LDAP authentication filter based on source SSID

Gustavo Vieira Oliveira gustavov at sc.senai.br
Fri Jul 12 17:18:45 CEST 2013

I forgot to say that we use H-REAP so we do not authenticate it in the WLC


Gustavo Vieira Oliveira

GETIC - Gerência de Tecnologia da Informação
SUSERV - Superintendência de Serviços Compartilhados

Sistema FIESC
Rod. Admar Gonzaga, 2765 - Itacorubi - 88034-001 - Florianópolis - SC
Fone (48) 32314699 - Ramal 44699

Em 12/07/2013 12:14, Olivier Beytrison escreveu:
> On 12.07.2013 17:03, Gustavo Vieira Oliveira wrote:
>> I need some help with RADIUS regarding Wireless authentication with
> Hello. which version of freeradius are you running ?
>> I need to check if the user has permission to connect to a specific
>> SSID, so we check a LDAP attribute for that.
> Pretty easy
>> By that, we need to know from which SSID the authentication is being
>> requested so we use a specific LDAP Filter to search the base and grant
>> or deny the permission.
>> We tried to use two instances of RADIUS, one per SSID, but the Wireless
>> Controller doesn't seem to support it (supports only one AAA per AP).
> oh what ?
>> That's why i'm asking for help in case you people have some alternatives
>> or ideas to solve it.
>> The setup is based on Cisco Wireless Controller 5508.
> I'm also setting up WLC-5508 right now on my side.
> First, the AAA servers are defined per SSID. So you can specify
> different radius servers (or simply ports) for each SSID
> Secondly, you can now customize the NAS-Identifier on a per SSID basis
> (at least in release 7.4)
> Finally, the Called-Station-Id will contain the SSID name. If you use
> the policy rewrite_called_station_id it will populate the attribute
> Called-Station-SSID with the SSID Name.
> So all the tools to do it easily are in your hands.
> Olivier

More information about the Freeradius-Users mailing list