Serving multiple groups of users

A.L.M.Buxey at lboro.ac.uk A.L.M.Buxey at lboro.ac.uk
Mon Aug 18 00:24:29 CEST 2014


Hi,

> This is my use case. I have 2 dept: A & B. I want to provide WPA2-Enterprise
> to both dept A & B, who have different groups of end users. But I do not
> want them to mix, i.e.
> 
> If an end user from dept A tries to connect to a Wifi AP that belongs to dept
> A, the authentication would be successful.
> If an end user from dept A tries to connect to a Wifi AP that belongs to dept
> B, the authentication would fail.

yes, this is very common

> I can create 2 virtual servers and point the group of Wifi AP from Dept A to
> virtual server 1 and dept B to Virtual Server 2. But how would the virtual
> server know which authentication to allow and which to block? From what I
> understand, the 2 virtual servers will share the same sql module. That is my
> dilemma.

errr. nope. they can have totally different logic - and you need to look
at named instances of e.g. the SQL module - you've just got sql - you can have
'groupA-sql' and 'groupB-sql' each looking at a different database

> Method 1. Taking advantage of the fact that all wifi AP of a dept will point
> to a particular virtual server, I modify the authorize_check_query to use
> the listening address/port of the virtual server as a selection criteria

in fact, you don't need to listen on different ports - use the 'virtual_server'
directive in clients.conf so requests from those APs (based on IP address)
go to a different virtual server.

alan
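
The layout described in the reply above, written out as an added configuration example; it is not taken from the thread or from FreeRADIUS's shipped files. It assumes the FreeRADIUS 3.x file layout and a MySQL backend, and the client names, address ranges, secrets, database names and server names are constructed placeholders.

```conf
# clients.conf: route each department's APs by source address.
# Address ranges and secrets are constructed placeholders.
client deptA-aps {
    ipaddr = 192.0.2.0/24
    secret = REPLACE_WITH_DEPT_A_SECRET
    virtual_server = deptA      # requests from these APs only reach server deptA
}
client deptB-aps {
    ipaddr = 198.51.100.0/24
    secret = REPLACE_WITH_DEPT_B_SECRET
    virtual_server = deptB
}

# mods-enabled/: two named instances of the sql module, one database each.
# Only the lines that differ are shown; the remaining options (credentials,
# table names, pool, queries include) are assumed to be copied unchanged
# from the stock mods-available/sql.
sql groupA-sql {
    driver = "rlm_sql_mysql"
    dialect = "mysql"
    radius_db = "radius_deptA"  # holds dept A users only
}
sql groupB-sql {
    driver = "rlm_sql_mysql"
    dialect = "mysql"
    radius_db = "radius_deptB"  # holds dept B users only
}

# sites-enabled/: each virtual server calls only its own sql instance,
# so a dept A user arriving through a dept B AP is not found and is rejected.
server deptA {
    authorize {
        preprocess
        groupA-sql
        eap
    }
    authenticate {
        eap
    }
}
server deptB {
    authorize {
        preprocess
        groupB-sql
        eap
    }
    authenticate {
        eap
    }
}
```

With tunnelled methods such as PEAP or TTLS, the password lookup runs in the inner virtual server named in the eap module, so that inner server must call the matching sql instance as well, for example through a per-department eap instance and inner server.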

