VLAN Assignment with RADIUS
Brian Candler
b.candler at pobox.com
Thu Dec 22 21:08:16 CET 2016
On 22/12/2016 15:35, Valentin Heidelberger wrote:
> I am trying to do the following with RADIUS
>
> There is 1 AP with 2 SSIDs - let's call them "B" and "P"
>
> I want RADIUS to assign VLAN20 to "P" and VLAN40 to "B"

What kind of access point? Most access points that I know of will let
you statically assign different SSIDs to different VLANs.

> I have found no other method online than configuring static users in the
> users file with VLANs assigned to them. In my setup users are
> authenticated with LDAP. Do I really have to assign every single user
> the VLAN or is there a simpler way like assigning the VLAN to a virtual
> server running on a different port or something focussed on the SSIDs?

Well you *could* point the two SSIDs to two different radius servers (or
radius server ports).

But it would probably be simpler to run a single RADIUS server, then you
have to look at some attribute in the *request* packet which lets you
determine which SSID the user is connecting to.

For example, here's what an Access-Request for a Unifi access point
looks like:

    Thu Dec 22 17:17:52 2016
        Packet-Type = Access-Request
        User-Name = "brian.candler"
        NAS-IP-Address = 10.15.0.22
        NAS-Identifier = "24a43cxxxxxx"
        NAS-Port = 0
        Called-Station-Id = "24-A4-3C-xx-xx-xx:My SSID"
        Calling-Station-Id = "F8-E0-79-xx-xx-xx"
        Framed-MTU = 1400
        NAS-Port-Type = Wireless-802.11
        Connect-Info = "CONNECT 0Mbps 802.11b"
        EAP-Message = 0x....
        State = 0x....
        Message-Authenticator = 0x....
        Event-Timestamp = "Dec 22 2016 17:17:52 UTC"
        Timestamp = 1482427072

So *for this particular type of device* you can match on Called-Station-Id:

    if (&Called-Station-Id =~ /:SSID P$/) {
        # SSID "P": place the client in VLAN 20
        update reply {
            &Tunnel-Type := VLAN
            &Tunnel-Medium-Type = IEEE-802
            &Tunnel-Private-Group-Id = "20"
        }
    }
    elsif (&Called-Station-Id =~ /:SSID B$/) {
        # SSID "B": place the client in VLAN 40
        update reply {
            &Tunnel-Type := VLAN
            &Tunnel-Medium-Type = IEEE-802
            &Tunnel-Private-Group-Id = "40"
        }
    }

Your access points may be different.
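
Added example, not part of the original post and not FreeRADIUS code: a stand-alone Python check of the SSID-to-VLAN mapping for the Called-Station-Id format shown above ("BSSID:SSID"). It compares the whole SSID exactly, so an SSID that merely ends in the same text (for example "Lab:P") gets no VLAN. The SSID names "P" and "B", the function names and the sample values are assumptions constructed for illustration.

```python
import re

# Assumed mapping, taken from the question: SSID "P" -> VLAN 20, SSID "B" -> VLAN 40.
SSID_VLANS = {"P": "20", "B": "40"}

# BSSID part as sent by the access point in the post: six hex octets joined by "-".
_BSSID = re.compile(r"(?:[0-9A-Fa-f]{2}-){5}[0-9A-Fa-f]{2}")


def split_called_station_id(value):
    """Split "BSSID:SSID" at the first colon; return None if the BSSID part is malformed."""
    bssid, sep, ssid = value.partition(":")
    if not sep or not _BSSID.fullmatch(bssid):
        return None
    return bssid.upper(), ssid  # the SSID may itself contain colons


def vlan_reply(called_station_id, mapping=SSID_VLANS):
    """Return the three tunnel reply attributes for a known SSID, else None."""
    parsed = split_called_station_id(called_station_id)
    if parsed is None:
        return None
    vlan = mapping.get(parsed[1])  # exact, case-sensitive SSID comparison
    if vlan is None:
        return None  # unknown SSID: assign no VLAN rather than guess
    return {
        "Tunnel-Type": "VLAN",
        "Tunnel-Medium-Type": "IEEE-802",
        "Tunnel-Private-Group-Id": vlan,
    }


if __name__ == "__main__":
    # Constructed sample values, not captured traffic.
    for sample in (
        "24-A4-3C-00-00-01:P",
        "24-A4-3C-00-00-01:B",
        "24-A4-3C-00-00-01:Lab:P",  # ends in ":P" but is a different SSID
        "24A43C000001",  # no SSID part at all
    ):
        print(f"{sample!r:32} -> {vlan_reply(sample)}")
```
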