Authenticating Wireless Simple



  • Hello, I have two Ubiquiti APs that are attached to a managed D-Link 1510 switch. When I set the APs to normal WPA, I can get in and have the VLAN I want for this user based on its MAC through RADIUS (the switch is programmed for authentication by MAC through RADIUS). My problem is that I want to use EAP, i.e. I want to perform authentication by CA and then by MAC without the user having to enter a username and a password. How can I do this? Or what is a better way to do this?

    greetings


  • LAYER 8 Global Moderator

    How are you doing WPA and then assigning the VLAN? I'd love to do that for my IoT devices that don't understand WPA Enterprise.

    Are you using a different RADIUS and not the package version? MAC auth is only in > version 3, right?



  • I have set the switch port to authenticate by MAC. On the AP I configured WPA, and on the RADIUS server that serves the VLANs to the switch I put the MAC and the VLAN I want for this MAC. The main thing is that the AP is connected to a managed switch with VLAN assignment by RADIUS.


  • LAYER 8 Global Moderator

    What RADIUS server, the pfSense package or standalone? I thought MAC auth was not available until version 3. Does it work in the current pfSense package, which is only 2.2.9? How are you setting up the UniFi controller to use RADIUS if not on WPA Enterprise?

    Oh, you're letting your switch set the VLAN? What is the point of that, since your wifi traffic would not be tagged? I don't see how your setup is of any use. So user A gets on and is in VLAN 100, how does user 2 get VLAN 200, if the switch is changing the VLAN of the port?

    How do you then talk to the AP, since the management interface does not allow tagging, and if your port on your switch changes its VLAN based upon user MAC?

    I am confused.

    Here is the normal setup with UniFi: you can have an untagged SSID, you can have an SSID with a VLAN tag, or you can have RADIUS determine the tag of the client on an SSID. So you could run multiple users on the same SSID with different tagged VLANs. But the management interface of the AP does not do tagging and has to be on the native untagged VLAN. So I am confused how changing the VLAN on the port connected to the AP from the switch allows for multiple tagged traffic.

    If you set the UniFi controller to WPA PSK for an SSID, you cannot even point it to a RADIUS server. You can assign a VLAN; when you go to Enterprise, then you can add the RADIUS server IP and port and then select to have RADIUS control the VLAN assignment of this connected user.

    I'm just confused how you're getting MAC-based auth with UniFi and WPA PSK, since you cannot point to the RADIUS. If you're letting the switch do it? You're saying your switch can tag traffic on the port based upon the MAC? That would be useful as well for my IoT stuff. What is the exact switch? I have a Cisco SG300; I will have to dig deeper into such a setting, I did not think that was even an option.




