> Ok, Well that might be what I'm looking for. How do you get
> Radius to check for username,password and vlan/ssid?

Well, as you might expect, that depends upon what data store you plan to go against (unix passwd file, freeradius users file, LDAP, etc.) You mentioned LDAP last time so I'll give you some pointers on that.

We use LDAP for authorization and ntlm_auth via PEAP/MS-CHAP-V2 for authentication of 802.11 users. We require authentication via the AP to associate as opposed to using "open" on the AP with a Web-based portal.

To configure LDAP authorization, look in ldap.attrmap. Within this file, you'll see checkItem entries. These entries define what LDAP attribute to look for and the radius attribute to which it should be mapped.

In our case, we check for membership in a specific AD group, based upon the SSID to which they are connecting. So, I have a checkItem for the "memberOf" LDAP attribute and I map it to Ldap-Group. The LDAP module will create a Ldap-Group check attribute for each AD group to which the user is a member (other than their primary group). Then, I have a perl script that determines the required group and checks for membership (by looking in the %RAD_CHECK{'Ldap-group'} variable - it will be an array if the user is a member of more than 1 group). It then returns RLM_REJECT if they aren't a member of a required group.

You could also use attr_rewrite, probably with a regular expression, to create a custom Group-Requirement attribute based upon the SSID/VLAN information in the request. Then, you could use the checkval module to do the testing. (I used perl because it is much more flexible and because I like perl :-).)

> Can you do a quick cut/paste job of what I need to place
> in my conf files?

Not unless you can articulate your specific requirements. If you need more info than the above, state more specifically what you're trying to do (what LDAP attribute and what values). Or, if you're not using LDAP, what are you using?

> Also what AP's are you using that allow you to get them to send the
> ssid/vlan to Radius?

Cisco 1232.
You can get it to send the SSID via:

    dot11 location ...
    (will send WISPr-Location-ID as a request attribute with the SSID contained within the string)

or

    radius-server vsa send authentication
    (will send cisco-AVPair as a request attribute with ssid=xxxx within the string)

By the way, it is generally preferred to send all messages to the mailing list. In this way, you can take advantage of everyone's experience.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
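
The per-SSID group check described in the reply above, written as an rlm_perl authorize hook. This is an added example, not the poster's script: the SSID-to-group map, the group DNs and the 'Ldap-Group' hash key (the attribute the memberOf checkItem is mapped to) are assumptions, and the SSID is read only from the "ssid=xxxx" Cisco-AVPair form.

```perl
use strict;
use warnings;

# Hashes populated by rlm_perl before each call into this script.
our (%RAD_REQUEST, %RAD_CHECK);

# Return codes, using the values from the example.pl shipped with FreeRADIUS.
use constant { RLM_MODULE_REJECT => 0, RLM_MODULE_OK => 2 };

# Constructed policy: SSID (lower case) -> AD group DN required to use it.
my %REQUIRED_GROUP = (
    'staff-wlan' => 'CN=Wireless-Staff,OU=Groups,DC=example,DC=com',
    'lab-wlan'   => 'CN=Wireless-Lab,OU=Groups,DC=example,DC=com',
);

# rlm_perl passes a scalar for a single value and an array ref for several,
# so normalise both shapes (and a missing attribute) to a plain list.
sub values_of {
    my ($v) = @_;
    return () unless defined $v;
    return ref($v) eq 'ARRAY' ? @$v : ($v);
}

# Extract the SSID from the "ssid=xxxx" Cisco-AVPair sent by the AP.
sub request_ssid {
    for my $pair (values_of($RAD_REQUEST{'Cisco-AVPair'})) {
        return lc($1) if $pair =~ /^ssid=(.+)$/i;
    }
    return;
}

sub authorize {
    my $ssid = request_ssid();

    # Fail closed: no SSID in the request, or an SSID with no policy entry.
    my $need = defined $ssid ? $REQUIRED_GROUP{$ssid} : undef;
    return RLM_MODULE_REJECT unless defined $need;

    # One Ldap-Group value exists per AD group; compare DNs case-insensitively.
    for my $group (values_of($RAD_CHECK{'Ldap-Group'})) {
        return RLM_MODULE_OK if lc($group) eq lc($need);
    }
    return RLM_MODULE_REJECT;
}

1;
```

The hook has to run after the ldap module in the authorize section so that the Ldap-Group check items are already present when it is called.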