Self Service Kiosk / Workflow to trust untrusted devices to add them to personal VLAN dynamically

Stefan Mueller stefan.mueller.83 at gmail.com
Sat Jan 1 16:59:42 CET 2022


Hi Matthew,
Thx for replying that quickly 😀, so you say it is technically feasible?
I do ask as you highlight
*There may not be much more you can do as*
*most things won't support different VLANs on WPA2-PSK.*

There is a very detailed tutorial on how to realise dynamic VLAN assignment
using MikroTik equipment and FreeRADIUS, see
https://administrator.de/tutorial/dynamische-vlan-zuweisung-fuer-wlan-u-lan-clients-mit-mikrotik-512768.html#toc-13
(it is in German).
If that is the only concern, that is not a showstopper.

The GUI could be done using a home automation system that can speak to FreeRADIUS
using its APIs, if all can be done through APIs?

sent from a fair mobile

On Sat, 1 Jan 2022, 16:22 Matthew Newton, <mcn at freeradius.org> wrote:

> On 01/01/2022 14:52, Stefan Mueller wrote:
> > Is it somehow possible to allow each resident to open a GUI and select
> > untrusted devices (devices connected to the WPA2 PSK) and just click on a
> > button to make them trusted, so their VLAN assignment will be changed,
> > means FreeRADIUS changes the following
> > Mikrotik-Wireless-VLANID := 10,
> > Mikrotik-Wireless-VLANID-Type := 0,
> > due to this *workflow* triggered by a trusted user via the GUI?
>
> Make sure your equipment can support different VLANs on the WPA2-PSK
> network somehow (that's definitely not a given)
>
> Create a database
>
> Write a GUI to update the database
>
> Possibly have something to collect information about the printers /
> devices etc on the network and add them to the database (or do this in
> the GUI)
>
> Configure FreeRADIUS upon authentication to read the database and set
> the correct attributes in the reply.
>
> The last bit is the easy bit. You'll have to write the rest yourself.
>
> Depending on the wireless equipment you'll possibly be better to add
> another SSID for the printers and then use the database to restrict
> access based on MAC address. There may not be much more you can do as
> most things won't support different VLANs on WPA2-PSK.
>
> --
> Matthew
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>
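The database-backed flow outlined in the quoted reply (a device table, a GUI action that updates it, and a lookup at authentication time that sets the reply attributes), as an added example that is not part of the original thread and is not FreeRADIUS code. The table layout, function names, resident names, sample MAC and the VLAN 99 default for unclaimed devices are assumptions; only the two Mikrotik attribute names, VLAN 10 and type 0 come from the message.

```python
import re
import sqlite3

UNTRUSTED_VLAN = 99  # assumption: VLAN for devices no resident has claimed

def norm_mac(raw):
    """Canonicalise a MAC so differently formatted spellings hit the same row."""
    digits = re.sub(r"[-:.]", "", raw.strip()).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError("not a MAC address: %r" % raw)
    return digits

def open_db():
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE residents(name TEXT PRIMARY KEY, vlan INTEGER NOT NULL);
        CREATE TABLE devices(mac TEXT PRIMARY KEY, owner TEXT REFERENCES residents(name));
    """)
    return db

def seen(db, mac):
    """Record a device that joined the PSK network; it starts without an owner."""
    db.execute("INSERT OR IGNORE INTO devices(mac, owner) VALUES (?, NULL)", (norm_mac(mac),))

def trust(db, resident, mac):
    """GUI action: a logged-in resident claims an unowned device for their own VLAN."""
    cur = db.execute(
        "UPDATE devices SET owner = ? WHERE mac = ? AND owner IS NULL "
        "AND EXISTS (SELECT 1 FROM residents WHERE name = ?)",
        (resident, norm_mac(mac), resident))
    return cur.rowcount == 1  # False: unknown device, unknown resident or already claimed

def reply_attributes(db, mac):
    """Attributes the RADIUS reply would carry for this client MAC."""
    row = db.execute(
        "SELECT r.vlan FROM devices d JOIN residents r ON r.name = d.owner WHERE d.mac = ?",
        (norm_mac(mac),)).fetchone()
    vlan = row[0] if row else UNTRUSTED_VLAN  # default to the untrusted VLAN
    return {"Mikrotik-Wireless-VLANID": vlan, "Mikrotik-Wireless-VLANID-Type": 0}

def demo():
    db = open_db()
    db.execute("INSERT INTO residents VALUES ('alice', 10), ('bob', 20)")  # constructed data
    seen(db, "AA-BB-CC-00-11-22")
    before = reply_attributes(db, "aa:bb:cc:00:11:22")
    claimed = trust(db, "alice", "aabb.cc00.1122")
    stolen = trust(db, "bob", "aa:bb:cc:00:11:22")  # second claim must not move the device
    return before, claimed, stolen, reply_attributes(db, "aa:bb:cc:00:11:22")

if __name__ == "__main__":
    print(demo())
```

The lookup key is the MAC address the client reports, so the mapping is only as strong as MAC-based identification on a shared PSK.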


More information about the Freeradius-Users mailing list