Configure Freeradius/pfsense multiple ssids <> users

Networking & Firewalls
1

Hello,

I am using pfsense + FreeRadius package, and some Unifi AP.

I configured several ssids and vlans like this :

  • ssid “home” → vlan100 → 10.10.100.x
  • ssid “guest” → vlan110 → 10.10.110.x
  • ssid “iot” → vlan120 → 10.10.120.x
  • etc…

Radius authentication is working, but server authorize any users access to any SSID. I would like to secure like this :

  • First list of users → access only to “home” ssid.
  • Second list of users → access only to “guest” ssid.
  • Third list of devices → access only to “iot” ssid.

But I did’nt afford to configure this.
→ Could you please help to do this ?

Thanks !

2

In FreeRadius under users there is a field for VLAN id, perhaps if you enter a value the user might be constrained to that vlan. Though I have never tried this myself.

3

I tried this option, and yes it’s constrained to connect to vlan value.
Unfortunately, users can also connect and authenticate to other ssids.

4

This guy looks like he has done it, but I think it is by having a single SSiD. It doesn’t feel very elegant but perhaps you have to have a separate RADIUS NAS for each SSiD, i.e. different credentials or a single SSiD if you have a single NAS.

5

Actually this might be what you are looking for

6

I will take a look → Thanks !

7

With help of the forums, I found the solution.
I share it to help other users):

ssh → pfsense / radius machine :
sudo radsniff -X

Finding the right syntax in log information :

...
Called-Station-Id = "aa-bb-cc-dd-ee-ff:ssid_name"
...

I added this syntax to "Additional RADIUS Attributes (CHECK-ITEM)
(pfSense / FreeRADIUS, at the bottom of the user configuration page) :
Called-Station-Id =~ '.*:ssid_name'

In case you want to catch the complete value (ie : mac:ssid), you simply add :
Called-Station-Id == "aa-bb-cc-dd-ee-ff:ssid_name"

→ Now, user is connecting ONLY to one ssid.

1 Like
8

Thanks for posting the results, that’s handy to know.