Re: FR virtual server question and EAP configuration
Hi On 16. 7. 2010 10:12, Alexander Clouter wrote: Michal Brunckomichal.brun...@gmail.com wrote: I am using FR with WPA2-Enterprise autentification in Wifi environment with this scheme: SSID 1 \ SSID 2 --- AP-- Trunk -- Ruter- FreeRadius SSID 3 / My goal is to configure different security for different SSID through one freeradius with virtual server feature. My first question is, if it's possible to have different FR server configuration per SSID on single Access Point? AP have its IP address from specific managemenet VLAN (different from any SSID X VLAN). I know, that on freeradius side can be configuration separated by client IP address, but in my scenario, the IP of radius client is same for every VLAN/SSID, but the only distinguished part in communication is Called-Station-Id in Access-Request with form:radio-mac:ssid. That's down to your NAS configuration, if your AP (or wireless controller) will let you use a different set of RADIUS servers for each SSID then you are in luck. Yes, I am using Cisco WAP4410N which support this feature. The solutions I prefer. if I was doing this, either, * one SSID, and depending on the type of authentication used, use that to pick VLAN the user is dropped into I am afraid, that vlan membership per client on single SSID is not supported in this model, but it is good idea and I have hard about this only with 802.1X model in LAN, not with WLAN. * with our infernal Cisco WLC, it does include attributes in all the Access-Request packets telling you which SSID the user is connecting to, you could use this with FreeRADIUS's unlang to call a different EAP instance depending on what you want I personally would opt for the first method (as then your FreeRADIUS and 802.1X logic is identical for *wired* connectivity), however you might have Layer-8 reasons for wanting to go with the multiple SSID approach instead. Ok, next question which is related a bit to previously one. I have presumted that freeradius cannot distinguishes between requests from different SSID, so I have configured different IP address of Radius server per SSID configuration on AP and all IP addresses are pointed to single radius server and I want to use one virtual server per listen IP address. But how I should to tell FR server, which EAP configuration must apply to which virtual server? If you have convinced yourself you need to go with the multiple SSID approach, add the following (*untested*) to 'policy.conf': extract_ssid { if (%{request:Called-Station-Id} =~ /^[0-9a-f]{2}(?:-[0-9a-f]{2}){5}:(.+)$/i) if (%{1}) { update request { My-Local-Custom-SSID := %{1} } } else { noop } } else { noop } } Now edit /etc/freeradius/dictionary for a custom string attribute for My-Local-Custom-SSID (or something you prefer). Now when you call 'extract_ssid' from your authorize section, you get a plain attribute called My-Local-Custom-SSID created that has the SSID being used. Thanks! That is exactly what I have looked for. I have realize this in last two days and it is working perfectly :) Example: SSID 1: Security WPA2-Ent. with EAP-PEAP, for authorized mobile clients SSID 2: Security WPA2-Ent. with EAP-TLS, for persistent wifi computers with installed certificates As a suggestion from experience, unless you actually plan on having real world different firewalling ACL's for each SSID (or backed VLAN) then doing this is not going to give your organisation any benefits. You're right, but I am integrating this scenario in school environment, where SSID 1 is Campus wifi network (composed from multiple AP's) for all students and staff only with internet connectivity and second SSID is wifi network for computer class (notebooks) without wired connectivity and I want integrate that PC's with samba domain (so, successful wifi connection before domain login) and with specific IP rules to our domain and file servers. I want to implement differenet QoS per SSID, because in one of AP's are located both of SSID's. How can I configure this situation with FR Virtual server feature? Can I simply copy, rename and modify eap part from eap.conf to eap_2 and applying it in athorize/authenticate sections in second virtual server? It is enough? I have looking for any example for this scenario but whithout any success. Create multiple 'eap {}' instances (one for TLS and one for PEAP; get these working in isolation *first*) and call then depending on when you need them. Yes, this was glue hint :) Cheers Thank you! bruncko - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: FR virtual server question and EAP configuration
On 2010/07/16 12:34 AM, Michal Bruncko wrote: Hello list SSID 1 \ SSID 2 --- AP -- Trunk -- Ruter - FreeRadius SSID 3 / My goal is to configure different security for different SSID through one freeradius with virtual server feature. This is possible, but with ONE virtual server. My first question is, if it's possible to have different FR server configuration per SSID on single Access Point? Yes. But using ONE virtual server. Called-Station-Id in Access-Request with form: radio-mac:ssid. Why dont you use unlang, e.g. (This is pseodo code!!!) if (Called-Station-Id = SSID1) { pap chap } if (Called-Station-Id = SSID2) { pap mschap } It is enough? I have looking for any example for this scenario but whithout any success. Dont do this. Do the above. -- Johan Meiring Cape PC Services CC Tel: (021) 883-8271 Fax: (021) 886-7782 - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: FR virtual server question and EAP configuration
