Freeradius Example For Wireless Client Configuration; Configuring User-Based Authentication And Dynamic Vlans; Table 91: Radius Attributes For Wireless Client Mac Authentication - D-Link DWS-3000 Series User Manual

Unified wired & wireless access system

Software User Manual
02/15/2011
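Table 91 indicates the attributes that you configure in the RADIUS server entry.

Table 91: RADIUS Attributes for Wireless Client MAC Authentication

RADIUS Server Attribute | Description | Range | Usage
----------------------- | ----------- | ----- | -----
User-Name (1) | Ethernet Address of the client station. | Valid Ethernet MAC Address. | Required
User-Password (2) | A fixed password used to look up a client MAC entry. | NOPASSWORD | Required

FreeRADIUS Example for Wireless Client Configuration
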
You can use an external RADIUS server, such as a server running FreeRADIUS, to authenticate users who attempt to
connect to an access point. The authentication is based on the username and password, and not the wireless client used
for access. The RADIUS server can also assign the user to a VLAN after he or she is authenticated by the server.
In addition to user-based authentication, you can configure MAC-based authentication to allow or deny wireless clients
access to the AP based on the MAC address of the client.

Configuring User-Based Authentication and Dynamic VLANs

You can configure an entry in the external RADIUS server to pass a user's credentials to the access point and to dynamically
assign the user to a VLAN.
Dynamic VLANs allow you to assign a user to a VLAN, and switches dynamically use this information to configure the port
on the switch automatically. Selection of the VLAN is usually based on the identity of the user. The RADIUS server informs
the access point of the selected VLAN as part of the authentication. This setup enables users of Dynamic VLANs to move
from one location to another without intervention and without having to make any changes to the switches.
If you use an external RADIUS server to manage VLANs, you configure the server to use Tunnel attributes in Access-Accept
messages in order to inform the access point about the selected VLAN. These attributes are defined in RFC 2868 and their
use for dynamic VLAN is specified in RFC 3580.
The VLAN attributes defined in RFC 3580 are as follows:
Tunnel-Type = VLAN (13)
Tunnel-Medium-Type = 802
Tunnel-Private-Group-ID = VLANID
To create a user and assign the user to a particular VLAN by using FreeRADIUS, open the etc/raddb/users file, which
contains the user account information, and add an entry for the new user.
The following example shows the entry for a user in the users file. The username is "johndoe," the password is "test1234."
The user is assigned to VLAN 77.

    # Check items go on the first line; reply items follow on indented lines.
    # Every reply item except the last ends with a comma.
    johndoe Auth-Type := EAP, User-Password == "test1234"
            Tunnel-Type = "VLAN",
            Tunnel-Medium-Type = "IEEE-802",
            Tunnel-Private-Group-ID = "77"

Tunnel-Type and Tunnel-Medium-Type use the same values for all stations. Tunnel-Private-Group-ID is the selected VLAN
ID and can be different for each user.
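
The three tunnel attributes above, as they are encoded inside an Access-Accept, can be decoded and checked before a VLAN is trusted. The following is an added example, not part of the D-Link manual or of FreeRADIUS; the function names are hypothetical, the sample bytes are constructed, and the numeric codes (attribute types 64, 65, 81 and medium type 6) are taken from RFC 2868, while the 1 to 4094 VLAN ID range comes from RFC 3580.

```python
# Added example: decode the RFC 2868 tunnel attributes of an Access-Accept
# and check them against the RFC 3580 VLAN rules. Sample bytes are constructed.
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
VLAN, IEEE_802 = 13, 6  # Tunnel-Type and Tunnel-Medium-Type values for VLANs


def encode_vlan_attrs(vlan_id):
    """Constructed sample: attribute bytes a server would send for vlan_id."""
    def tagged_int(attr, value):
        # Type, Length = 6, Tag = 0x00 (unused), 3-octet value
        return bytes([attr, 6, 0]) + value.to_bytes(3, "big")
    group = str(vlan_id).encode("ascii")
    return (tagged_int(TUNNEL_TYPE, VLAN)
            + tagged_int(TUNNEL_MEDIUM_TYPE, IEEE_802)
            + bytes([TUNNEL_PRIVATE_GROUP_ID, 2 + len(group)]) + group)


def iter_attrs(data):
    """Yield (type, value) pairs from a run of RADIUS attributes."""
    pos = 0
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError("truncated attribute header")
        attr, length = data[pos], data[pos + 1]
        if length < 2 or pos + length > len(data):
            raise ValueError("bad attribute length")
        yield attr, data[pos + 2:pos + length]
        pos += length


def vlan_from_attrs(data):
    """Return the VLAN ID to apply, or raise ValueError if the set is invalid."""
    seen = {}
    for attr, value in iter_attrs(data):
        if attr in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            if len(value) != 4:
                raise ValueError("tunnel attribute must carry tag + 3 octets")
            seen[attr] = int.from_bytes(value[1:], "big")
        elif attr == TUNNEL_PRIVATE_GROUP_ID:
            # A first octet of 0x1F or less is a tag, not part of the string.
            text = value[1:] if value and value[0] <= 0x1F else value
            seen[attr] = text.decode("ascii", errors="replace")
    if seen.get(TUNNEL_TYPE) != VLAN or seen.get(TUNNEL_MEDIUM_TYPE) != IEEE_802:
        raise ValueError("Tunnel-Type/Tunnel-Medium-Type do not select a VLAN")
    group = seen.get(TUNNEL_PRIVATE_GROUP_ID, "")
    if not (group.isascii() and group.isdigit()) or not 1 <= int(group) <= 4094:
        raise ValueError(f"invalid VLAN ID {group!r}")
    return int(group)
```

Rejecting a reply that lacks any of the three attributes, or that carries an out-of-range ID, keeps a misconfigured users entry from silently placing a client on an unintended VLAN.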
Document 34CS3000-SWUM104-D10, D-Link Unified Access System, Page 211
