I am using pfSense + the FreeRADIUS package, and some UniFi APs.
I configured several SSIDs and VLANs like this:
ssid “home” → vlan100 → 10.10.100.x
ssid “guest” → vlan110 → 10.10.110.x
ssid “iot” → vlan120 → 10.10.120.x
RADIUS authentication is working, but the server authorizes any user to access any SSID. I would like to secure it like this:
First list of users → access only to “home” ssid.
Second list of users → access only to “guest” ssid.
Third list of devices → access only to “iot” ssid.
But I didn't manage to configure this.
→ Could you please help me do this?
In FreeRADIUS under users there is a field for VLAN ID; perhaps if you enter a value the user might be constrained to that VLAN. Though I have never tried this myself.
I tried this option, and yes, it's constrained to connect to the VLAN value.
Unfortunately, users can also connect and authenticate to other ssids.
This guy looks like he has done it, but I think it is by having a single SSID. It doesn't feel very elegant, but perhaps you have to have a separate RADIUS NAS for each SSID, i.e. different credentials, or a single SSID if you have a single NAS.
I recently bought a UniFI AP AC Pro  access point to replace my old useless AP. For obvious geeky reasons I wanted to use WPA2 Enterprise instead of WPA2 Personal. In that way, I can have different accounts for accessing my wireless network, which...
Actually this might be what you are looking for
We may have had an issue with a young “midnight surfer” on the internet one night, and it has since taken me a wild ride of VLANs, schedules, traffic shaping, RADIUS servers and SSIDs. I’ll give a bit of an abbreviated journey so you can relive the...
I will take a look → Thanks!
With the help of the forums, I found the solution.
I share it to help other users:
ssh → pfSense / RADIUS machine:
sudo radsniff -X
Find the right syntax in the log output:
Called-Station-Id = "aa-bb-cc-dd-ee-ff:ssid_name"
I added this syntax to "Additional RADIUS Attributes (CHECK-ITEM)" (pfSense / FreeRADIUS, at the bottom of the user configuration page):
Called-Station-Id =~ '.*:ssid_name'
In case you want to match the complete value (i.e. mac:ssid), you simply add:
Called-Station-Id == "aa-bb-cc-dd-ee-ff:ssid_name"
→ Now, the user can connect ONLY to one SSID.
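As an added illustration (example code written for this thread, not pfSense's or FreeRADIUS's own), here is a small Python model of how the check items above are evaluated against the Called-Station-Id of an Access-Request, with both the `=~` and `==` operators; user names, BSSIDs and requests are constructed. It goes a step beyond the thread by showing why the regex should be anchored with `$` and what the exact `==` form implies with more than one AP.

```python
import re

# Constructed policy in FreeRADIUS users-file style: user -> (operator, value).
# These are the check items entered under "Additional RADIUS Attributes (CHECK-ITEM)".
POLICY = {
    "alice": ("=~", r".*:home$"),              # anchored: only the SSID literally named "home"
    "bob":   ("=~", r".*:guest"),              # unanchored, as in the thread: also matches "guest2"
    "cam01": ("==", "aa-bb-cc-dd-ee-ff:iot"),  # exact BSSID:SSID: tied to one AP radio
}

def check_item_matches(op: str, value: str, attr: str) -> bool:
    """Model of a single FreeRADIUS check item against a request attribute.
    '=~' is a regex search (unanchored unless ^/$ are given); '==' is exact equality."""
    if op == "=~":
        return re.search(value, attr) is not None
    if op == "==":
        return attr == value
    raise ValueError(f"unsupported operator {op!r}")

def authorize(user: str, called_station_id: str) -> bool:
    """True if the user's check item matches the request's Called-Station-Id."""
    if user not in POLICY:
        return False  # unknown user: no matching entry, so Access-Reject
    op, value = POLICY[user]
    return check_item_matches(op, value, called_station_id)

# Constructed Access-Requests: (User-Name, Called-Station-Id as the AP sends it, "BSSID:SSID").
REQUESTS = [
    ("alice", "aa-bb-cc-dd-ee-ff:home"),        # accept
    ("alice", "aa-bb-cc-dd-ee-ff:guest"),       # reject: wrong SSID
    ("alice", "aa-bb-cc-dd-ee-ff:homeoffice"),  # reject: the $ anchor stops the prefix match
    ("bob",   "aa-bb-cc-dd-ee-ff:guest2"),      # accept(!): unanchored pattern also matches "guest2"
    ("cam01", "aa-bb-cc-dd-ee-ff:iot"),         # accept
    ("cam01", "11-22-33-44-55-66:iot"),         # reject: same SSID on a second AP, different BSSID
]

def evaluate_all():
    """Evaluate every constructed request; returns (user, Called-Station-Id, accepted)."""
    return [(u, csid, authorize(u, csid)) for u, csid in REQUESTS]

if __name__ == "__main__":
    for user, csid, ok in evaluate_all():
        print(f"{user:6} {csid:28} {'Access-Accept' if ok else 'Access-Reject'}")
```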
Thanks for posting the results, that’s handy to know.