Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

2 SSIDs & 2 mutually exclusive groups, single lan, freeRadius server

  • 1.  2 SSIDs & 2 mutually exclusive groups, single lan, freeRadius server

    Posted Jul 17, 2013 12:17 PM

    I've got 2 IAP-105USs.  They have two SSIDs: "staff" and "residents".  Residents get a lower AP bandwidth and percentage, but are in the same address space.  I've got freeRadius running fine, but I don't want members of the "residents" group connecting to the "staff" SSID, (and getting full BW, etc.)  How hard could that be??  

     

     I was hoping to just do something like:

     

    jap      Cleartext-password:="xyz", NAS-Identifier=='residents'

     

    in my /etc/raddb/users file, but it's clear that doesn't work.  I have multiple radius profiles on the APs, that have the different NAS-Identifiers, and tied the SSIDs to the different radius profiles, which indeed comes across.

     

    Any help you could give would be very appreciated.

     

    -Joseph

     



  • 2.  RE: 2 SSIDs & 2 mutually exclusive groups, single lan, freeRadius server

    Posted Jul 17, 2013 12:59 PM

    We could do the configuration of Aruba VSA and use "Aruba-ESSID" so that users connecting to SSID "staff" could only connect to staff and will not be able to access "Resident" SSID. Similarly user connecting to "Resident" could connect to "resident" and will be able to access "staff" SSID. This could be achieved by configuration on the RADIUS server with two groups ("resident" and "staff") built in, which carries the attribute back to the IAP. Here the downside is you will not be completely able to connect one SSID over another at any given point of time. Let me know if this helps.

     

    It is not possible to restrict only the bandwidth on the same address space, as the user will always be able to switch to another SSID to get better bandwidth, and the bandwidth configuration is just SSID profile specific.

     

    Thanks!



  • 3.  RE: 2 SSIDs & 2 mutually exclusive groups, single lan, freeRadius server

    Posted Jul 17, 2013 01:35 PM

    @sriram.subramanian wrote:

    We could do the configuration of Aruba VSA and use "Aruba-ESSID" so that users connecting to SSID "staff" could only connect to staff and will not be able to access "Resident" SSID. Similarly user connecting to "Resident" could connect to "resident" and will be able to access "staff" SSID. This could be achieved by configuration on the RADIUS server with two groups ("resident" and "staff") built in, which carries the attribute back to the IAP. Here the downside is you will not be completely able to connect one SSID over another at any given point of time. Let me know if this helps.

     

    It is not possible to restrict only the bandwidth on the same address space, as the user will always be able to switch to another SSID to get better bandwidth, and the bandwidth configuration is just SSID profile specific.

     

    Thanks!


    I'm able to use a rule under /etc/raddb/sites-enabled/default to run a script that determines if the person can log in to the correct SSID, but that's really dirty.  I think it's a very reasonable thing to have multiple SSIDs with differing wireless characteristics, and then be able to determine which Enterprise login is allowed to each.  Surely someone has thought that out, right?



  • 4.  RE: 2 SSIDs & 2 mutually exclusive groups, single lan, freeRadius server

    Posted Jul 17, 2013 03:24 PM

    We could try preventing Resident users from connecting to the staff SSID by simply configuring Aruba VSA attributes on FreeRADIUS.
    Please find below the link from the support site to copy the Aruba VSA dictionary for FreeRADIUS.

     

    http://support.arubanetworks.com/TOOLSRESOURCES/tabid/76/DMXModule/514/EntryId/115/Default.aspx

     

    Find attached file as well.

     

    Once we copy the attributes to the server, we could try configuring and defining the rule on the FreeRADIUS server saying: for any RADIUS access request coming in to FreeRADIUS from the IAP matching the Aruba VSA ESSID "Resident", where the user also belongs to the Resident group, allow the user to authenticate, and otherwise just drop them.

     

    Hope this helps.

    Thanks!

    Attachment(s)

    txt
    dictionary_freeradius.txt   1 KB 1 version
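
The per-SSID check this thread discusses (the script hook mentioned in post 3, and the "ESSID plus group" rule described in post 4), written out as an added example; it is not code from any poster, from Aruba or from FreeRADIUS. It assumes the hook hands the request attributes to the script as environment variables named USER_NAME, NAS_IDENTIFIER and ARUBA_ESSID_NAME; those names, the group tables and the user "alice" are assumptions constructed for illustration.

```python
import os
import sys

# Constructed policy tables (assumptions): which group may use which SSID,
# and which group each login belongs to.
SSID_GROUP = {"staff": "staff", "residents": "residents"}
USER_GROUP = {"jap": "residents", "alice": "staff"}


def attr(env, name):
    """Read one request attribute; strip surrounding quotes if the hook adds them."""
    value = env.get(name, "").strip()
    if len(value) >= 2 and value[0] == value[-1] == '"':
        value = value[1:-1]
    return value


def ssid_allowed(env):
    """Return True only when the user's group matches the group the SSID requires."""
    user = attr(env, "USER_NAME")  # assumed variable name
    # Prefer the Aruba ESSID VSA; fall back to the per-SSID NAS-Identifier
    # that the original poster configured on the APs (assumed variable names).
    ssid = attr(env, "ARUBA_ESSID_NAME") or attr(env, "NAS_IDENTIFIER")
    group = USER_GROUP.get(user)
    required = SSID_GROUP.get(ssid.lower())
    # Fail closed: unknown user, unknown SSID or a missing attribute is a reject.
    if not user or group is None or required is None:
        return False
    return group == required


if __name__ == "__main__":
    # Exit 0 lets the request continue; non-zero tells the caller to reject it.
    sys.exit(0 if ssid_allowed(os.environ) else 1)
```

The fail-closed branch matters most here: a request that arrives without an SSID attribute, or for an SSID missing from the table, is rejected rather than falling through to the full-bandwidth profile.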