Michal Bruncko michal.brun...@gmail.com wrote: I am using FR with WPA2-Enterprise autentification in Wifi environment with this scheme: SSID 1 \ SSID 2 --- AP -- Trunk -- Ruter - FreeRadius SSID 3 / My goal is to configure different security for different SSID through one freeradius with virtual server feature. My first question is, if it's possible to have different FR server configuration per SSID on single Access Point? AP have its IP address from specific managemenet VLAN (different from any SSID X VLAN). I know, that on freeradius side can be configuration separated by client IP address, but in my scenario, the IP of radius client is same for every VLAN/SSID, but the only distinguished part in communication is Called-Station-Id in Access-Request with form: radio-mac:ssid. That's down to your NAS configuration, if your AP (or wireless controller) will let you use a different set of RADIUS servers for each SSID then you are in luck. The solutions I prefer. if I was doing this, either, * one SSID, and depending on the type of authentication used, use that to pick VLAN the user is dropped into * with our infernal Cisco WLC, it does include attributes in all the Access-Request packets telling you which SSID the user is connecting to, you could use this with FreeRADIUS's unlang to call a different EAP instance depending on what you want I personally would opt for the first method (as then your FreeRADIUS and 802.1X logic is identical for *wired* connectivity), however you might have Layer-8 reasons for wanting to go with the multiple SSID approach instead. Ok, next question which is related a bit to previously one. I have presumted that freeradius cannot distinguishes between requests from different SSID, so I have configured different IP address of Radius server per SSID configuration on AP and all IP addresses are pointed to single radius server and I want to use one virtual server per listen IP address. But how I should to tell FR server, which EAP configuration must apply to which virtual server? If you have convinced yourself you need to go with the multiple SSID approach, add the following (*untested*) to 'policy.conf': extract_ssid { if (%{request:Called-Station-Id} =~ /^[0-9a-f]{2}(?:-[0-9a-f]{2}){5}:(.+)$/i) if (%{1}) { update request { My-Local-Custom-SSID := %{1} } } else { noop } } else { noop } } Now edit /etc/freeradius/dictionary for a custom string attribute for My-Local-Custom-SSID (or something you prefer). Now when you call 'extract_ssid' from your authorize section, you get a plain attribute called My-Local-Custom-SSID created that has the SSID being used. Example: SSID 1: Security WPA2-Ent. with EAP-PEAP, for authorized mobile clients SSID 2: Security WPA2-Ent. with EAP-TLS, for persistent wifi computers with installed certificates As a suggestion from experience, unless you actually plan on having real world different firewalling ACL's for each SSID (or backed VLAN) then doing this is not going to give your organisation any benefits. How can I configure this situation with FR Virtual server feature? Can I simply copy, rename and modify eap part from eap.conf to eap_2 and applying it in athorize/authenticate sections in second virtual server? It is enough? I have looking for any example for this scenario but whithout any success. Create multiple 'eap {}' instances (one for TLS and one for PEAP; get these working in isolation *first*) and call then depending on when you need them. Cheers -- Alexander Clouter .sigmonster says: Conscience is what hurts when everything else feels so good. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
FR virtual server question and EAP configuration
Hello list I am using FR with WPA2-Enterprise autentification in Wifi environment with this scheme: SSID 1 \ SSID 2 --- AP -- Trunk -- Ruter - FreeRadius SSID 3 / My goal is to configure different security for different SSID through one freeradius with virtual server feature. My first question is, if it's possible to have different FR server configuration per SSID on single Access Point? AP have its IP address from specific managemenet VLAN (different from any SSID X VLAN). I know, that on freeradius side can be configuration separated by client IP address, but in my scenario, the IP of radius client is same for every VLAN/SSID, but the only distinguished part in communication is Called-Station-Id in Access-Request with form: radio-mac:ssid. Ok, next question which is related a bit to previously one. I have presumted that freeradius cannot distinguishes between requests from different SSID, so I have configured different IP address of Radius server per SSID configuration on AP and all IP addresses are pointed to single radius server and I want to use one virtual server per listen IP address. But how I should to tell FR server, which EAP configuration must apply to which virtual server? Example: SSID 1: Security WPA2-Ent. with EAP-PEAP, for authorized mobile clients SSID 2: Security WPA2-Ent. with EAP-TLS, for persistent wifi computers with installed certificates How can I configure this situation with FR Virtual server feature? Can I simply copy, rename and modify eap part from eap.conf to eap_2 and applying it in athorize/authenticate sections in second virtual server? It is enough? I have looking for any example for this scenario but whithout any success. thanks bruncko - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html