Re: FR virtual server question and EAP configuration

2010-07-25 Thread Michal Bruncko

Hi

On 16. 7. 2010 10:12, Alexander Clouter wrote:

> Michal Bruncko michal.brun...@gmail.com wrote:
>
>> I am using FR with WPA2-Enterprise authentication in a Wifi environment
>> with this scheme:
>>
>> SSID 1 \
>> SSID 2 --- AP -- Trunk -- Router - FreeRadius
>> SSID 3 /
>>
>> My goal is to configure different security for different SSIDs through
>> one freeradius with the virtual server feature.
>>
>> My first question is, if it's possible to have different FR server
>> configuration per SSID on a single Access Point? The AP has its IP address
>> from a specific management VLAN (different from any SSID X VLAN). I know
>> that on the freeradius side the configuration can be separated by client IP
>> address, but in my scenario the IP of the radius client is the same for every
>> VLAN/SSID; the only distinguishing part in the communication is
>> Called-Station-Id in the Access-Request, with the form: radio-mac:ssid.
>
> That's down to your NAS configuration, if your AP (or wireless
> controller) will let you use a different set of RADIUS servers for each
> SSID then you are in luck.

Yes, I am using a Cisco WAP4410N which supports this feature.

> The solutions I prefer, if I was doing this, either:
>   * one SSID, and depending on the type of authentication used, use that
>     to pick the VLAN the user is dropped into

I am afraid that VLAN membership per client on a single SSID is not
supported in this model, but it is a good idea and I have heard about this
only with the 802.1X model in LAN, not with WLAN.

>   * with our infernal Cisco WLC, it does include attributes in all the
>     Access-Request packets telling you which SSID the user is
>     connecting to, you could use this with FreeRADIUS's unlang to
>     call a different EAP instance depending on what you want
>
> I personally would opt for the first method (as then your FreeRADIUS and
> 802.1X logic is identical for *wired* connectivity), however you might
> have Layer-8 reasons for wanting to go with the multiple SSID approach
> instead.
>
>> Ok, next question which is related a bit to the previous one. I have
>> presumed that freeradius cannot distinguish between requests from
>> different SSIDs, so I have configured a different IP address of the Radius
>> server per SSID configuration on the AP, and all IP addresses point to a
>> single radius server, and I want to use one virtual server per listen IP
>> address. But how should I tell the FR server which EAP configuration
>> must apply to which virtual server?
>
> If you have convinced yourself you need to go with the multiple SSID
> approach, add the following (*untested*) to 'policy.conf':
>
> extract_ssid {
>     if (%{request:Called-Station-Id} =~ /^[0-9a-f]{2}(?:-[0-9a-f]{2}){5}:(.+)$/i) {
>         if (%{1}) {
>             update request {
>                 My-Local-Custom-SSID := %{1}
>             }
>         }
>         else {
>             noop
>         }
>     }
>     else {
>         noop
>     }
> }
>
> Now edit /etc/freeradius/dictionary for a custom string attribute for
> My-Local-Custom-SSID (or something you prefer).  Now when you call
> 'extract_ssid' from your authorize section, you get a plain attribute
> called My-Local-Custom-SSID created that has the SSID being used.

Thanks! That is exactly what I have been looking for. I have realized this in
the last two days and it is working perfectly :)

>> Example:
>> SSID 1: Security WPA2-Ent. with EAP-PEAP, for authorized mobile clients
>> SSID 2: Security WPA2-Ent. with EAP-TLS, for persistent wifi computers
>>         with installed certificates
>
> As a suggestion from experience, unless you actually plan on having real
> world different firewalling ACLs for each SSID (or backed VLAN) then
> doing this is not going to give your organisation any benefits.

You're right, but I am integrating this scenario in a school environment,
where SSID 1 is the Campus wifi network (composed of multiple APs) for
all students and staff with internet connectivity only, and the second SSID
is the wifi network for the computer class (notebooks) without wired
connectivity, and I want to integrate those PCs with the samba domain (so,
successful wifi connection before domain login) and with specific IP
rules to our domain and file servers. I want to implement different QoS
per SSID, because on one of the APs both SSIDs are located.

>> How can I configure this situation with the FR Virtual server feature? Can I
>> simply copy, rename and modify the eap part from eap.conf to eap_2 and
>> apply it in the authorize/authenticate sections in the second virtual server?
>> Is it enough? I have been looking for any example for this scenario but
>> without any success.
>
> Create multiple 'eap {}' instances (one for TLS and one for PEAP; get
> these working in isolation *first*) and call them depending on when you
> need them.

Yes, this was the glue hint :)

> Cheers



Thank you!

bruncko
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: FR virtual server question and EAP configuration

2010-07-16 Thread Johan Meiring

On 2010/07/16 12:34 AM, Michal Bruncko wrote:

> Hello list
>
> SSID 1 \
> SSID 2 --- AP -- Trunk -- Router - FreeRadius
> SSID 3 /
>
> My goal is to configure different security for different SSIDs through
> one freeradius with the virtual server feature.

This is possible, but with ONE virtual server.

> My first question is, if it's possible to have different FR server
> configuration per SSID on a single Access Point?

Yes.  But using ONE virtual server.

> Called-Station-Id in the Access-Request, with the form: radio-mac:ssid.

Why don't you use unlang, e.g.

(This is pseudo code!!!)

# Called-Station-Id is "radio-mac:ssid", so match on the SSID suffix
if (Called-Station-Id =~ /:SSID1$/) {
    pap
    chap
}
if (Called-Station-Id =~ /:SSID2$/) {
    pap
    mschap
}

> Is it enough? I have been looking for any example for this scenario but
> without any success.

Don't do this.
Do the above.


--
Johan Meiring
Cape PC Services CC
Tel: (021) 883-8271
Fax: (021) 886-7782



Re: FR virtual server question and EAP configuration

2010-07-16 Thread Alexander Clouter
Michal Bruncko michal.brun...@gmail.com wrote:
>
> I am using FR with WPA2-Enterprise authentication in a Wifi environment
> with this scheme:
>
> SSID 1 \
> SSID 2 --- AP -- Trunk -- Router - FreeRadius
> SSID 3 /
>
> My goal is to configure different security for different SSIDs through
> one freeradius with the virtual server feature.
>
> My first question is, if it's possible to have different FR server
> configuration per SSID on a single Access Point? The AP has its IP address
> from a specific management VLAN (different from any SSID X VLAN). I know
> that on the freeradius side the configuration can be separated by client IP
> address, but in my scenario the IP of the radius client is the same for every
> VLAN/SSID; the only distinguishing part in the communication is
> Called-Station-Id in the Access-Request, with the form: radio-mac:ssid.

That's down to your NAS configuration, if your AP (or wireless
controller) will let you use a different set of RADIUS servers for each
SSID then you are in luck.

The solutions I prefer, if I was doing this, either:
 * one SSID, and depending on the type of authentication used, use that
   to pick the VLAN the user is dropped into
 * with our infernal Cisco WLC, it does include attributes in all the
   Access-Request packets telling you which SSID the user is
   connecting to, you could use this with FreeRADIUS's unlang to
   call a different EAP instance depending on what you want

I personally would opt for the first method (as then your FreeRADIUS and
802.1X logic is identical for *wired* connectivity), however you might
have Layer-8 reasons for wanting to go with the multiple SSID approach
instead.

> Ok, next question which is related a bit to the previous one. I have
> presumed that freeradius cannot distinguish between requests from
> different SSIDs, so I have configured a different IP address of the Radius
> server per SSID configuration on the AP, and all IP addresses point to a
> single radius server, and I want to use one virtual server per listen IP
> address. But how should I tell the FR server which EAP configuration
> must apply to which virtual server?

If you have convinced yourself you need to go with the multiple SSID
approach, add the following (*untested*) to 'policy.conf':

extract_ssid {
    if (%{request:Called-Station-Id} =~ /^[0-9a-f]{2}(?:-[0-9a-f]{2}){5}:(.+)$/i) {
        if (%{1}) {
            update request {
                My-Local-Custom-SSID := %{1}
            }
        }
        else {
            noop
        }
    }
    else {
        noop
    }
}

Now edit /etc/freeradius/dictionary for a custom string attribute for
My-Local-Custom-SSID (or something you prefer).  Now when you call
'extract_ssid' from your authorize section, you get a plain attribute
called My-Local-Custom-SSID created that has the SSID being used.

> Example:
> SSID 1: Security WPA2-Ent. with EAP-PEAP, for authorized mobile clients
> SSID 2: Security WPA2-Ent. with EAP-TLS, for persistent wifi computers
>         with installed certificates

As a suggestion from experience, unless you actually plan on having real
world different firewalling ACLs for each SSID (or backed VLAN) then
doing this is not going to give your organisation any benefits.

> How can I configure this situation with the FR Virtual server feature? Can I
> simply copy, rename and modify the eap part from eap.conf to eap_2 and
> apply it in the authorize/authenticate sections in the second virtual server?
> Is it enough? I have been looking for any example for this scenario but
> without any success.

Create multiple 'eap {}' instances (one for TLS and one for PEAP; get
these working in isolation *first*) and call them depending on when you
need them.

Cheers

-- 
Alexander Clouter
.sigmonster says: Conscience is what hurts when everything else feels so good.
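As an added example (not from the thread, nor FreeRADIUS's shipped configuration), here is one way to combine Johan's single-virtual-server advice with Alexander's extract_ssid policy and the two eap instances on FreeRADIUS 2.x: the dictionary attribute, a PEAP and a TLS instance, and unlang in authorize that picks one by SSID. The attribute number 3000, the SSID names "Campus" and "Class", and the certificate paths are assumptions; the shipped default eap instance and inner-tunnel site are kept unchanged for the PEAP inner method.

```conf
# /etc/freeradius/dictionary (attribute number 3000 is an assumption)
ATTRIBUTE   My-Local-Custom-SSID    3000    string
# /etc/freeradius/policy.conf: SSID is what follows "radio-mac:" (dash-separated MAC)
extract_ssid {
    if (Called-Station-Id =~ /^[0-9a-f]{2}(?:-[0-9a-f]{2}){5}:(.+)$/i) {
        update request {
            My-Local-Custom-SSID := "%{1}"
        }
    }
}
# /etc/freeradius/eap.conf: named instances, so rlm_eap sets Auth-Type to the name
eap eap_peap {
    default_eap_type = peap
    tls {
        certificate_file = ${certdir}/server.pem
        private_key_file = ${certdir}/server.pem
    }
    peap {
        virtual_server = inner-tunnel    # inner EAP-MSCHAPv2 via the shipped inner-tunnel site
    }
}
eap eap_tls {
    default_eap_type = tls
    tls {
        certificate_file = ${certdir}/server.pem
        private_key_file = ${certdir}/server.pem
        CA_file = ${cadir}/ca.pem        # CA that issued the class notebooks' certificates
    }
}
# /etc/freeradius/sites-enabled/default: ONE virtual server, selecting the eap instance by SSID
authorize {
    extract_ssid
    if (My-Local-Custom-SSID == "Campus") {
        eap_peap {
            ok = return
        }
    }
    elsif (My-Local-Custom-SSID == "Class") {
        eap_tls {
            ok = return
        }
    }
    else {
        reject    # unknown SSID, or Called-Station-Id not in the expected format
    }
}
authenticate {
    eap_peap
    eap_tls
}
```

An AP that sends a colon-separated MAC in Called-Station-Id never matches the pattern and lands in the reject branch, which is easy to spot with `radiusd -X` before going live.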



FR virtual server question and EAP configuration

2010-07-15 Thread Michal Bruncko

Hello list

I am using FR with WPA2-Enterprise authentication in a Wifi environment
with this scheme:


SSID 1 \
SSID 2 --- AP -- Trunk -- Router - FreeRadius
SSID 3 /

My goal is to configure different security for different SSIDs through
one freeradius with the virtual server feature.


My first question is, if it's possible to have different FR server
configuration per SSID on a single Access Point? The AP has its IP address
from a specific management VLAN (different from any SSID X VLAN). I know
that on the freeradius side the configuration can be separated by client IP
address, but in my scenario the IP of the radius client is the same for every
VLAN/SSID; the only distinguishing part in the communication is
Called-Station-Id in the Access-Request, with the form: radio-mac:ssid.


Ok, next question which is related a bit to the previous one. I have
presumed that freeradius cannot distinguish between requests from
different SSIDs, so I have configured a different IP address of the Radius
server per SSID configuration on the AP, and all IP addresses point to a
single radius server, and I want to use one virtual server per listen IP
address. But how should I tell the FR server which EAP configuration
must apply to which virtual server?

Example:
SSID 1: Security WPA2-Ent. with EAP-PEAP, for authorized mobile clients
SSID 2: Security WPA2-Ent. with EAP-TLS, for persistent wifi computers
        with installed certificates


How can I configure this situation with the FR Virtual server feature? Can I
simply copy, rename and modify the eap part from eap.conf to eap_2 and
apply it in the authorize/authenticate sections in the second virtual server?
Is it enough? I have been looking for any example for this scenario but
without any success.


thanks

bruncko