Hi Joel,
I think the issue here is that the D-Link APs you have are rather
limited.
RADIUS cannot ever assign an SSID because that step occurs before the
user has authenticated. Wireless starts with an association from the user
to the AP's SSID; from there the AP decides what needs to happen.
RADIUS can affect VLANs (generally, at least in the Cisco world, with
'Tunnel-Private-Group-ID', like you mentioned) but you'll never be able
to force a user to switch SSIDs because that is client controlled.
APs map VLANs to SSIDs internally; some allow n to 1 and 1 to n
relationships, others like your D-Links only allow a direct mapping.
Basically it sounds like you are limited by the constraints of your NAS.
Joe Vieira
UNIX Systems Administrator
Clark University
Joel MBA OYONE wrote:
Alan,
I possess a device from D-Link (DWS-3024). It is a wireless switch
controller, and the documentation says that:
- One SSID has to be assigned to one VLAN on the profile.
- An access point could be configured with up to 8 different SSIDs and
it is possible to assign each SSID to its own network (below is a link
which shows you the config page) or all SSIDs to the same network.
Maybe I didn't read it correctly, so here is the link (see pages 89-90
and maybe 91 too):
ftp://ftp.dlink.fr/DWS/DWS-3024/Manuel/DWS-3000_Series_User_Manual_v2.00.pdf
I asked you stuff about SSIDs/VLANs because all my APs (about 30) will
receive the same profile, and the profile will have 3 different SSIDs
with different security access levels and networks from the wireless
switch.
For example, in the same room, associated to the same AP, students and
teachers will connect to different SSIDs coming from that same AP, and
some will have to authenticate via EAP-PEAP, others will require EAP-TLS.
This other short file explains point by point what my config is and
what I am trying to do:
ftp://ftp.dlink.fr/DWS/DWS-3024/QIG/QIG_DWS-3024_WPA2.pdf
Read it and maybe you could understand me.
regards
Joel MBA OYONE wrote:
>> No. VLAN assignment is after SSID association, and after 802.1x
>> authentication.
>
> OK, is it possible to associate in SSID_1 and be assigned to a different
> VLAN than the one we are associated in?
That doesn't make sense. SSID's aren't tied to VLANs, unless you
configure them that way.
> (example, when I am associated to
> SSID_1, which belongs to VLAN100,
No... SSID's have nothing to do with VLAN's.
> RADIUS sends me
> "Tunnel-Private-Group-ID = 200", which belongs to another SSID, what
> would happen and would the authentication process succeed?)
Read your NAS documentation to see how to do VLAN assignment, and how
it interacts with SSID's.
> - if I am assigned to another couple of SSID/VLAN than the one I am
> connected to now by RADIUS, would the authentication process restart at the
> beginning?
Stop talking about "SSID/VLAN". They are separate things.
When you do VLAN assignment with RADIUS, you do NOT need to
re-authenticate.
> - is it possible to do EAP-TLS, EAP-PEAP and EAP-MD5 without the use of
> 802.1x when RADIUS is the authentication Server for a supplicant?
What does that mean?
Alan DeKok.
-
List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html
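
Added example, not part of the thread or of FreeRADIUS: the RADIUS side of the VLAN assignment discussed above, using the attribute encodings from RFC 2868 and the VLAN values from RFC 3580. It builds and validates the Tunnel-Type / Tunnel-Medium-Type / Tunnel-Private-Group-ID triple of an Access-Accept; nothing in it names an SSID, and whether a given NAS honours the VLAN is up to the NAS. The function names are hypothetical.

```python
# RADIUS attribute numbers (RFC 2868) and the values RFC 3580 uses for VLANs.
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
VLAN, IEEE_802 = 13, 6


def encode_vlan_attrs(vlan_id, tag=0):
    """Build the attribute triple a server adds to an Access-Accept."""
    def tagged_int(attr, value):
        # type, length=6, tag byte, 3-byte big-endian value
        return bytes([attr, 6, tag]) + value.to_bytes(3, "big")
    group = str(vlan_id).encode("ascii")
    return (tagged_int(TUNNEL_TYPE, VLAN)
            + tagged_int(TUNNEL_MEDIUM_TYPE, IEEE_802)
            + bytes([TUNNEL_PRIVATE_GROUP_ID, 3 + len(group), tag]) + group)


def parse_attrs(data):
    """Yield (type, value) pairs; raise ValueError on a malformed TLV."""
    pos = 0
    while pos < len(data):
        if len(data) - pos < 2:
            raise ValueError("truncated attribute header")
        attr, length = data[pos], data[pos + 1]
        if length < 2 or pos + length > len(data):
            raise ValueError("attribute length out of range")
        yield attr, data[pos + 2:pos + length]
        pos += length


def assigned_vlan(data):
    """Return the VLAN ID only if the complete, valid triple is present."""
    seen = {}
    for attr, value in parse_attrs(data):
        if attr in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            if len(value) != 4:
                raise ValueError("tagged integer must be 4 bytes")
            seen[attr] = int.from_bytes(value[1:], "big")
        elif attr == TUNNEL_PRIVATE_GROUP_ID:
            if value and value[0] <= 0x1F:  # leading byte is a tag, not text
                value = value[1:]
            seen[attr] = value.decode("ascii")
    if seen.get(TUNNEL_TYPE) != VLAN or seen.get(TUNNEL_MEDIUM_TYPE) != IEEE_802:
        return None
    group = seen.get(TUNNEL_PRIVATE_GROUP_ID, "")
    return int(group) if group.isdigit() and 1 <= int(group) <= 4094 else None
```
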