control authentication/authorization by SSID

control authentication/authorization by SSID

Munroe Sollog
I've been reviewing:
https://wiki.freeradius.org/guide/Mac-Auth#additional-modifications_mac-auth-authorisation-by-ssid

I have two SSIDs.  One of them is mac-auth and the other is .1x.  My
wireless environment presents freeradius with %{Aruba-Essid-Name} to denote
the SSID.  If I am interpreting the above documentation correctly, it
suggests that I alter what I'm storing in the mac address database to also
include the SSID so it can compare both the mac address and the SSID.
However, as we don't have multiple SSIDs that do mac auth, is it possible
to create some sort of logic in the authorize section based on SSID?
Something like:

if %{Aruba-Essid-Name} == "mac-auth ssid" { do mac auth}
elif %{Aruba-Essid-Name} == ".1x ssid" {do eap}
else {reject}

That seems like a simpler solution, especially since it doesn't require me
to mess with the database of mac addresses.  Any input would be appreciated.

--
Munroe Sollog (He/Him/His)
Senior Network Engineer
[hidden email]
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: control authentication/authorization by SSID

Alan DeKok-2
On Oct 7, 2020, at 12:39 AM, Munroe Sollog <[hidden email]> wrote:
>
> I've been reviewing:
> https://wiki.freeradius.org/guide/Mac-Auth#additional-modifications_mac-auth-authorisation-by-ssid

  Some of the Wiki is a little out of date, but it's mostly correct.  We're working on that.

> I have two SSIDs.  One of them is mac-auth and the other is .1x.  My
> wireless environment presents freeradius with %{Aruba-Essid-Name} to denote
> the SSID.  If I am interpreting the above documentation correctly, it
> suggests that I alter what I'm storing in the mac address database to also
> include the SSID so it can compare both the mac address and the SSID.
> However, as we don't have multiple SSIDs that do mac auth, is it possible
> to create some sort of logic in the authorize section based on SSID?
> Something like:
>
> if %{Aruba-Essid-Name} == "mac-auth ssid" { do mac auth}
> elif %{Aruba-Essid-Name} == ".1x ssid" {do eap}
> else {reject}
>
> That seems like a simpler solution, especially since it doesn't require me
> to mess with the database of mac addresses.  Any input would be appreciated.

  You can do pretty much exactly what you said.

  Alan DeKok.
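
The branching discussed in this thread, sketched in FreeRADIUS v3 unlang as an added example (not code from either poster or from the FreeRADIUS project). Assumptions: the two SSID strings are constructed placeholders, `authorized_macs` is a `files` module instance set up as in the wiki's Mac-Auth guide, and the stock `rewrite_calling_station_id` policy and `eap` module are enabled.

```unlang
# authorize section of the virtual server (FreeRADIUS v3 syntax assumed)
authorize {
    preprocess

    # Constructed SSID names: replace with the real ESSIDs.
    if (&Aruba-Essid-Name == "example-mac-auth") {
        # Normalise the MAC format before the lookup.
        rewrite_calling_station_id

        # Assumed "files" instance listing the permitted MAC addresses.
        authorized_macs
        if (!ok) {
            # MAC not in the list.
            reject
        }
        else {
            update control {
                Auth-Type := Accept
            }
        }
    }
    elsif (&Aruba-Essid-Name == "example-dot1x") {
        # 802.1X SSID: only EAP is acceptable here, so a plain
        # MAC-style request on this SSID is refused.
        if (!&EAP-Message) {
            reject
        }
        eap {
            ok = return
        }
    }
    else {
        # Unknown or missing SSID attribute: fail closed.
        reject
    }
}
```

The final `else` fails closed, so a request that arrives without `Aruba-Essid-Name` is rejected rather than falling through to either method.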

