Re: Limit access of a SSID to a certain LDAP group

2009-01-15 Thread Hans-Peter Fuchs
Hello,


Look in auth-detail; there you see the requests from your NAS.

Here is one request from our Cisco WLC (WiSM):

Thu Jan 15 06:01:06 2009
Packet-Type = Access-Request
User-Name = gschwarz
Calling-Station-Id = 00-1F-5B-D7-3D-53
Called-Station-Id = 00-16-9D-7C-6D-50:UniKoeln-802.1X
NAS-Port = 29
NAS-IP-Address = 172.20.30.4
NAS-Identifier = wism-physik-b-1
Airespace-Wlan-Id = 8
Service-Type = Framed-User
Framed-MTU = 1300
NAS-Port-Type = Wireless-802.11
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = 402
EAP-Message = 0x0202000d01677363687761727a
Message-Authenticator = 0xb782030c7bce2f43a6fb92622476c5a2
Huntgroup-Name = WISM
Stripped-User-Name = gschwarz
Realm = uni-koeln.de
SQL-User-Name = gschwarz

Here you see the SSID (UniKoeln-802.1X) and the VLAN
(Tunnel-Private-Group-Id:0 = 402).


On Thursday, 15.01.2009, at 03:33 +0100, t...@kalik.net wrote:
 Interesting, 
 I have a similar situation except that I want to authorize users from 
 one SSID with ActiveDirectory, and from the other SSID with a local
 mysql.
 
 How would I do that?
 
 
 FreeRADIUS doesn't care where the data is coming from. You have to use
 groups. AD groups will also be in Ldap-Group, while SQL groups will be in
 SQL-Group.
 
 Ivan Kalik
 Kalik Informatika ISP
 
 -
 List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- 
Kind regards

Hans-Peter Fuchs

Hans-Peter Fuchs - RRZK Room 20
Zentrum für angewandte Informatik - Universitätsweiter Service RRZK
Universität zu Köln - Phone: 0221-470-6972


Limit access of a SSID to a certain LDAP group

2009-01-14 Thread qrt

Hello,

Maybe I'm just too stupid to figure this one out, but I have been googling around for several days trying to find a solution...


I am running freeradius on Mac OS X Server.
I have a Cisco WLC running several APs with multiple SSIDs.

Everything is working fine, except:

I have not found a way to limit access of a certain SSID to a certain LDAP group.


I need to have different WLANs for different users who are in LDAP groups.
The user of group A should be able to use WLAN A but not WLAN B and so on.


How on earth do I configure this?

Does anybody have any experience with this?

Thanks

Qurt


Re: Limit access of a SSID to a certain LDAP group

2009-01-14 Thread tnt
I need to have different WLANs for different Users who are in LDAP
groups.
The user of group A should be able to use WLAN A but not WLAN B and so
on.

How on earth do I configure this?

Where is the SSID in the request? Called-Station-Id? NAS-Identifier?

DEFAULT   Ldap-Group == whatever, regex check on the attribute which
holds SSID

DEFAULT   Ldap-Group == another, same for second SSID

etc.

DEFAULT   Auth-Type := Reject (force reject on those that don't match)

You can also return group/SSID combination specific attributes there.

Ivan Kalik
Kalik Informatika ISP



Re: Limit access of a SSID to a certain LDAP group

2009-01-14 Thread qrt

Thanks.

I really appreciate your help.

Even though I understand what you are saying, I have no idea where to start looking for the SSID.


As far as I can tell, the SSID is not in the request and neither in the NAS-Identifier.


A typical log entry looks like this:

Wed Jan 14 13:03:20 2009 : Auth: Login OK: [the_user/no User-Password  
attribute] (from client Cisco 4402 port 29 cli 00-22-69-0A-46-62)


Could you clarify that or give me an example?


Thanks

Qurt


On 14.01.2009, at 14:16, t...@kalik.net wrote:


I need to have different WLANs for different Users who are in LDAP
groups.
The user of group A should be able to use WLAN A but not WLAN B and  
so

on.

How on earth do I configure this?


Where is the SSID in the request? Called-Station-Id? NAS-Identifier?

DEFAULT   Ldap-Group == whatever, regex check on the attribute which
holds SSID

DEFAULT   Ldap-Group == another, same for second SSID

etc.

DEFAULT   Auth-Type := Reject (force reject on those that don't match)

You can also return group/SSID combination specific attributes there.

Ivan Kalik
Kalik Informatika ISP


Re: Limit access of a SSID to a certain LDAP group

2009-01-14 Thread tnt
Even though I understand what you are saying, I have no idea where to
start looking for the SSID.


Access-Request packet. Do radiusd -X debug and request attributes will be
displayed.

As far as I can tell, the SSID is not in the request and neither in
the NAS-Identifier.


If it's not in the request, you can't filter by it. Read the AP
documentation to see how you can get the SSID into a RADIUS attribute.

Ivan Kalik
Kalik Informatika ISP



Re: Limit access of a SSID to a certain LDAP group

2009-01-14 Thread Damjan
 I need to have different WLANs for different Users who are in LDAP
 groups.
 The user of group A should be able to use WLAN A but not WLAN B and so
 on.
 
 How on earth do I configure this?
 
 Where is the SSID in the request? Called-Station-Id? NAS-Identifier?
 
 DEFAULT   Ldap-Group == whatever, regex check on the attribute which
 holds SSID
 
 DEFAULT   Ldap-Group == another, same for second SSID
 
 etc.
 
 DEFAULT   Auth-Type := Reject (force reject on those that don't match)

Interesting, 
I have a similar situation except that I want to authorize users from 
one SSID with ActiveDirectory, and from the other SSID with a local
mysql.

How would I do that?




-- 
damjan | дамјан
This is my jabber ID -- dam...@bagra.net.mk 
 -- not my mail address, it's a Jabber ID --^ :)

Re: Limit access of a SSID to a certain LDAP group

2009-01-14 Thread tnt
Interesting, 
I have a similar situation except that I want to authorize users from 
one SSID with ActiveDirectory, and from the other SSID with a local
mysql.

How would I do that?


FreeRADIUS doesn't care where the data is coming from. You have to use
groups. AD groups will also be in Ldap-Group, while SQL groups will be in
SQL-Group.

Ivan Kalik
Kalik Informatika ISP

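A users-file policy of the kind Ivan sketches in his first reply (one DEFAULT entry per group/SSID pair, a final DEFAULT that rejects everyone else), extended to Damjan's case of LDAP groups on one SSID and SQL groups on another. This is an added example, not configuration posted in the thread or shipped by the FreeRADIUS project. The group names wlan-a-users, wlan-b-users and guests, the SSIDs WLAN-A, WLAN-B and Guest, and the VLAN 402 are assumptions; the "AP-MAC:SSID" layout of Called-Station-Id is what the Cisco WLC request in Hans-Peter's message shows, and the syntax is that of the FreeRADIUS 2.x users file current when the thread was written.

```text
# raddb/users  (FreeRADIUS 2.x syntax; example added here, not from the thread)
#
# The Cisco WLC sends Called-Station-Id as "<AP-MAC>:<SSID>", so the SSID can be
# matched with a regex anchored on the trailing ":<SSID>".
# Entries are tried in order; the first entry whose check items all match is
# used (Fall-Through defaults to no). A user who is in the right group but on
# the wrong SSID fails that entry's checks and drops through to the final
# DEFAULT, which forces a reject.

# LDAP group wlan-a-users (assumed name) may use SSID WLAN-A only; as Ivan notes,
# SSID/group specific reply attributes can be returned here, e.g. a VLAN.
DEFAULT  Ldap-Group == "wlan-a-users", Called-Station-Id =~ ":WLAN-A$"
         Tunnel-Type = VLAN,
         Tunnel-Medium-Type = IEEE-802,
         Tunnel-Private-Group-Id = 402

# LDAP group wlan-b-users (assumed name) may use SSID WLAN-B only.
DEFAULT  Ldap-Group == "wlan-b-users", Called-Station-Id =~ ":WLAN-B$"

# Group guests (assumed name) kept in the SQL radusergroup table may use the
# Guest SSID only; SQL-Group is the comparison supplied by the sql module.
DEFAULT  SQL-Group == "guests", Called-Station-Id =~ ":Guest$"

# Anyone who matched no group/SSID pair above is rejected.
DEFAULT  Auth-Type := Reject
         Reply-Message = "Not authorised on this SSID"
```

The ldap and sql modules must be configured in the server, since they supply the Ldap-Group and SQL-Group comparisons; with PEAP or EAP-TTLS the outer identity may be anonymous, so the group check belongs in the inner-tunnel virtual server, which only sees Called-Station-Id if copy_request_to_tunnel = yes is set for that EAP type in eap.conf. Run radiusd -X and watch which DEFAULT entry each request matches before trusting the policy.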