WPA2 Enterprise Radius Question



  • Dear folks,

    I have done a lot with pfsense in the past, including developing nagios scripts for monitoring all aspects (coming public soon)… But I can't find any information regarding this question.

    I'd like to setup two access points with RADIUS (IAS) as the backend, bridge the wireless interface, and be able to assign dynamic VLANs (via RADIUS standard attribute 064).

    My question is does PFSense support this? If so, has anyone tried this with pfsense?

    Thanks in advance!
    namezero



  • Update:

    I have come to understand that hostapd does in theory support this, especially when using atheros cards.

    The correct way to use this would be to enable this configuration parameter I believe:

    # VLAN interface list for dynamic VLAN mode is read from a separate text file.
    # This list is used to map VLAN ID from the RADIUS server to a network
    # interface. Each station is bound to one interface in the same way as with
    # multiple BSSIDs or SSIDs. Each line in this text file is defining a new
    # interface and the line must include VLAN ID and interface name separated by
    # white space (space or tab).
    #vlan_file=/etc/hostapd.vlan


    I might be misinterpreting this parameter, but I assume if I were to create an em0_vlan5 interface via the GUI, and edit the vlan file as such:

    # VLAN ID to network interface mapping
    5      em0_vlan5
    
    # Optional wildcard entry matching all VLAN IDs. The first # in the interface
    # name will be replaced with the VLAN ID. The network interfaces are created
    # (and removed) dynamically based on the use.
    *	vlan#
    

    then hostapd should bridge a client whose RADIUS response contains attribute 064 to this interface automatically.

    Can anyone with more expertise on pfsense/hostapd maybe chime in on this?
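    The mapping described in the post (RADIUS reply, then vlan_file, then a per-station interface) as an added worked example; this is not code from the thread, from hostapd or from pfSense. It uses the attribute numbers defined in RFC 2868/3580 (Tunnel-Type 64, Tunnel-Medium-Type 65, Tunnel-Private-Group-ID 81; the VLAN number itself travels in attribute 81, attribute 64 only says "this is a VLAN"), hostapd's three dynamic_vlan modes (0 disabled, 1 optional, 2 required), and a constructed copy of the vlan_file from the post. Function names and the sample replies are assumptions made for the example.

```python
# Added example (not hostapd or pfSense code): resolve a RADIUS reply to the
# interface a station would be bound to under a hostapd-style vlan_file.

# RADIUS attribute numbers and values from RFC 2868 / RFC 3580
TUNNEL_TYPE = 64              # value 13 = VLAN
TUNNEL_MEDIUM_TYPE = 65       # value 6  = IEEE 802
TUNNEL_PRIVATE_GROUP_ID = 81  # carries the VLAN ID as a string
TUNNEL_TYPE_VLAN = 13
TUNNEL_MEDIUM_802 = 6

# Constructed copy of the vlan_file shown in the post (hypothetical file content)
SAMPLE_VLAN_FILE = """\
# VLAN ID to network interface mapping
5      em0_vlan5

# Optional wildcard entry matching all VLAN IDs. The first # in the interface
# name will be replaced with the VLAN ID.
*\tvlan#
"""


def parse_vlan_file(text):
    """Return (exact_map, wildcard_pattern) from vlan_file text.

    Lines starting with '#' are comments; every other line is '<vid> <iface>'.
    A '*' entry gives a pattern whose first '#' is replaced by the VLAN ID.
    """
    exact, wildcard = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) != 2:
            raise ValueError(f"malformed vlan_file line: {raw!r}")
        vid, iface = fields
        if vid == "*":
            if "#" not in iface:
                raise ValueError("wildcard interface name must contain '#'")
            wildcard = iface
        else:
            exact[int(vid)] = iface
    return exact, wildcard


def vlan_id_from_reply(attrs):
    """Extract a usable VLAN ID from a RADIUS Access-Accept.

    attrs is {attribute_number: value}. All three tunnel attributes must be
    present and consistent (RFC 3580 section 3.31); otherwise return None so
    the caller cannot silently bind a station to a half-specified VLAN.
    """
    if attrs.get(TUNNEL_TYPE) != TUNNEL_TYPE_VLAN:
        return None
    if attrs.get(TUNNEL_MEDIUM_TYPE) != TUNNEL_MEDIUM_802:
        return None
    group = attrs.get(TUNNEL_PRIVATE_GROUP_ID)
    if group is None:
        return None
    try:
        vid = int(str(group).strip())
    except ValueError:
        return None
    return vid if 1 <= vid <= 4094 else None


def resolve_interface(vid, exact, wildcard):
    """Map a VLAN ID to an interface: exact entry first, then the wildcard."""
    if vid in exact:
        return exact[vid]
    if wildcard is not None:
        return wildcard.replace("#", str(vid), 1)
    return None


def station_interface(attrs, vlan_file_text, dynamic_vlan, default_iface):
    """Decide where a station lands; None means the association is rejected.

    dynamic_vlan follows hostapd: 0 ignore RADIUS VLANs, 1 optional (fall
    back to default_iface), 2 required (no VLAN in the reply -> reject).
    """
    if dynamic_vlan == 0:
        return default_iface
    vid = vlan_id_from_reply(attrs)
    if vid is None:
        return default_iface if dynamic_vlan == 1 else None
    exact, wildcard = parse_vlan_file(vlan_file_text)
    iface = resolve_interface(vid, exact, wildcard)
    if iface is None:
        # VLAN assigned by RADIUS but not mappable: treat like a missing VLAN
        return default_iface if dynamic_vlan == 1 else None
    return iface


if __name__ == "__main__":
    # Constructed reply: Tunnel-Type=VLAN, Tunnel-Medium-Type=802, group id "5"
    reply = {64: 13, 65: 6, 81: "5"}
    print(station_interface(reply, SAMPLE_VLAN_FILE, 2, "em0"))
```

The defensive point is in `vlan_id_from_reply` and the `dynamic_vlan` handling: a reply missing attribute 65 or 81, or carrying an out-of-range ID, must not land the station on whatever interface the mapping happens to produce, and with the required mode the safe outcome is rejection rather than a fallback onto the untagged LAN.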



  • Internet –----pfsense -----LAN-Switch-----Hosts
                                            |
                                            |
                                          WLAN-AP-----WLAN-Hosts

    There is no need to change anything on pfsense other than creating the VLANs.
    The connection pfsense <--> LAN-Switch must be a trunk port which contains all VLANs (tagged interface).
    The connection LAN-Switch <--> WLAN-AP must be a trunk port which contains all VLANs (tagged interface).

    Now you configure your WLAN AP to connect to RADIUS (WPA2 Enterprise) and then you can assign the VLANs in the reply attributes of RADIUS. But this only works if your WLAN AP can assign VLANs.

    No need to change anything on pfsense.

    ======
    BUT if you are just using a USB WLAN stick plugged into pfsense itself, ok - then you need to change something on pfsense. I do not know whether this is supported by pfsense.



  • Thanks nachtfalke;

    I was referring to PFSense as an AP (i.e. hostapd). Hostapd supports RADIUS based dynamic VLAN, but PFSense has no GUI option for that.

