Matt,

It seems that either way (802.1x or Web based authentication) you have to block between authentication and authorization. Return the LDAP status field (student/fac/staff), and if source is Faculty subnet and status field is Student > deny

With 802.1x, in the Radiator Radius server, I can check the originating SSID then introduce a condition (PERL script!) in my config that matches SSID and LDAP fields.
(don't count on IP addresses with 802.1x...it's a layer 2 protocol!)

With a Web front end, you know the originating IP address (GetIP!); compare it to the LDAP field that you care about.

Philippe Hanset
University of Tennessee

On Thu, 9 Nov 2006, Matt Ashfield wrote:

> For those of you who are using multiple SSIDs, how are you ensuring
> that the clients connect to the same one?
>
> For example, if we were to do 2 SSIDs, one for staff, one for students,
> we'd have to find a way that would prevent students from connecting to the
> staff ssid and vice-versa, because they'd be authenticating against the same
> LDAP database (ie, same field names).
>
> Cheers
>
> Matt
> [EMAIL PROTECTED]
>
>
> -----Original Message-----
> From: Stan Brooks [mailto:[EMAIL PROTECTED]
> Sent: November 7, 2006 4:15 PM
> To: [email protected]
> Subject: Re: [WIRELESS-LAN] How many SSID's?
>
> Tom,
>
> Running multiple SSIDs will eat some channel bandwidth. Each SSID will
> beacon around 10 times a second, so 6 SSIDs means 60 beacons a second.
>
> Also, most clients behave badly when different SSIDs share the same
> BSSID (wireless MAC of the AP), so make sure your vendor supports
> multiple BSSIDs. This is usually limited by the underlying wireless
> chipset. Our vendor, Aruba, supports 8 BSSIDs/radio. I prefer to limit
> the number of SSIDs to a smaller number than our hard limit of 8 - 4 to
> 5 SSIDs at any one AP (but I am getting some pressure to address some
> "one-off" networks in some areas).
>
> In looking over your list, I would suggest combining the VPN and guest
> SSIDs as both are open access, and your VPN server is probably reachable
> through whatever guest firewall rules you've applied.
>
> We've not addressed the appliances like TiVo or game consoles for
> wireless access - they are "not supported at this time". A separate
> SSID is an interesting way to handle those devices.
>
> All of our authenticated users are coming in via WPA/802.1x or VPN (from
> our guest SSID). We haven't signed up for EduRoam, so we support
> visiting scholars through our guest SSID - they just have to VPN to
> their home school or organization.
>
> Additionally, we have a separate wireless network for our Healthcare
> organization (3+ hospitals, etc) which has a WPA/802.1x SSID as well as
> guest access SSID and Wireless VoIP SSID. We are investigating the
> ramifications of merging the two networks together into a single managed
> network.
>
> >>-> Stan Brooks - CWNA/CWSP
> Emory University
> Network Communications Division
> 404.727.0226
> [EMAIL PROTECTED]
> AIM: WLANstan Yahoo!: WLANstan MSN: [EMAIL PROTECTED]
>
>
> -------- Original Message --------
> From: Tom Zeller
> Date: 11/7/2006 12:12 PM
>
> > I am also thinking about using multiple SSIDs and I'm wondering how
> > significant the overhead is. Without working too hard I can think of 6
> > distinct networks:
> >
> > 1. Legacy VPN-protected
> > 2. 802.1x
> > 3. Guest
> > 4. EduRoam
> >    (Travelling scholars can use their home RADIUS server to use WiFi)
> > 5. Ad Hoc local department network with legit special need (Health Center?)
> > 6. Appliances - for Tivos, game consoles, whatever.
> >    access via mac address registration
> >    access to internet, with some blocks, but not campus
> >    perhaps access across the dorm network
> >
> >
> > Tom Zeller
> > Indiana University
> > [EMAIL PROTECTED]
> > 812-855-6214
> >
> > **********
> > Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.
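
The check described in the top reply of this thread (authenticate first, then compare the LDAP status field with where the client is connecting from), sketched as an added example that is not part of the original messages and is not Radiator configuration. The SSID names, subnets and function names are hypothetical, and the 802.1x path assumes the access point sends the SSID in the RADIUS Called-Station-Id attribute in the RFC 3580 `AP-MAC:SSID` form.

```python
import ipaddress

# Constructed policy tables (assumptions): LDAP status values allowed per SSID / subnet.
SSID_POLICY = {"staff-wlan": {"fac", "staff"}, "student-wlan": {"student"}}
SUBNET_POLICY = {
    ipaddress.ip_network("10.10.0.0/16"): {"fac", "staff"},   # faculty/staff subnet
    ipaddress.ip_network("10.20.0.0/16"): {"student"},        # student subnet
}

def _norm(status):
    """Normalise the LDAP status field; a missing value becomes ''."""
    return (status or "").strip().lower()

def ssid_from_called_station_id(value):
    """Extract the SSID from an RFC 3580 style 'AP-MAC:SSID' value, else None."""
    mac, sep, ssid = (value or "").partition(":")
    # The MAC part must be hyphen-separated, so the first ':' starts the SSID.
    if not sep or len(mac) != 17 or mac.count("-") != 5 or not ssid:
        return None
    return ssid

def authorize_dot1x(called_station_id, ldap_status):
    """802.1x path: decide on the SSID, never on an IP (layer 2, no address yet)."""
    allowed = SSID_POLICY.get(ssid_from_called_station_id(called_station_id))
    return allowed is not None and _norm(ldap_status) in allowed

def authorize_web(source_ip, ldap_status):
    """Web front end path: decide on the subnet the client's IP falls in."""
    try:
        addr = ipaddress.ip_address(source_ip)
    except ValueError:
        return False                      # unparseable source: fail closed
    for net, allowed in SUBNET_POLICY.items():
        if addr in net:
            return _norm(ldap_status) in allowed
    return False                          # unknown subnet: fail closed

if __name__ == "__main__":
    csid = "00-10-A4-23-19-C0:staff-wlan"    # constructed sample value
    print(authorize_dot1x(csid, "student"))  # student on the staff SSID
    print(authorize_web("10.10.4.7", "student"))
```

Both paths deny when the SSID, subnet or status field is missing or unknown, so a successful LDAP bind alone never grants access to either network.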
