VLAN Assignment with RADIUS

Valentin Heidelberger heidelberger at univention.de
Fri Dec 23 14:18:41 CET 2016


Thank you very much! The replies already helped a lot.

Now I am just wondering where exactly I would have to put that one
config which was suggested:

    if (&Called-Station-Id =~ /:SSID P$/) {
        update reply {
            &Tunnel-Type := VLAN
            &Tunnel-Medium-Type = IEEE-802
            &Tunnel-Private-Group-Id = "20"
        }
    }
    elsif (&Called-Station-Id =~ /:SSID B$/) {
        update reply {
            &Tunnel-Type := VLAN
            &Tunnel-Medium-Type = IEEE-802
            &Tunnel-Private-Group-Id = "40"
        }
    }

Besides, I am wondering if someone has ever tried to do this via LDAP?
Is RADIUS capable of using an LDAP attribute to match a VLAN to a user
logging in?

Thanks again!

On 22.12.2016 21:08, Brian Candler wrote:
> On 22/12/2016 15:35, Valentin Heidelberger wrote:
>> I am trying to do the following with RADIUS
>>
>> There is 1 AP with 2 SSIDs - let's call them "B" and "P"
>>
>> I want RADIUS to assign VLAN20 to "P" and VLAN40 to "B"
> What kind of access point?  Most access points that I know of will let
> you statically assign different SSIDs to different VLANs.
>> I have found no other method online than configuring static users in the
>> users file with VLANs assigned to them. In my setup users are
>> authenticated with LDAP. Do I really have to assign every single user
>> the VLAN or is there a simpler way like assigning the VLAN to a virtual
>> server running on a different port or something focussed on the SSIDs?
> 
> Well you *could* point the two SSIDs to two different radius servers (or
> radius server ports).
> 
> But it would probably be simpler to run a single RADIUS server, then you
> have to look at some attribute in the *request* packet which lets you
> determine which SSID the user is connecting to.
> 
> For example, here's what an Access-Request for a Unifi access point
> looks like:
> 
> Thu Dec 22 17:17:52 2016
>         Packet-Type = Access-Request
>         User-Name = "brian.candler"
>         NAS-IP-Address = 10.15.0.22
>         NAS-Identifier = "24a43cxxxxxx"
>         NAS-Port = 0
>         Called-Station-Id = "24-A4-3C-xx-xx-xx:My SSID"
>         Calling-Station-Id = "F8-E0-79-xx-xx-xx"
>         Framed-MTU = 1400
>         NAS-Port-Type = Wireless-802.11
>         Connect-Info = "CONNECT 0Mbps 802.11b"
>         EAP-Message = 0x....
>         State = 0x....
>         Message-Authenticator = 0x....
>         Event-Timestamp = "Dec 22 2016 17:17:52 UTC"
>         Timestamp = 1482427072
> 
> So *for this particular type of device* you can match on Called-Station-Id:
> 
>     if (&Called-Station-Id =~ /:SSID P$/) {
>         update reply {
>             &Tunnel-Type := VLAN
>             &Tunnel-Medium-Type = IEEE-802
>             &Tunnel-Private-Group-Id = "20"
>         }
>     }
>     elsif (&Called-Station-Id =~ /:SSID B$/) {
>         update reply {
>             &Tunnel-Type := VLAN
>             &Tunnel-Medium-Type = IEEE-802
>             &Tunnel-Private-Group-Id = "40"
>         }
>     }
> 
> Your access points may be different.
> 

-- 
Valentin Heidelberger
IT Systems Integrator Apprentice

Univention Summit | 26 and 27 January 2017 | Universum | Bremen
www.univention-summit.de | www.univention-summit.com

Univention GmbH
be open.
Mary-Somerville-Str.1
28359 Bremen
Tel. : +49 421 22232-96
Fax : +49 421 22232-99

heidelberger at univention.de
http://www.univention.de

Managing Director: Peter H. Ganten
HRB 20755, Bremen District Court
Tax no.: 71-597-02876
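As an added example (not code from the thread or from FreeRADIUS), the same SSID-to-VLAN policy as the unlang block above, modelled in Python over a constructed Access-Request dump in the debug layout quoted above: it extracts the SSID from Called-Station-Id, applies the policy and builds the Tunnel-* reply, and returns nothing when the SSID is missing or not in the policy. It matches the SSID exactly after the AP MAC rather than by the suffix regex; the MAC addresses and SSID names are assumed.

```python
import re
from typing import Optional

# Constructed sample in the layout of the freeradius debug dump quoted
# above (MAC addresses made up; the SSID name is the thread's "SSID P").
SAMPLE_REQUEST = """\
Thu Dec 22 17:17:52 2016
        Packet-Type = Access-Request
        User-Name = "brian.candler"
        NAS-IP-Address = 10.15.0.22
        Called-Station-Id = "24-A4-3C-00-00-01:SSID P"
        Calling-Station-Id = "F8-E0-79-00-00-02"
        NAS-Port-Type = Wireless-802.11
"""
# SSID -> VLAN policy from the thread (assumed SSID names).
SSID_VLANS = {"SSID P": "20", "SSID B": "40"}
ATTR_RE = re.compile(r"^\s*([\w-]+)\s*=\s*(.*?)\s*$")

def parse_attrs(dump: str) -> dict:
    """Turn 'Name = value' lines of a debug dump into a dict. Quoted
    strings lose their quotes; the timestamp line has no '=' and is skipped."""
    attrs = {}
    for line in dump.splitlines():
        m = ATTR_RE.match(line)
        if not m:
            continue
        name, value = m.groups()
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        attrs[name] = value
    return attrs

def ssid_from_called_station_id(csid: str) -> Optional[str]:
    """Unifi sends '<AP MAC>:<SSID>'. The MAC uses dashes, so the first
    colon ends it; a colon inside the SSID itself is preserved."""
    _mac, sep, ssid = csid.partition(":")
    return ssid if sep else None

def vlan_reply(attrs: dict) -> Optional[dict]:
    """Reply attributes equivalent to the unlang 'update reply' blocks, or
    None when Called-Station-Id is missing or names an SSID not in policy."""
    csid = attrs.get("Called-Station-Id")
    if csid is None:
        return None
    vlan = SSID_VLANS.get(ssid_from_called_station_id(csid))
    if vlan is None:
        return None
    return {"Tunnel-Type": "VLAN", "Tunnel-Medium-Type": "IEEE-802",
            "Tunnel-Private-Group-Id": vlan}
```

Since the NAS formats Called-Station-Id itself, check the layout in your own debug output before relying on the split.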
