Per-user authorization and Wifi ? Not Possible ?

2005-05-18 Thread Mathieu Benard
Hello, here is my question:
In theory, it is possible for a NAS to honor and send a lot of RADIUS 
and VSA attributes, to permit precise per-user authorization tuning 
(for example per-user ACL, with Filter-Id or VSA...). But in the case 
where the NAS is an Access-Point, is it possible to manage authorization 
like this too?

I'm working on a Cisco Aironet 1200, and in the doc they said that it's 
possible to use per-user authorization for administrative users of the 
access-point, but they say nothing about normal users (i.e. Wifi users), 
and the listed supported RADIUS attributes do not include the ones 
needed to do that.

Are there AAA limitations with Wifi?
Is it impossible to use the RADIUS authorization features in the wireless 
domain (maybe the problem is that an AP is more a layer-2 equipment)?
Maybe some access points can do that and some others can't?

Thanks in advance
--
Mafioo
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: Per-user authorization and Wifi ? Not Possible ?

2005-05-18 Thread Guy Davies
Hi,

This is entirely dependent upon the NAS.  Some vendors' NASes provide
great flexibility in per-user authorization while others provide very
limited functionality beyond a simple permit/reject.  IIRC, the Cisco
Aironet 1200 relies (or at least used to rely) on the SSID selected by
the user to identify the VLAN to which the user should be connected.
Also, Cisco's VSAs use a totally bizarre format that provides them with
extensibility beyond the 255 attributes per VendorID.  They are usually
of the form Cisco-VSA=Sub-Attribute=value.  Other vendors use VSAs to
specify the VLAN in the RADIUS-response.

There are no inherent limitations associated with WiFi, that I know of.

Regards,

Guy
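
To check which per-user authorization attributes a RADIUS reply actually carries for a wireless user, the attribute bytes can be decoded directly. The following is an added example, not code from the thread or from FreeRADIUS: it extracts Filter-Id (attribute 11) and Cisco "name=value" pairs (Vendor-Specific, vendor 9, vendor type 1). The helper names and the sample values are assumptions made for illustration.

```python
import struct

FILTER_ID = 11          # RFC 2865 Filter-Id
VENDOR_SPECIFIC = 26    # RFC 2865 Vendor-Specific
CISCO_VENDOR_ID = 9     # Cisco's IANA enterprise number
CISCO_AVPAIR = 1        # Cisco vendor type 1: a "name=value" string


def tlv(attr_type, value):
    """Encode one type/length/value attribute (length counts the 2-byte header)."""
    return bytes([attr_type, len(value) + 2]) + value


def cisco_avpair(text):
    """Wrap 'name=value' in a Vendor-Specific attribute for vendor 9."""
    inner = tlv(CISCO_AVPAIR, text.encode())
    return tlv(VENDOR_SPECIFIC, struct.pack("!I", CISCO_VENDOR_ID) + inner)


def parse_authorization(attrs):
    """Return (filter_ids, avpairs) found in the attribute bytes of a reply."""
    filter_ids, avpairs = [], {}
    pos = 0
    while pos < len(attrs):
        if pos + 2 > len(attrs):
            raise ValueError("truncated attribute header")
        attr_type, length = attrs[pos], attrs[pos + 1]
        if length < 2 or pos + length > len(attrs):
            raise ValueError("bad attribute length")
        value = attrs[pos + 2:pos + length]
        if attr_type == FILTER_ID:
            filter_ids.append(value.decode())
        elif attr_type == VENDOR_SPECIFIC and len(value) >= 6:
            vendor_id = struct.unpack("!I", value[:4])[0]
            sub_type, sub_len = value[4], value[5]
            is_avpair = vendor_id == CISCO_VENDOR_ID and sub_type == CISCO_AVPAIR
            if is_avpair and 2 <= sub_len <= len(value) - 4:
                name, _, val = value[6:4 + sub_len].decode().partition("=")
                avpairs.setdefault(name, []).append(val)
        pos += length   # attributes from other vendors are skipped
    return filter_ids, avpairs


# Constructed attribute bytes: the filter name and the pair are sample values.
SAMPLE = tlv(FILTER_ID, b"guest-acl") + cisco_avpair("sample-attribute=sample-value")
```
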
