We do exactly this with FreeRADIUS as well.  We key off of an LDAP attribute 
that distinguishes between staff and student.  It is done in the post-auth 
section of the outer tunnel virtual server (WPA2 enterprise SSID).  Because we 
allow NAC guest accounts (non-LDAP), we have a final block that will place 
those guests on a guest VLAN if that LDAP attribute doesn't exist.

  Our wireless controllers are set to honor the vlan attribute from radius 
accepts (tunnel-private-group-id) and default to a "registration" vlan if it 
doesn't exist.  That registration network gives a captive portal page (but 
users aren't supposed to ever get there for that reason).

  We even had to extend to distinguish between controller IP addresses to set 
unique VLANs because of our scale.  We had a /21 in place for students in a 
particular equipment room.  At max we had three wireless controllers in that 
room sharing the IP space, but even with 10 minute lease times we exhausted the 
supply frequently.  Now we have a /20 for students for each of those 
controllers.  4,000 IPs for students would be about 26 students per AP.  
Thankfully, we are not that dense yet, but I didn't expect us to need this much 
so soon.  Users continue to suck down what we provide; we just try not to be 
too far behind increasing capacity to match.  On a good day we increase when we 
break 75% of the capacity.

  I hope the snippet helps (I changed IPs and pvids to protect the innocent).

  Adam


post-auth {

        if ((Huntgroup-Name == "wireless") && (User-Name == Calling-Station-Id)) {
                # User-Name == Calling-Station-Id => mac filtering / open
                # wireless - allow controller to set vlan
                noop
        }
        elsif ((Huntgroup-Name == "wireless") && ("%{reply:ldapStafforStudentAttribute}" == "staff")) {
                # Wireless controller, not open wireless as above, must be WPA2
                # 802.1x call.  Set vlan id via ldap attr
                update reply {
                        Tunnel-Medium-Type = 6
                        Tunnel-Type = 13
                        # staff go to vlan 3008 on all controllers (separate IP
                        # addressing, but identical pvid in different rooms)
                        Tunnel-Private-Group-ID = "3008"
                }
        }
        elsif ((Huntgroup-Name == "wireless") && ("%{reply:ldapStafforStudentAttribute}" == "student")) {
                # Wireless controller, not open wireless as above, must be WPA2
                # 802.1x call.  Set vlan id via ldap attr, chosen per controller
                switch "%{NAS-IP-Address}" {
                        case "10.10.10.13" {
                                update reply {
                                        Tunnel-Medium-Type = 6
                                        Tunnel-Type = 13
                                        # students on the .13 controller go to vlan 3006
                                        Tunnel-Private-Group-ID = "3006"
                                }
                        }
                        case "10.10.10.17" {
                                update reply {
                                        Tunnel-Medium-Type = 6
                                        Tunnel-Type = 13
                                        # students on the .17 controller go to vlan 3007
                                        Tunnel-Private-Group-ID = "3007"
                                }
                        }
                        case {
                                # default case: no NAS-IP-Address matched above
                                update reply {
                                        Tunnel-Medium-Type = 6
                                        Tunnel-Type = 13
                                        # students on every other controller go to vlan
                                        # 3009 (we used to have the same pvid everywhere
                                        # until we needed to grow so large)
                                        Tunnel-Private-Group-ID = "3009"
                                }
                        }
                }
        }
        else {
                # Non-ldap guests (anything not matched by the branches above)
                update reply {
                        Tunnel-Medium-Type = 6
                        Tunnel-Type = 13
                        # non-ldap accounts (guests) get placed on vlan 3005 (which has
                        # router filter and firewall implications to restrict to general
                        # web browsing)
                        Tunnel-Private-Group-ID = "3005"
                }
        }
        Post-Auth-Type REJECT {
                attr_filter.access_reject
        }
}


From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:[email protected]] On Behalf Of Linchuan Yang
Sent: Monday, November 05, 2012 12:00 PM
To: [email protected]
Subject: [WIRELESS-LAN] How to separate the access privilege of staff and 
students

Dear All

Good morning. We want to separate the access privilege of staff and students by 
using the same SSID. We are using FreeRADIUS linked with Active Directory. 
Could you please explain how to do it in detail? Do we need ACS (ISE) or 
something else?

Thank you, and have a nice day.

Yours,
Linchuan Yang (Antony)
Wireless Networking Analyst
Network Assessment and Integration,
IITS-Concordia University
Tel: (514)848-2424 ext. 7664


********** Participation and subscription information for this EDUCAUSE 
Constituent Group discussion list can be found at 
http://www.educause.edu/groups/.
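The post-auth policy in Adam's reply, as an added Python model that is not part of the original thread and not FreeRADIUS code: it reimplements the if/elsif/else chain of the unlang snippet as a plain function so each branch can be exercised offline against constructed Access-Requests. The function and constant names (post_auth, vlan_reply, the *_VLAN tables, SAMPLE_REQUESTS) are assumptions of this example; the attribute names and VLAN ids are the ones in the snippet. The samples include the cases the snippet does not spell out: a request from a non-wireless huntgroup and a user whose LDAP attribute has an unexpected value, both of which fall through to the final else and land on the restricted guest VLAN.

```python
# Added example: a Python model of the post-auth VLAN policy from the FreeRADIUS
# snippet above. Not the original configuration and not FreeRADIUS code; names
# such as post_auth(), vlan_reply() and SAMPLE_REQUESTS are assumed here.

# RFC 2868 values as used in the snippet: Tunnel-Medium-Type 6 = IEEE 802,
# Tunnel-Type 13 = VLAN. A controller needs all three attributes to honour it.
TUNNEL_MEDIUM_IEEE_802 = 6
TUNNEL_TYPE_VLAN = 13

# VLAN ids exactly as they appear in the snippet (Adam notes they were changed
# before posting). The per-controller table mirrors the switch/case block.
STAFF_VLAN = "3008"
STUDENT_VLAN_BY_CONTROLLER = {"10.10.10.13": "3006", "10.10.10.17": "3007"}
STUDENT_VLAN_DEFAULT = "3009"   # the bare "case {" branch
GUEST_VLAN = "3005"             # the final "else" branch


def vlan_reply(vlan_id):
    """The three reply attributes every VLAN-assigning branch sets."""
    return {
        "Tunnel-Medium-Type": TUNNEL_MEDIUM_IEEE_802,
        "Tunnel-Type": TUNNEL_TYPE_VLAN,
        "Tunnel-Private-Group-ID": vlan_id,
    }


def post_auth(request, reply):
    """Mirror the if/elsif/else chain of the post-auth section.

    request: Access-Request attributes plus the Huntgroup-Name check item.
    reply:   attributes already in the reply list, e.g. the LDAP attribute
             copied there during authorization (what "%{reply:...}" reads).
    Returns (branch_name, attributes_added_to_reply).
    """
    wireless = request.get("Huntgroup-Name") == "wireless"
    role = reply.get("ldapStafforStudentAttribute")

    # Branch 1: MAC-filtered / open wireless; noop, the controller picks the VLAN.
    if wireless and request.get("User-Name") == request.get("Calling-Station-Id"):
        return "open-wireless", {}
    # Branch 2: 802.1X staff, same VLAN id on every controller.
    if wireless and role == "staff":
        return "staff", vlan_reply(STAFF_VLAN)
    # Branch 3: 802.1X student, VLAN chosen per controller (the switch block).
    if wireless and role == "student":
        nas = request.get("NAS-IP-Address")
        return "student", vlan_reply(STUDENT_VLAN_BY_CONTROLLER.get(nas, STUDENT_VLAN_DEFAULT))
    # Branch 4: everything else lands on the restricted guest VLAN. That covers
    # NAC guest accounts with no LDAP attribute, but also an LDAP user whose
    # attribute holds an unexpected value and any request from a non-wireless
    # huntgroup, so the policy fails toward least privilege rather than open.
    return "guest", vlan_reply(GUEST_VLAN)


# Constructed sample requests (not captured traffic), one per branch of interest.
SAMPLE_REQUESTS = [
    ("mab-printer", {"Huntgroup-Name": "wireless", "User-Name": "00-11-22-33-44-55",
                     "Calling-Station-Id": "00-11-22-33-44-55", "NAS-IP-Address": "10.10.10.13"}, {}),
    ("staff-user", {"Huntgroup-Name": "wireless", "User-Name": "asmith",
                    "Calling-Station-Id": "00-11-22-33-44-56", "NAS-IP-Address": "10.10.10.17"},
     {"ldapStafforStudentAttribute": "staff"}),
    ("student-ctrl-13", {"Huntgroup-Name": "wireless", "User-Name": "bjones",
                         "Calling-Station-Id": "00-11-22-33-44-57", "NAS-IP-Address": "10.10.10.13"},
     {"ldapStafforStudentAttribute": "student"}),
    ("student-ctrl-17", {"Huntgroup-Name": "wireless", "User-Name": "bjones",
                         "Calling-Station-Id": "00-11-22-33-44-57", "NAS-IP-Address": "10.10.10.17"},
     {"ldapStafforStudentAttribute": "student"}),
    ("student-other-ctrl", {"Huntgroup-Name": "wireless", "User-Name": "bjones",
                            "Calling-Station-Id": "00-11-22-33-44-57", "NAS-IP-Address": "10.10.10.99"},
     {"ldapStafforStudentAttribute": "student"}),
    ("nac-guest", {"Huntgroup-Name": "wireless", "User-Name": "guest1234",
                   "Calling-Station-Id": "00-11-22-33-44-58", "NAS-IP-Address": "10.10.10.13"}, {}),
    ("odd-attr-value", {"Huntgroup-Name": "wireless", "User-Name": "cwhite",
                        "Calling-Station-Id": "00-11-22-33-44-59", "NAS-IP-Address": "10.10.10.13"},
     {"ldapStafforStudentAttribute": "Staff "}),   # case/whitespace mismatch
    ("wired-port", {"Huntgroup-Name": "wired", "User-Name": "asmith",
                    "Calling-Station-Id": "00-11-22-33-44-56", "NAS-IP-Address": "10.20.0.1"},
     {"ldapStafforStudentAttribute": "staff"}),
]


def evaluate_samples():
    """Run every sample through post_auth; returns {label: (branch, vlan or None)}."""
    results = {}
    for label, request, reply in SAMPLE_REQUESTS:
        branch, added = post_auth(request, reply)
        results[label] = (branch, added.get("Tunnel-Private-Group-ID"))
    return results


if __name__ == "__main__":
    for label, (branch, vlan) in evaluate_samples().items():
        print(f"{label:20s} -> {branch:14s} VLAN {vlan or '(controller default)'}")
```

Running the script prints one line per sample. The two extra cases are the ones worth checking on a real server with radtest or a packet capture: a request that arrives through a huntgroup other than "wireless", or an LDAP value that is not exactly "staff" or "student", gets the guest VLAN 3005, which is the safe direction to fail but is also the first place to look when a legitimate user ends up on the guest network.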
