On Mon, 2016-01-18 at 16:22 +0500, Arthur Fayzullin wrote:
> Thanks for such a good explanation! That has pointed my search.
>  I have succeeded in integrating freeradius with freeipa with the help of
> William Brown and his blog. Thanks to him :-)
> Links to related articles in his blog:
> first part: https://firstyear.id.au/entry/22
> second part: https://firstyear.id.au/entry/45
> 

Sorry, my certs are based on my IPA domain. Try these links if you don't
want to temporarily accept.

http://firstyear.id.au/entry/22
http://firstyear.id.au/entry/45

> 
> Everything works fine. Now it would be fine to define different admin
> levels for different users on different network devices.
> But anyway everything works!!! Thanks to all!

With the setup that I have here you cannot do this. mschapv2 doesn't
let you insert vlan tags to the NAS, so as a result you can't do this.
The way that cisco access points and other vendors get around this is
that they generally have a wireless controller that does part of the
handshake separately to the NAS itself. So as a result, they CAN do
vlan assignment based on tags in the access-accept packet, but it's a
hack.

If you want to do vlan assignment without access to cisco specific
hardware, you'll need to use something that isn't eap. However, most
devices require custom profiles in these scenarios (Windows, iOS, OS X
etc). TTLS for example, cannot be configured on Windows out of the box,
and iOS / OS X require enterprise deployment profiles iirc.


You could always set up multiple SSIDs, have them each auth to a
different radius service (default, inner-tunnel ... make a new set)

Then you can have

* wifi -> inner-tunnel
* wifi-admin -> inner-tunnel-admin

You can define different authentication rules then, because you can
specify different requirements for group memberships at this point.

Hope this helps,

-- 
Sincerely,

William Brown
Software Engineer
Red Hat, Brisbane
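As an added illustration of the `wifi-admin -> inner-tunnel-admin` split William describes (this is example configuration written for this thread, not William's blog's or the FreeRADIUS project's own files), here is what a second inner virtual server for FreeRADIUS 3 could look like. The server name, the listen port, the IPA group `wifi-admins` and the SSID suffix `wifi-admin` are all assumptions; it also assumes the `ldap` module is already pointed at FreeIPA (as in the linked articles) with its `group` section configured, so that `LDAP-Group` can be compared against a group `cn`.

```unlang
# sites-available/inner-tunnel-admin  (added example, not the poster's own
# config). A copy of the stock inner-tunnel with one extra rule: the inner
# MSCHAPv2 exchange only succeeds for members of the IPA group "wifi-admins"
# (assumed name). Enable it with a symlink in sites-enabled/.
server inner-tunnel-admin {
    # Own loopback port so the server can be exercised directly with radtest
    # while debugging; the EAP modules reach it by name, not by port.
    listen {
        ipaddr = 127.0.0.1
        port = 18121      # assumed; the stock inner-tunnel uses 18120
        type = auth
    }

    authorize {
        filter_username
        mschap
        suffix
        update control {
            &Proxy-To-Realm := LOCAL
        }
        eap {
            ok = return
        }
        # ldap looks the IPA user up and (with the usual ipaNTHash mapping
        # from the linked articles) supplies the NT-Password mschap needs.
        ldap
        expiration
        logintime
    }

    authenticate {
        Auth-Type MS-CHAP {
            mschap
        }
        eap
    }

    post-auth {
        # 1. Defence in depth: this inner server must only be reached via the
        #    "wifi-admin" SSID. Most APs send Called-Station-Id as
        #    "<AP-MAC>:<SSID>", so check the suffix on the OUTER request.
        if (!(&outer.request:Called-Station-Id =~ /:wifi-admin$/)) {
            reject
        }

        # 2. Group gate: LDAP-Group is resolved by the ldap module against
        #    the user's group membership in FreeIPA. Anyone who can
        #    authenticate but is not in wifi-admins is rejected here.
        if (!(LDAP-Group == "wifi-admins")) {
            reject
        }

        Post-Auth-Type REJECT {
            attr_filter.access_reject
        }
    }
}
```

Reaching this server needs a matching outer-side route: a second `eap` module instance (with its own `tls-config` block) whose `peap` / `ttls` sections set `virtual_server = "inner-tunnel-admin"`, selected in the `default` server's `authorize` section by matching `&Called-Station-Id` against the SSID suffix, plus the corresponding `Auth-Type` entry in `authenticate`. The ordinary SSID stays on the original `eap` instance and `inner-tunnel`, so the two group policies never share a code path and a misconfiguration on one cannot silently widen the other.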


-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
