servers (or simply ports) for each SSID
>
> Secondly, you can now customize the NAS-Identifier on a per SSID basis
> (at least in release 7.4)
>
> Finally, the Called-Station-Id will contain the SSID name. If you use
> the policy rewrite_called_station_id it will populate the attribute
> Called-Station-SSID with the SSID Name.
>
> So all the tools to do it easily are in your hands.
>
> Olivier
More information about the Freeradius-Users
mailing list