Configure Freeradius/pfsense multiple ssids <> users


I am using pfsense + FreeRadius package, and some UniFi APs.

I configured several ssids and vlans like this:

  • ssid “home” → vlan100 → 10.10.100.x
  • ssid “guest” → vlan110 → 10.10.110.x
  • ssid “iot” → vlan120 → 10.10.120.x
  • etc…

Radius authentication is working, but the server authorizes any user to access any SSID. I would like to secure it like this:

  • First list of users → access only to “home” ssid.
  • Second list of users → access only to “guest” ssid.
  • Third list of devices → access only to “iot” ssid.

But I didn’t manage to configure this.
→ Could you please help me do this?

Thanks !

In FreeRadius under users there is a field for VLAN ID; perhaps if you enter a value the user might be constrained to that VLAN. Though I have never tried this myself.

I tried this option, and yes it’s constrained to connect to vlan value.
Unfortunately, users can also connect and authenticate to other ssids.

This guy looks like he has done it, but I think it is by having a single SSID. It doesn’t feel very elegant but perhaps you have to have a separate RADIUS NAS for each SSID, i.e. different credentials or a single SSID if you have a single NAS.

Actually this might be what you are looking for

I will take a look → Thanks !

With the help of the forums, I found the solution.
I am sharing it to help other users:

ssh → pfsense / radius machine:
sudo radsniff -X

Finding the right syntax in the log information:

Called-Station-Id = "aa-bb-cc-dd-ee-ff:ssid_name"

I added this syntax to "Additional RADIUS Attributes (CHECK-ITEM)"
(pfSense / FreeRADIUS, at the bottom of the user configuration page):
Called-Station-Id =~ '.*:ssid_name'

In case you want to catch the complete value (i.e. mac:ssid), you simply add:
Called-Station-Id == "aa-bb-cc-dd-ee-ff:ssid_name"

→ Now, the user is connecting ONLY to one SSID.

1 Like
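
An added example (not from the thread or the pfSense package) that replays the check-item from the solution above against constructed Called-Station-Id values. Python's `re.search` stands in for the `=~` operator on the assumption that both match anywhere in the value unless anchored; the user names and the `guest-lab` SSID are hypothetical. It also evaluates a variant ending in `$`, which keeps an SSID that merely starts with the allowed name from matching.

```python
import re

# Constructed policy: each user (hypothetical names) may join exactly one SSID.
USER_SSID = {"alice": "home", "visitor": "guest", "thermostat": "iot"}

def unanchored(ssid):
    """Pattern in the form used in the thread: '.*:ssid_name'."""
    return ".*:" + re.escape(ssid)

def anchored(ssid):
    """Variant with an end anchor, so nothing may follow the SSID name."""
    return ":" + re.escape(ssid) + "$"

def check_item(user, called_station_id, make_pattern):
    """Mimic 'Called-Station-Id =~ pattern' for one Access-Request.

    Assumption: like re.search, the =~ operator matches anywhere in the
    value unless the pattern itself is anchored.
    """
    ssid = USER_SSID.get(user)
    if ssid is None:
        return False  # unknown user: no entry to match, reject
    return re.search(make_pattern(ssid), called_station_id) is not None

# Constructed requests: (User-Name, Called-Station-Id as shown by radsniff).
REQUESTS = [
    ("alice", "aa-bb-cc-dd-ee-ff:home"),
    ("alice", "aa-bb-cc-dd-ee-ff:guest"),
    ("thermostat", "11-22-33-44-55-66:iot"),
    ("visitor", "aa-bb-cc-dd-ee-ff:guest-lab"),  # hypothetical SSID sharing a prefix
]

def evaluate(make_pattern):
    """Return the accept/reject decision for every constructed request."""
    return [check_item(u, csid, make_pattern) for u, csid in REQUESTS]

if __name__ == "__main__":
    rows = zip(REQUESTS, evaluate(unanchored), evaluate(anchored))
    for (user, csid), loose, strict in rows:
        print(f"{user:<11} {csid:<30} unanchored={loose!s:<5} anchored={strict}")
```

The last constructed request is the only one where the two forms disagree: the unanchored pattern accepts it, the anchored one rejects it.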

Thanks for posting the results, that’s handy to know.