Serving multiple groups of users - by SSID
Alex Gregory
alex at c2company.com
Mon Aug 18 23:39:56 CEST 2014
This caught my eye regarding how I am trying to do things, and that my approach might be incorrect.
Might this practice be better than what I am trying to do with post-auth and passing the Filter-Id variable based on LDAP group?
Marcus, in his example, has different APs with certain users being able to access each. I have an AP with two SSIDs being served from it. Similar need but slightly different implementation.
I have two groups of users and two LDAP groups:
SSID - Company_Corp
with users in "ou=corp,ou=Users,dc=team,dc=company,dc=com"
and
SSID - Company_Dev
with users in "ou=dev,ou=Users,dc=team,dc=company,dc=com"
I was going to do an LDAP group match and pass that down in a variable to the Meraki to apply firewall filters. Is it better to do this with virtual servers and more than one LDAP lookup?
Could I have two LDAP modules with two virtual servers, each looking at a specific group without the sub flag enabled? Then I could just point each network at a different port for RADIUS lookups on the same host.
What is the proper way to configure this with 3.x?
Thanks,
Alex
On Aug 17, 2014, at 3:24 PM, <A.L.M.Buxey at lboro.ac.uk> <A.L.M.Buxey at lboro.ac.uk> wrote:
> Hi,
>
>> This is my use case. I have 2 dept: A & B. I want to provide WPA2-Enterprise
>> to both dept A & B, who have different groups of end users. But I do not
>> want them to mix, i.e.
>>
>> If a end user from dept A tries to connect to a Wifi AP that belongs to dept
>> A, the authentication would be successful.
>> If a end user from dept A tries to connect to a Wifi AP that belongs to dept
>> B, the authentication would fail.
>
> yes, this is very common
>
>> I can create 2 virtual servers and point the group of Wifi AP from Dept A to
>> virtual server 1 and dept B to Virtual Server 2. But how would the virtual
>> server knows which authentication to allow and which to block? From what I
>> understand, the 2 virtual servers will share the same sql module. That is my
>> dilemma.
>
> errr. nope. they can have totally different logic - and you need to look
> at named instances of eg SQL module - you've just got sql - you can have 'groupA-sql' and 'groupB-sql' each looking at a different database
>
>> Method 1. Taking advantage of the fact that all wifi AP of a dept will point
>> to a particular virtual server, I modify the authorize_check_query to use
>> the listening address/port of the virtual server as a selection criteria
>
> in fact, you don't need to listen on different ports - use the 'virtual_server'
> directive in clients.conf so requests from those APs (based on IP address)
> go to a different virtual server.
>
> alan
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
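The layout the thread is discussing, written out as an added FreeRADIUS 3.x configuration example (this is not configuration posted by Alex, Alan, or the FreeRADIUS project). It uses two named `ldap` instances, each scoped to one OU with `scope = 'one'` so a user from the other OU is simply not found and is rejected, and two virtual servers that each set the Meraki group policy via `Filter-Id`. Because the poster's single AP sends both SSIDs from the same IP, `clients.conf` alone cannot tell them apart, so the example routes by listener port, which is the alternative the poster proposed. The LDAP hostname, bind DN, secrets, AP address, group DNs, ports and policy names are assumptions and placeholders, not values from the thread.

```unlang
# --- mods-available/ldap: one instance per OU (values below are assumed) ---
ldap corp_ldap {
    server   = 'ldap.team.company.com'                # assumed hostname
    identity = 'cn=radius,dc=team,dc=company,dc=com'  # assumed bind DN
    password = 'CHANGE-ME'
    base_dn  = 'dc=team,dc=company,dc=com'
    user {
        base_dn = 'ou=corp,ou=Users,dc=team,dc=company,dc=com'
        filter  = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
        scope   = 'one'   # only direct children of ou=corp; no subtree search
    }
    group {
        base_dn = 'ou=Groups,dc=team,dc=company,dc=com'  # assumed group OU
        filter  = '(objectClass=groupOfNames)'
        membership_attribute = 'memberOf'
    }
}

ldap dev_ldap {
    server   = 'ldap.team.company.com'
    identity = 'cn=radius,dc=team,dc=company,dc=com'
    password = 'CHANGE-ME'
    base_dn  = 'dc=team,dc=company,dc=com'
    user {
        base_dn = 'ou=dev,ou=Users,dc=team,dc=company,dc=com'
        filter  = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
        scope   = 'one'
    }
    group {
        base_dn = 'ou=Groups,dc=team,dc=company,dc=com'
        filter  = '(objectClass=groupOfNames)'
        membership_attribute = 'memberOf'
    }
}

# --- clients.conf: one NAS entry; both SSIDs arrive from this address ---
client meraki_ap {
    ipaddr = 192.0.2.10          # assumed AP address
    secret = 'CHANGE-ME'
}

# --- sites-enabled/corp: Company_Corp SSID points at port 1812 ---
listen {
    type   = auth
    ipaddr = *
    port   = 1812
    virtual_server = corp        # listener, not client IP, picks the server
}
server corp {
    authorize {
        filter_username
        eap {
            ok = return          # later EAP rounds need no LDAP lookup
        }
        corp_ldap                # notfound for anyone outside ou=corp
        if (notfound) {
            reject
        }
    }
    authenticate {
        eap
        Auth-Type LDAP {
            corp_ldap
        }
    }
    post-auth {
        # assumed group DN; "Corp-Policy" is an assumed Meraki group policy name
        if (&corp_ldap-LDAP-Group == "cn=corp-wifi,ou=Groups,dc=team,dc=company,dc=com") {
            update reply {
                &Filter-Id := "Corp-Policy"
            }
        }
    }
}

# --- sites-enabled/dev: Company_Dev SSID points at port 1822 (assumed) ---
listen {
    type   = auth
    ipaddr = *
    port   = 1822
    virtual_server = dev
}
server dev {
    authorize {
        filter_username
        eap {
            ok = return
        }
        dev_ldap
        if (notfound) {
            reject
        }
    }
    authenticate {
        eap
        Auth-Type LDAP {
            dev_ldap
        }
    }
    post-auth {
        if (&dev_ldap-LDAP-Group == "cn=dev-wifi,ou=Groups,dc=team,dc=company,dc=com") {
            update reply {
                &Filter-Id := "Dev-Policy"
            }
        }
    }
}
```

Two things to check before relying on this. First, with WPA2-Enterprise the user is actually looked up inside the EAP tunnel, so the scoped `corp_ldap`/`dev_ldap` call also has to run in whichever inner-tunnel server handles the PEAP or TTLS phase; the `virtual_server` option inside the `peap {}` / `ttls {}` sections of `mods-available/eap` is where a separate inner server per SSID is chosen. Second, because a named instance registers its group attribute as `<instance>-LDAP-Group`, a comparison against plain `LDAP-Group` will silently never match when the instance is not called `ldap`, which is an easy way to end up with every user getting the same policy.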