TIP OpenWiFi 2.0
In many deployments, user authentication is centralized on RADIUS. Subscribers may also need to land on their own network or on a private network, and a common way to do this is to assign a VLAN dynamically to each Wi-Fi subscriber as it joins the OpenWiFi network.
To configure dynamic VLANs with RADIUS, attach RADIUS authentication to the SSID and place that SSID on an interface with the "upstream" role, since dynamic VLANs normally need to extend across the service provider, venue or enterprise network rather than stay local to the AP.
An OpenWiFi device treats a subscriber as having a RADIUS-assigned VLAN when the Access-Accept carries the following attribute value pairs (the RFC 2868 tunnel attributes as used for VLAN assignment in RFC 3580):
Tunnel-Type = 13 (VLAN)
Tunnel-Medium-Type = 6 (IEEE 802)
Tunnel-Private-Group-Id = VLAN ID number, carried as a string
On receiving such an Access-Accept, whatever security method the SSID uses, OpenWiFi creates the VLAN named in Tunnel-Private-Group-Id on the interface with the chosen role (upstream in this example) and places the subscriber on it. Only an Access-Accept whose Response Authenticator validates against the shared secret should be acted on; the VLAN placement is only as trustworthy as that check and the secret behind it.
When deploying headless devices such as IoT services, MAC-based authentication on a dedicated SSID may be required. TIP OpenWiFi supports MAC-Auth on any SSID whose RADIUS parameters set "mac-filter" to true: the AP sends the station's MAC address to the RADIUS server and admits the station only on an Access-Accept. A MAC address is trivially spoofed, so treat MAC-Auth as device identification rather than strong authentication and keep such SSIDs on their own VLAN.
Example
OpenWiFi supports the WISPr attribute value pairs (AVPs) for setting per-subscriber bandwidth in the uplink and downlink directions.
Provided the SSID is configured for RADIUS authentication, any Access-Accept returned with WISPr-Bandwidth-Max-Up and WISPr-Bandwidth-Max-Down values (vendor-specific attributes under WISPr vendor ID 14122, expressed in bits per second) causes OpenWiFi to restrict that subscriber's traffic to those rates.
RADIUS Subscriber WISPr Speed Definition:
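The two Access-Accept checks described above, the dynamic VLAN assignment and the WISPr rate limits, as an added example that is not part of this page or of OpenWiFi's code. It builds a constructed Access-Accept with a fixed Request Authenticator and shared secret, verifies the Response Authenticator before trusting anything in the packet (without that check a spoofed reply could drop a client onto a privileged VLAN or lift its rate limit), and then extracts the VLAN from the tagged tunnel attributes and the WISPr-Bandwidth-Max-Up/Down values (vendor ID 14122, vendor attributes 7 and 8, bits per second). The helper names, sample values and the `parse_access_accept` function are this example's own.

```python
"""Verify and parse a RADIUS Access-Accept as an access point must before acting
on it: check the Response Authenticator with the shared secret, then extract the
dynamic-VLAN tunnel attributes and the WISPr bandwidth VSAs. Example code only."""
import hashlib
import hmac
import struct

ACCESS_ACCEPT = 2
ATTR_VENDOR_SPECIFIC = 26
ATTR_TUNNEL_TYPE = 64
ATTR_TUNNEL_MEDIUM_TYPE = 65
ATTR_TUNNEL_PRIVATE_GROUP_ID = 81
TUNNEL_TYPE_VLAN = 13          # RFC 2868 Tunnel-Type: Virtual LANs
TUNNEL_MEDIUM_IEEE_802 = 6     # RFC 2868 Tunnel-Medium-Type: 802 media
WISPR_VENDOR_ID = 14122
WISPR_BANDWIDTH_MAX_UP = 7     # WISPr VSA, value in bits per second
WISPR_BANDWIDTH_MAX_DOWN = 8   # WISPr VSA, value in bits per second


def attr(atype, value):
    """Encode one attribute: Type, Length (including this 2-byte header), Value."""
    return bytes([atype, 2 + len(value)]) + value


def vsa(vendor_id, vtype, value):
    """Encode a Vendor-Specific attribute in the usual Vendor-Type/Vendor-Length form."""
    inner = bytes([vtype, 2 + len(value)]) + value
    return attr(ATTR_VENDOR_SPECIFIC, vendor_id.to_bytes(4, "big") + inner)


def tagged_int(tag, value):
    """RFC 2868 tagged integer: one tag byte followed by a 3-byte value."""
    return bytes([tag]) + value.to_bytes(3, "big")


def iter_attrs(blob):
    """Yield (type, value) pairs, rejecting malformed lengths instead of over-reading."""
    i = 0
    while i < len(blob):
        if i + 2 > len(blob):
            raise ValueError("truncated attribute header")
        atype, alen = blob[i], blob[i + 1]
        if alen < 2 or i + alen > len(blob):
            raise ValueError("bad attribute length for type %d" % atype)
        yield atype, blob[i + 2:i + alen]
        i += alen


def build_access_accept(ident, request_authenticator, secret, attrs):
    """Server side: Response Authenticator = MD5(Code|ID|Length|RequestAuth|Attrs|Secret)."""
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs))
    resp_auth = hashlib.md5(header + request_authenticator + attrs + secret).digest()
    return header + resp_auth + attrs


def verify_response(packet, request_authenticator, secret):
    """AP side: a packet whose Response Authenticator does not recompute is spoofed,
    corrupted or not a reply to our request, and must be discarded unread."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + request_authenticator + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def parse_access_accept(packet, request_authenticator, secret):
    """Return {'vlan', 'max_up', 'max_down'} from an authenticated Access-Accept.
    A VLAN is accepted only when Tunnel-Type=VLAN and Tunnel-Medium-Type=802 carry
    the same tag as Tunnel-Private-Group-Id and the ID is a valid VLAN number."""
    if not verify_response(packet, request_authenticator, secret):
        raise ValueError("Response Authenticator mismatch: discarding packet")
    if packet[0] != ACCESS_ACCEPT:
        raise ValueError("not an Access-Accept (code %d)" % packet[0])
    ttype, medium, group = {}, {}, {}
    result = {"vlan": None, "max_up": None, "max_down": None}
    for atype, val in iter_attrs(packet[20:]):
        if atype in (ATTR_TUNNEL_TYPE, ATTR_TUNNEL_MEDIUM_TYPE) and len(val) == 4:
            store = ttype if atype == ATTR_TUNNEL_TYPE else medium
            store[val[0]] = int.from_bytes(val[1:], "big")
        elif atype == ATTR_TUNNEL_PRIVATE_GROUP_ID and val:
            # The first byte is a tag only if it is <= 0x1F; otherwise it belongs to the string.
            tag, text = (val[0], val[1:]) if val[0] <= 0x1F else (0, val)
            group[tag] = text
        elif atype == ATTR_VENDOR_SPECIFIC and len(val) >= 4 and int.from_bytes(val[:4], "big") == WISPR_VENDOR_ID:
            for vtype, vval in iter_attrs(val[4:]):
                if vtype == WISPR_BANDWIDTH_MAX_UP and len(vval) == 4:
                    result["max_up"] = int.from_bytes(vval, "big")
                elif vtype == WISPR_BANDWIDTH_MAX_DOWN and len(vval) == 4:
                    result["max_down"] = int.from_bytes(vval, "big")
    for tag, text in group.items():
        if ttype.get(tag) == TUNNEL_TYPE_VLAN and medium.get(tag) == TUNNEL_MEDIUM_IEEE_802:
            if text.isdigit() and 1 <= int(text) <= 4094:
                result["vlan"] = int(text)
                break
    return result


# Constructed sample exchange (not a real capture): the Request Authenticator the
# AP sent, the shared secret, and a reply assigning VLAN 100 at 2 Mbit/s up, 10 Mbit/s down.
REQUEST_AUTHENTICATOR = bytes(range(16))
SECRET = b"testing123"
SAMPLE_ATTRS = (
    attr(ATTR_TUNNEL_TYPE, tagged_int(0, TUNNEL_TYPE_VLAN))
    + attr(ATTR_TUNNEL_MEDIUM_TYPE, tagged_int(0, TUNNEL_MEDIUM_IEEE_802))
    + attr(ATTR_TUNNEL_PRIVATE_GROUP_ID, b"100")   # untagged form: first byte is '1'
    + vsa(WISPR_VENDOR_ID, WISPR_BANDWIDTH_MAX_UP, (2_000_000).to_bytes(4, "big"))
    + vsa(WISPR_VENDOR_ID, WISPR_BANDWIDTH_MAX_DOWN, (10_000_000).to_bytes(4, "big"))
)
SAMPLE_ACCEPT = build_access_accept(7, REQUEST_AUTHENTICATOR, SECRET, SAMPLE_ATTRS)

if __name__ == "__main__":
    print(parse_access_accept(SAMPLE_ACCEPT, REQUEST_AUTHENTICATOR, SECRET))
```

The tag handling matters in practice: servers may send Tunnel-Private-Group-Id with a leading tag byte of 0x00 or 0x01, or with no tag byte at all, and the parser accepts all three while still requiring the VLAN-type and 802-medium attributes to share the tag. Flipping any byte of the reply, including the rate values, makes the authenticator check fail and the reply is dropped rather than partially applied.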
When authenticating clients against back-office RADIUS systems, OpenWiFi is configured on a per-SSID basis.
Many parameters are possible, given the many RADIUS and EAP methods in use worldwide. The configuration options are described below.
nas-identifier
    NAS-Identifier sent to the RADIUS server; use a value unique to each AP
chargeable-user-id
    Request a Chargeable-User-Identity from the server (RFC 4372)
local
    Local RADIUS server running on the AP itself
    server-identity
        Identity of the local EAP server
    users
        Local EAP users, each defined by username, pre-shared key and VLAN id
authentication
    RADIUS server used for Access-Request / Access-Accept
    host
        IP address of the server
    port
        UDP port (for example 1812)
    secret
        Shared secret with the RADIUS server
    request-attribute
        Additional attributes included in every Access-Request
        id
            Numeric RADIUS attribute type
        value
            Attribute value, given as an integer
accounting
    RADIUS server used for Accounting-Request
    host
        IP address of the server
    port
        UDP port (for example 1813)
    secret
        Shared secret with the RADIUS server
    request-attribute
        Additional attributes included in every Accounting-Request, in the same id / value form as above
    interval
        Interim accounting interval in seconds
When a venue supports client mobility, it is desirable that moving from one AP to another does not force a full re-authentication.
The Multi-PSK feature provides this locally: each subscriber authenticates with their own PSK and so lands on a private network. The same function can be served by RADIUS, which scales to large venue topologies.
The protocol type for this mode is psk2-radius. Add the RADIUS server appropriate for the network; the AP looks up each station's PSK on that server (in hostapd, which the OpenWiFi AP firmware uses, this is a MAC-based Access-Request answered with the PSK in the Tunnel-Password attribute).
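A constructed configuration check covering the per-SSID RADIUS parameters listed above, the MAC-Auth SSID and the psk2-radius case, as added example code that is not OpenWiFi's own tooling. Hosts, secrets, SSID names and the `radius_server` / `check_interface` helpers are this example's own; the placement of `mac-filter` under `authentication` and of `psk2-radius` under `encryption.proto` is assumed from the page's wording rather than taken from the schema, so confirm both against the schema of your release. The checks encode what the page states (psk2-radius and MAC-Auth need a RADIUS server, RADIUS-assigned VLANs need the upstream role, accounting interval in seconds, integer attribute ids and values) plus a minimum secret length, which is a recommendation rather than a platform limit.

```python
"""Assemble and sanity-check an OpenWiFi interface whose SSIDs use RADIUS, with the
parameter names from this page. Example code, not OpenWiFi tooling: the placement of
"mac-filter" (under authentication) and of psk2-radius (as encryption.proto) is
assumed from the page's wording; confirm both against the schema of your release."""

# Recommendation, not a platform limit: RADIUS hides passwords with MD5(secret||authenticator),
# and a captured exchange lets an attacker guess a short secret offline.
MIN_SECRET_LEN = 16


def radius_server(host, port, secret, request_attributes=(), interval=None, mac_filter=None):
    """One RADIUS server entry. request_attributes are (id, value) pairs added to every
    request, id being the numeric attribute type; interval is the interim accounting
    interval in seconds and belongs only on the accounting entry."""
    entry = {"host": host, "port": port, "secret": secret}
    if request_attributes:
        entry["request-attribute"] = [{"id": i, "value": v} for i, v in request_attributes]
    if interval is not None:
        entry["interval"] = interval
    if mac_filter is not None:
        entry["mac-filter"] = mac_filter
    return entry


def check_server(path, srv, swapped_port):
    """Checks common to authentication and accounting entries."""
    out = []
    if not isinstance(srv.get("secret"), str) or len(srv["secret"]) < MIN_SECRET_LEN:
        out.append("%s: shared secret shorter than %d characters" % (path, MIN_SECRET_LEN))
    if srv.get("port") == swapped_port:
        out.append("%s: port %d looks like the authentication/accounting ports are swapped" % (path, swapped_port))
    for ra in srv.get("request-attribute", []):
        if not (isinstance(ra.get("id"), int) and 1 <= ra["id"] <= 255 and isinstance(ra.get("value"), int)):
            out.append("%s: request-attribute needs an integer id (1-255) and integer value: %r" % (path, ra))
    return out


def check_interface(iface):
    """Return the problems found in an interface and its SSIDs; an empty list is clean."""
    problems = []
    role = iface.get("role")
    for ssid in iface.get("ssids", []):
        name = ssid.get("name", "?")
        radius = ssid.get("radius", {})
        auth, acct = radius.get("authentication"), radius.get("accounting")
        proto = ssid.get("encryption", {}).get("proto")
        if proto == "psk2-radius" and not auth:
            problems.append("%s: psk2-radius requires radius.authentication" % name)
        if (auth or proto == "psk2-radius") and role != "upstream":
            problems.append("%s: RADIUS-assigned VLANs need interface role 'upstream', found %r" % (name, role))
        if auth:
            problems.extend(check_server(name + ".authentication", auth, 1813))
        if acct:
            problems.extend(check_server(name + ".accounting", acct, 1812))
            if "interval" not in acct:
                problems.append("%s: accounting has no interval, so only start/stop records are sent" % name)
    return problems


# Constructed examples: hosts, secrets and names are placeholders, not taken from the page.
WEAK_INTERFACE = {
    "name": "LAN", "role": "downstream",
    "ssids": [{
        "name": "venue-private",
        "encryption": {"proto": "psk2-radius"},
        "radius": {"nas-identifier": "ap-01",
                   "accounting": radius_server("10.0.0.5", 1812, "s3cret")},
    }],
}

AUTH_SECRET = "venue-radius-secret-example-2024"
GOOD_INTERFACE = {
    "name": "WAN", "role": "upstream",
    "ssids": [
        {"name": "venue-private",
         "encryption": {"proto": "psk2-radius"},
         "radius": {"nas-identifier": "ap-01", "chargeable-user-id": True,
                    # NAS-Port-Type (61) = Wireless-802.11 (19) on every Access-Request
                    "authentication": radius_server("10.0.0.5", 1812, AUTH_SECRET, request_attributes=[(61, 19)]),
                    "accounting": radius_server("10.0.0.5", 1813, AUTH_SECRET, interval=600)}},
        {"name": "iot-mac-auth",
         "encryption": {"proto": "psk2", "key": "iot-psk-placeholder-only"},
         "radius": {"nas-identifier": "ap-01",
                    "authentication": radius_server("10.0.0.5", 1812, AUTH_SECRET, mac_filter=True)}},
    ],
}

if __name__ == "__main__":
    for line in check_interface(WEAK_INTERFACE):
        print("WEAK:", line)
    print("GOOD:", check_interface(GOOD_INTERFACE) or "no problems")
```

Running the block reports five findings for the weak interface (missing authentication server for psk2-radius, wrong interface role, short accounting secret, accounting pointed at the authentication port, no interim interval) and none for the corrected one; the same `check_interface` call can be run over a whole configuration before it is pushed to the AP.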