Nick Kartsioukas <lists.freerad...@change.nightwind.net> wrote:
> 
> Thanks for the hints!  I think I've got my eap.conf set up as I need it.
> After some errors from freeradius and further document exploration, it
> looks like what I need for the authorize section is this:
>        rewrite_called_station_id
> 
>        if(Called-Station-Ssid == "staff") {
>                mschap_staff
>        }
>        if(Called-Station-Ssid == "lab") {
>                mschap_lab
>        }
>        if(Called-Station-Ssid == "student_wpa") {
>                ldap
>        }
>        if(Called-Station-Ssid == "student") {
>                ldap
>        }
>
I would *strongly* recommend you run just one SSID and use VLAN 
assignment in post-auth to 
----
post-auth {
  ...

  # defaults
  update reply {
    Tunnel-Type := VLAN
    Tunnel-Medium-Type := IEEE-802
    Tunnel-Private-Group-Id := "unauthorised"

    Termination-Action := RADIUS-Request
    Session-Timeout := 300

    Acct-Interim-Interval := 3600
  }

  if (Ldap-Group == foobar) {
    update reply {
      Tunnel-Private-Group-Id := "staff"
    }
  }
  else {
    ...
  }
}
----

The huge advantage is that *every* user at your organisation can follow 
the same instructions to connect to the wireless (and wired) network.  
It is also then trivial to put in 'eduroam'; if you use 'eduroam' from 
day one (*strongly* recommended to avoid pain down the road). 

Cheers

-- 
Alexander Clouter
.sigmonster says: Youth is the trustee of posterity.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
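
A check for the fail-closed VLAN default described in the reply above, as an added example that is not part of the original message or of FreeRADIUS: it scans captured reply packets and flags any Access-Accept that lacks the three tunnel attributes or names a VLAN outside an expected set. The input layout ("Received <type>" header followed by indented attribute lines), the sample packets and the function names are assumptions constructed for illustration.

```python
import re

# Constructed sample: one "Received <type>" header per reply packet,
# followed by indented "Attribute = value" lines (assumed layout).
SAMPLE = """\
Received Access-Accept Id 1
\tTunnel-Type:0 = VLAN
\tTunnel-Medium-Type:0 = IEEE-802
\tTunnel-Private-Group-Id:0 = "staff"
Received Access-Accept Id 2
\tTunnel-Type:0 = VLAN
\tTunnel-Medium-Type:0 = IEEE-802
\tTunnel-Private-Group-Id:0 = "unauthorised"
Received Access-Accept Id 3
\tSession-Timeout = 300
Received Access-Reject Id 4
"""

REQUIRED = {"Tunnel-Type": "VLAN", "Tunnel-Medium-Type": "IEEE-802"}
HEAD = re.compile(r'^Received (Access-\w+)')
# Attribute name, optional ":<tag>", "=" or ":=", optionally quoted value.
ATTR = re.compile(r'^\s+([A-Za-z0-9-]+)(?::\d+)?\s*:?=\s*"?([^"]*)"?\s*$')

def parse_replies(text):
    """Return a list of (packet_type, {attribute: value}) per reply packet."""
    replies = []
    for line in text.splitlines():
        head = HEAD.match(line)
        attr = ATTR.match(line)
        if head:
            replies.append((head.group(1), {}))
        elif attr and replies:
            replies[-1][1][attr.group(1)] = attr.group(2).strip()
    return replies

def check_vlan(replies, allowed_vlans):
    """Return (packet_index, problem) for each Access-Accept without a valid VLAN."""
    problems = []
    for i, (ptype, attrs) in enumerate(replies):
        if ptype != "Access-Accept":
            continue  # only accepted sessions get a port/VLAN
        for name, want in REQUIRED.items():
            if attrs.get(name) != want:
                problems.append((i, f"{name} is {attrs.get(name)!r}, expected {want!r}"))
        vlan = attrs.get("Tunnel-Private-Group-Id")
        if vlan is None:
            problems.append((i, "no Tunnel-Private-Group-Id in Access-Accept"))
        elif vlan not in allowed_vlans:
            problems.append((i, f"unexpected VLAN {vlan!r}"))
    return problems
```

An Access-Accept flagged here would leave VLAN placement to whatever the access point or switch does by default, rather than to the "unauthorised" default set in post-auth.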
