TIP OpenWiFi 2.0
When authenticating clients with back office RADIUS systems, the configuration of OpenWiFi permits this on a per SSID basis.
Many parameters are possible with RADIUS authentications given the many methods in use worldwide. Many of the EAP methods have configuration options described below.
| RADIUS Attribute | Description |
|---|---|
nas-identifier
Unique NAS Id used with RADIUS server
chargeable-user-id
Chargeable User Entity per RFC4372
local
Local RADIUS within AP device
server-identity
users - Local EAP users based on username, PreShared Key and VLAN id
authentication
RADIUS server
host IP address
port ( example 1812)
secret ( Shared secret with RADIUS server )
Additional methods within Access-Request
request-attribute ( id of RADIUS server )
id ( numeric value of RADIUS server )
value
Any sub-value defined as integer RADIUS attribute value
accounting
RADIUS server
host IP address
port ( example 1813)
secret ( Shared secret with RADIUS server )
Additional methods within Access-Request sent in Accounting
request-attribute ( id of RADIUS server )
id ( numeric value of RADIUS server )
value
Any sub-value defined as integer RADIUS attribute value
accounting
interval ( Interim accounting interval defined in seconds )
TIP OpenWiFi 2.0
In many deployment scenarios, user authentication is centralized with RADIUS systems. In addition, users may have association to their own networks or private networks. A common approach for this is to dynamically assign VLANs to Wi-Fi subscribers as they join the OpenWiFi network.
To configure Dynamic VLANs with RADIUS, associate an SSID with RADIUS authentication, and associate the interface to "upstream" role as dynamic VLANs are most likely to be applicable across the service provider, venue, enterprise network.
OpenWiFi devices will determine a VLAN is associated to the authentication of a subscriber when the access-accept message returns the following attribute value pairs:
Tunnel-Type = 13
Tunnel-Medium-Type = 6
Tunnel-Private-Group-Id = VLAN Id Number
Upon return of an access-accept from RADIUS, based on any method chosen for security, OpenWiFi will dynamically create a VLAN Id as described in Tunnel-Private-Group-Id, associated to the interface role, in this example upstream.