Different authentication for Multiple SSIDs

Alan DeKok aland at deployingradius.com
Tue Apr 4 14:43:39 UTC 2023



> On Apr 4, 2023, at 8:52 AM, ChristopherNeufer Neufer via Freeradius-Users <freeradius-users at lists.freeradius.org> wrote:
> 
> Hello Together,
> Right now I'm trying to configure a RADIUS server with two different authentication methods.
> We have two SSIDs 
> 
> SSID1: WLAN-TLS
> SSID2: WLAN-TLS-MSCHAPv2
> For SSID1 only EAP-TLS should work. For SSID2, EAP-TLS and MSCHAPv2 should work.

  At a high level:

	if (SSID1 && !EAP-TLS) {
		reject
	}

	if (SSID2 && !EAP-TLS && !PEAP) {
		reject
	}

  The next step is to convert the "high level" configuration to actual "unlang".

  You can check the SSID, as the "rewrite_called_station_id" policy puts it into the Called-Station-SSID attribute.

  You can check the EAP type by looking at the EAP-Type attribute.  This is described in the "default" virtual server.

  The only remaining thing is *where* to put these checks.  The key is that EAP-Type is only available *after* the EAP module has been run, because no other module understands EAP.

  So the best place to put it is after the EAP module somewhere.  And the simplest place is in the "authenticate" section.

> I'm not sure how to get this working.
> This is my sites-enabled config:
> server default {
> listen {
>         type = auth
>         ipv4addr = 192.168.0.2
>         port = 0
>         limit {
>               max_connections = 16
>               lifetime = 0
>               idle_timeout = 30
>         }
> }

  The "limit" section isn't used for UDP listeners.  You can just delete that.

> authorize {
>         rewrite_called_station_id
>         if (Called-Station-SSID == "WLAN-TLS") {
>                 eap {
>                         ok = return
>                 }

  Move that "if" check to the "authenticate" section.

>         }
>         preprocess
>         mschap
>         suffix
>         files
>         Autz-Type New-TLS-Connection {
>                   ok
>         }

  There's no need to have a section doing nothing other than "return OK".  This Autz-Type section can be deleted.

> authenticate {
> 
>         Auth-Type MS-CHAP {
>                 mschap
>         }
> 
>         mschap

  Note that you will *never* get MS-CHAP authentications for WiFi.  PEAP will be used instead.

>         eap

  Change this to:

	Auth-Type eap {
		eap

		# SSID1: anything other than EAP-TLS is rejected
		if (Called-Station-SSID == "WLAN-TLS" && EAP-Type != EAP-TLS) {
			reject
		}

		# SSID2 (name as given in the question): EAP-TLS or PEAP is allowed,
		# everything else is rejected.  The two allowed types must be grouped
		# so that the PEAP test does not stand on its own.
		if (Called-Station-SSID == "WLAN-TLS-MSCHAPv2" && !((EAP-Type == EAP-TLS) || (EAP-Type == PEAP))) {
			reject
		}
	}


> I played around a bit with "Called-Station-SSID" but i could not get it work.

  Define "played around"....

  Randomly changing things isn't useful.  Taking a methodical approach is much better.  If you had written things out as I did at the start of the message, you could quickly identify which bits you understood well, and which bits you needed help with.

  If instead you're randomly changing things, then you're not clear on what you need to do.  So your starting point is a complete unknown, and it's much more likely you'll end up floundering, and being unable to make progress.

  Alan DeKok.
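An added example (mine, not code from the list post or the FreeRADIUS project): the two SSID rules from the thread written as a plain Python function and checked against every SSID / EAP-Type pair, which also shows why the two allowed types for the second SSID have to be grouped in parentheses. SSID names are the ones from the question; "GUEST", EAP-TTLS and MD5 are constructed extra values.

```python
# Added example, not code from the list post: model the two SSID rules from
# the thread as a plain Python function and exercise every SSID / EAP-Type
# pair, so the logic is confirmed before it is translated into unlang.
# SSID names are the ones from the question; EAP types are plain strings here.

# What each SSID is meant to allow (outer EAP type as seen by the EAP module).
SSID_POLICY = {
    "WLAN-TLS": {"EAP-TLS"},                   # SSID1: EAP-TLS only
    "WLAN-TLS-MSCHAPv2": {"EAP-TLS", "PEAP"},  # SSID2: EAP-TLS or PEAP (MSCHAPv2 runs inside PEAP)
}

def expected(ssid, eap_type):
    """Reference decision taken straight from the policy table.
    SSIDs not in the table are left alone ('ok') so other policy can handle them."""
    allowed = SSID_POLICY.get(ssid)
    if allowed is None:
        return "ok"
    return "ok" if eap_type in allowed else "reject"

def unlang_policy(ssid, eap_type, grouped=True):
    """The two reject rules written the way they appear in the unlang block.
    grouped=True groups the two allowed types for SSID2 as  A && !(B || C).
    grouped=False leaves them ungrouped as  A && !B || C, where the trailing
    '|| C' stands on its own and rejects every PEAP session on every SSID."""
    if ssid == "WLAN-TLS" and eap_type != "EAP-TLS":
        return "reject"
    a = ssid == "WLAN-TLS-MSCHAPv2"
    b = eap_type == "EAP-TLS"
    c = eap_type == "PEAP"
    if grouped:
        if a and not (b or c):
            return "reject"
    elif (a and not b) or c:
        return "reject"
    return "ok"

def mismatches(grouped):
    """(ssid, eap_type) pairs where the unlang-style rules disagree with the table.
    'GUEST' is a constructed third SSID with no rule; EAP-TTLS and MD5 are
    constructed 'other' types that neither SSID should accept."""
    ssids = list(SSID_POLICY) + ["GUEST"]
    eap_types = ["EAP-TLS", "PEAP", "EAP-TTLS", "MD5"]
    return [(s, t) for s in ssids for t in eap_types
            if unlang_policy(s, t, grouped) != expected(s, t)]

if __name__ == "__main__":
    print("grouped   :", mismatches(grouped=True))    # []
    print("ungrouped :", mismatches(grouped=False))   # PEAP wrongly rejected on SSID2 and GUEST
```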


