We help IT Professionals succeed at work.

Freeradius with ldap group ssid based authentication with student & staff and guest vlan

D_wathi asked

I configured freeradius with ldap authentication we are having different vlan for student,staff & guest
configured with dlink switch. and running dhcp server.  Based on the ssid the dhcp has to release the ip address to particular vlan . student user should get only student vlan,  staff users should get staff vlan  and guest users should get guest vlan.
But as of now any user of any vlan are able to connect to the any vlan. How to restrict that in freeradius. please give  the me configuration of radiusd.conf & users file

Please help in this.
Watch Question

Top Expert 2008


the solution depends on the capability of the radius client device.  many wireless access point systems will not support that kind of arrangement.

the way I would do it is to use some equipment that supports 'virtual AP' mode so that two SSIDs can be presented (one each for staff and student) and then simply bind the virtual AP to the required VLAN.

Mikrotik hardware (www.mikrotik.com) would be an excellent choice for this purpose.




We are using Dlink DWL 3200 AP. as wireless clinet will it support the radius server
Top Expert 2008
Hello, yes BUT it does not support virtual AP and it does not appear to support the radius attribute capability that you need.

I looked at the DLINK user guides and technical data, and can't find any mention of what radius attributes are supported.  Therefore, I suspect that it probably does not support anything other than plain authentication - i.e. no capacity to set vlans, or even bandwidth limits or IP addresses/ranges.

Therefore, I suspect that you will not be able to use that equipment to achieve the outcome that you seek.

I recommend mikrotik equipment as a feasible alternative.  You WILL be able to do it with something like an RB433 or RB411.  Here is an Australian distributor to compare prices: