Authenticating EAP-TLS and PEAP on same RADIUS for different SSIDs
Rainer Sinsch 2007-02-12, 7:19 am
Hello everyone,
I'm working with Microsoft IAS Radius server and everything works fine. I
can configure a policy for EAP-TLS, PEAP or both. But I did not find a way
to configure a policy in which the SSID is taken into account (given APs
with multiple VLANs/WLANs).
Now my question is: Is it possible to distinguish the RADIUS policy by the
SSID?
What I need is the following:
1. Use EAP-TLS (and not PEAP) on a WLAN SSID=MyWLAN1
2. Use PEAP (and not EAP-TLS) on a WLAN SSID=MyWLAN2
I'm currently seeing no way to configure this, so in the past I used two
different IAS servers and configured them for each SSID on the access point
(SSID1 for EAP-TLS server and SSID2 for PEAP server). Of course this doubles
the number of required servers which is very inconvenient.
Maybe it is possible to do something with RADIUS attributes? But which one?
Are SSIDs transferred in RADIUS packets?
Any hints on this?
/rainer
rt-seb 2007-02-12, 7:19 am
Hello Rainer,
"Rainer Sinsch" wrote:
> Hello everyone,
>
> I'm working with Microsoft IAS Radius server and everything works fine. I
> can configure a policy for EAP-TLS, PEAP or both. But I did not find a way
> to configure a policy in which the SSID is taken into account (given APs
> with multiple VLANs/WLANs).
>
> Now my question is: Is it possible to distinguish the RADIUS policy by the
> SSID?
>
> What I need is the following:
>
> 1. Use EAP-TLS (and not PEAP) on a WLAN SSID=MyWLAN1
> 2. Use PEAP (and not EAP-TLS) on a WLAN SSID=MyWLAN2
>
> I'm currently seeing no way to configure this, so in the past I used two
> different IAS servers and configured them for each SSID on the access point
> (SSID1 for EAP-TLS server and SSID2 for PEAP server). Of course this doubles
> the number of required servers which is very inconvenient.
>
> Maybe it is possible to do something with RADIUS attributes? But which one?
> Are SSIDs transferred in RADIUS packets?
>
SSIDs are usually not contained in RADIUS packets.
> Any hints on this?
>
What you could do is to map each SSID to a different VLAN. For each
VLAN you will need different IP segments.
At the IAS RAS policy you can specify conditions based on the IP
addresses (ranges) of the RADIUS clients (APs).
For example, you could have two conditions:
1. all RADIUS clients from range X
2. all RADIUS clients from range Y
Of course, this requires the APs to use different RADIUS source IP
addresses depending on the SSID the client tries to connect to.
Sebastian
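The policy logic Sebastian describes (condition on the RADIUS client's source address, then permit only one EAP method per range) can be checked against real packets with a small parser. The following is an added example, not code from the thread or from Microsoft IAS: it builds minimal Access-Request packets, walks the RADIUS attribute TLVs to pull out NAS-IP-Address (type 4) and the EAP method type inside EAP-Message (type 79), and decides based on a hypothetical range-to-method table. The policy names, address ranges and the sample packets are constructed for illustration; the packets carry a zero Request Authenticator and no Message-Authenticator, so they are parser input only, not valid on-the-wire requests.

```python
import ipaddress
import struct

# RADIUS attribute types (RFC 2865 / RFC 3579).
NAS_IP_ADDRESS = 4
EAP_MESSAGE = 79
# EAP method types from the IANA registry: 13 = EAP-TLS, 25 = PEAP.
EAP_TLS = 13
PEAP = 25

# Hypothetical policy table (constructed for this example): the RADIUS
# client range stands in for the SSID, as Sebastian's proposal requires.
POLICIES = [
    ("MyWLAN1-APs", ipaddress.ip_network("10.1.0.0/24"), EAP_TLS),
    ("MyWLAN2-APs", ipaddress.ip_network("10.2.0.0/24"), PEAP),
]


def build_access_request(nas_ip, eap_type, identifier=1):
    """Construct a minimal RADIUS Access-Request (code 1) that carries
    NAS-IP-Address and one EAP-Message holding an EAP Response of the given
    method type. Constructed sample: authenticator is all zeros and no
    Message-Authenticator is included, so this is parser input only."""
    # EAP packet: Code=2 (Response), Identifier, Length=5, Type.
    eap = struct.pack("!BBHB", 2, identifier, 5, eap_type)
    attrs = struct.pack("!BB4s", NAS_IP_ADDRESS, 6,
                        ipaddress.ip_address(nas_ip).packed)
    attrs += struct.pack("!BB", EAP_MESSAGE, 2 + len(eap)) + eap
    length = 20 + len(attrs)
    return struct.pack("!BBH16s", 1, identifier, length, b"\x00" * 16) + attrs


def parse_attributes(packet):
    """Walk the RADIUS attribute TLVs after the 20-byte header.
    Returns a list of (type, value_bytes); rejects malformed lengths so a
    truncated or padded packet cannot make the loop read out of bounds."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length != len(packet):
        raise ValueError("bad RADIUS length field")
    attrs = []
    pos = 20
    while pos < length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        attrs.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return attrs


def evaluate(packet):
    """Apply the range-based policy to one Access-Request.
    Returns (policy_name_or_None, decision_string)."""
    nas_ip = None
    eap_type = None
    for atype, value in parse_attributes(packet):
        if atype == NAS_IP_ADDRESS and len(value) == 4:
            nas_ip = ipaddress.ip_address(value)
        elif atype == EAP_MESSAGE and len(value) >= 5 and value[0] == 2:
            # Byte 4 of an EAP Response is the method type.
            eap_type = value[4]
    if nas_ip is None:
        return (None, "reject: no NAS-IP-Address")
    for name, network, allowed in POLICIES:
        if nas_ip in network:
            if eap_type == allowed:
                return (name, "accept")
            return (name, "reject: EAP type %s not permitted" % eap_type)
    # No range matched: the fall-through case an AP with a single
    # management address for every SSID would always land in.
    return (None, "reject: no policy matched")


if __name__ == "__main__":
    for ip, method in [("10.1.0.5", EAP_TLS), ("10.2.0.7", EAP_TLS),
                       ("10.2.0.7", PEAP), ("10.99.0.1", PEAP)]:
        print(ip, method, evaluate(build_access_request(ip, method)))
```

The last sample (10.99.0.1) shows the limitation Rainer raises in his reply: if every SSID's requests arrive from one management interface, no source-address condition can tell them apart, and the policy falls through to a reject (or, configured the other way round, to one shared policy for both SSIDs).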
Rainer Sinsch 2007-02-12, 7:19 am
Hi Sebastian,
> What you could do is to map each SSID to a different VLAN. For each
> VLAN you will need different IP segments.
This is the case. Every SSID broadcasts a different VLAN with a different
subnet.
> At the IAS RAS policy you can specify conditions based on the IP
> addresses (ranges) of the RADIUS clients (APs).
I don't think this will work, because the RADIUS client is the AP
management interface, which belongs to the management subnet. Perhaps I
failed to explain this in detail, but my scenario is based on access points
with multiple WLANs/SSIDs and I need different authentication types on
different SSIDs.
> For example, you could have two conditions:
> 1. all RADIUS clients from range X
> 2. all RADIUS clients from range Y
As mentioned above: The RADIUS client is the same, no matter if it is SSID#1
or SSID#2.
> Of course, this requires the APs to use different RADIUS source IP
> addresses depending on the SSID the client tries to connect to.
I am afraid that this is not possible. The RADIUS client is always the AP
management interface, or - in controller environments - the wireless lan
controller.
/Rainer