RADIUS Authenticated SSID

TIP OpenWiFi 2.0

When authenticating clients with back office RADIUS systems, the configuration of OpenWiFi permits this on a per SSID basis.

    "interfaces": [
        {
            "name": "WAN",
            "role": "upstream",
            "ethernet": [
                {
                    "select-ports": [
                        "WAN*"
                    ]
                }
            ],
            "ipv4": {
                "addressing": "dynamic"
            },
            "ssids": [
                {
                    "name": "OpenWifi",
                    "wifi-bands": [
                        "5G"
                    ],
                    "bss-mode": "ap",
                    "encryption": {
                        "proto": "wpa2",
                        "ieee80211w": "optional"
                    },
                    "radius": {
                        "authentication": {
                            "host": "192.168.178.192",
                            "port": 1812,
                            "secret": "secret"
                        },
                        "accounting": {
                            "host": "192.168.178.192",
                            "port": 1813,
                            "secret": "secret"
                        }
                    }
                }
            ]
        },

            "ssids": [
                {
                    "name": "OpenWifi",
                    "wifi-bands": [
                        "2G"
                    ],
                    "bss-mode": "ap",
                    "encryption": {
                        "proto": "wpa2",
                        "ieee80211w": "optional"
                    },
                    "certificates": {
                        "ca-certificate": "/etc/ucentral/cas.pem",
                        "certificate": "/etc/ucentral/cert.pem",
                        "private-key": "/etc/ucentral/key.pem"
                    },
                    "radius": {
                        "local": {
                            "server-identity": "OpenWiFi-Local-EAP",
                            "users": [
                                {
                                    "user-name": "open",
                                    "password": "wifi"
                                }
                            ]
                        }
                    }
                }
            ]
        },

Many parameters are possible with RADIUS authentications given the many methods in use worldwide. Many of the EAP methods have configuration options described below.

RADIUS Attribute

Description

nas-identifier

Unique NAS Id used with RADIUS server

chargeable-user-id

Chargeable User Entity per RFC4372

local

Local RADIUS within AP device

server-identity
- users - Local EAP users based on username, PreShared Key and VLAN id

authentication

RADIUS server

host IP address
port ( example 1812)
secret ( Shared secret with RADIUS server )

Additional methods within Access-Request

request-attribute ( id of RADIUS server )
- id ( numeric value of RADIUS server )
- value
  Any sub-value defined as integer RADIUS attribute value

accounting

RADIUS server

host IP address
port ( example 1813)
secret ( Shared secret with RADIUS server )

Additional methods within Access-Request sent in Accounting

request-attribute ( id of RADIUS server )
- id ( numeric value of RADIUS server )
- value
  Any sub-value defined as integer RADIUS attribute value

accounting

interval ( Interim accounting interval defined in seconds )

PreviousRoaming RRM and SON NextDynamic VLANs with RADIUS

Last updated 2 years ago