panisk0
Member Candidate
Topic Author
Posts: 149
Joined: Sun Mar 06, 2016 10:36 pm
Location: Cracow

CAPsMAN / help or feature request

Sat Mar 10, 2018 1:00 am

For many reasons, it has configurations as below:

                                |--- ssid: ABC --- auth EAP --- user group_1
--- dhcp_server --- bridge_1 ---|
                                |--- ssid: CDE --- auth PSK --- user group_2


Both WLAN networks operate within one bridge with the same IP addresses. I would like to be able to distinguish who connected to which SSID. Maybe as part of access list it would be possible?

/p
 
sindy
Forum Guru
Posts: 11506
Joined: Mon Dec 04, 2017 9:19 pm

Re: CAPsMAN / help or feature request

Sat Mar 10, 2018 1:14 pm

> I would like to be able to distinguish who connected to which SSID.

By "distinguish" you mean "enforce" or "find out"?

By "who" you mean a MAC address of the client or some other ID?

If "enforce" and "mac address" are the right answers:
  • using the CAPsMAN access list you may prevent a given MAC address from connecting to a given SSID or interface name (or a combination of both)
  • as you use EAP, I believe you should be able to control this at the Radius server as I believe that the interface name is also a part of the Radius query.
But unless you give the clients connected to different SSIDs a different treatment, which you don't, I can see no point in such enforcement. So what is your ultimate goal?
 
panisk0

Re: CAPsMAN / help or feature request

Sun Mar 11, 2018 4:55 pm

What's new in 6.42rc39 (2018-Mar-07 07:01):

*) capsman - added support for "interface-list" in Access List and Datapath entries;

/p
 
sindy

Re: CAPsMAN / help or feature request

Sun Mar 11, 2018 6:08 pm

> What's new in 6.42rc39 (2018-Mar-07 07:01):
>
> *) capsman - added support for "interface-list" in Access List and Datapath entries;
>
> /p

In CAPsMAN access list, this feature allows using a single rule for several interfaces, similarly to using regexp for several SSIDs, except that instead of listing the interfaces using regexp (like "wlan1|wlan2"), you re-use the existing "interface list" structure for the same purpose (so if you rename the interfaces later on, you don't need to change the rule). I only have a hazy idea how that could be used for CAPsMAN Datapath.

However, that does not explain what your actual intention/need is, sorry.
 
panisk0

Re: CAPsMAN / help or feature request

Sun Mar 11, 2018 7:03 pm

I have two different authentication methods on two SSID networks. I do not know the MAC addresses of these clients. As part of the same bridge, one DHCP server works. I need customers in ssid: ABC to use a different ACL than in ssid: DEF, that's all.
 
sindy

Re: CAPsMAN / help or feature request

Sun Mar 11, 2018 7:40 pm

> I have two different authentication methods on two ssid networks.

I must be missing something. Using CAPsMAN, as well as using the local wireless configuration, you can create one "physical" AP and several "virtual" APs on each physical wireless interface. The physical one defines the radio parameters (channel width, frequency, modulation/coding schemes) for all, the rest of the parameters (interface name, MAC address, SSID, security profile used) are individual. So for each SSID you create a separate AP and a separate interface name with an individual security profile. So you don't need any Access List handling to configure different authentication methods for two different SSIDs.
 
panisk0

Re: CAPsMAN / help or feature request

Mon Mar 12, 2018 8:38 pm

I have no problem in L2, only in L3. I need to create an ACL in a firewall. It can be based on a list of interfaces. I will wait for a new firmware ...

/p
 
sindy

Re: CAPsMAN / help or feature request

Mon Mar 12, 2018 9:55 pm

> I have no problem in L2 only in L3. I need to create an ACL in a firewall. It can be based on a list of interfaces. I will wait for a new firmware ...
>
> /p

Packets from wireless clients connected to different SSIDs will come from different interfaces. But as both these interfaces are member ports of the same bridge, you have to permit use of ip firewall on the bridge:

/interface bridge settings set use-ip-firewall=yes

After doing that, your firewall filter rules will be able to distinguish between packets from clients of different SSIDs by in-bridge-port value (which matches the interface names).

The feature of the new software you've referred to is not related to this.
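
The approach described in the reply above, written out as an added example that is not part of the original thread: per-SSID firewall rules keyed on the bridge port. The interface names (bridge1, cap-abc, cap-cde, ether1-wan) and the 10.10.10.0/24 server subnet are assumptions, and the CAP interfaces are assumed to forward client traffic to the CAPsMAN router rather than bridging it locally on the CAP.

```routeros
# Added example: all names and addresses below are assumed, not taken from the thread.
#   bridge1    = the bridge holding both CAP interfaces and the DHCP server
#   cap-abc    = CAPsMAN interface carrying SSID ABC (EAP)
#   cap-cde    = CAPsMAN interface carrying SSID CDE (PSK)
#   ether1-wan = uplink port

# Pass bridged traffic through /ip firewall so in-bridge-port can match.
# Bridged frames now traverse the IP firewall, which costs CPU.
/interface bridge settings set use-ip-firewall=yes

/ip firewall filter
add chain=forward action=accept connection-state=established,related \
    comment="return traffic"
# SSID ABC (EAP) clients may reach the internal server subnet
add chain=forward action=accept in-interface=bridge1 in-bridge-port=cap-abc \
    dst-address=10.10.10.0/24 comment="ABC -> servers"
# SSID CDE (PSK) clients may not
add chain=forward action=drop in-interface=bridge1 in-bridge-port=cap-cde \
    dst-address=10.10.10.0/24 comment="CDE -x servers"
# Both SSIDs get Internet access
add chain=forward action=accept in-interface=bridge1 out-interface=ether1-wan \
    comment="WLAN -> Internet"
# Everything else entering via the bridge is dropped. With use-ip-firewall=yes
# this also covers frames bridged between cap-abc and cap-cde (client to client).
add chain=forward action=drop in-interface=bridge1 comment="default deny from WLAN"
```

DHCP requests to the router itself go through the input chain, so these forward-chain rules do not affect address assignment.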
 
panisk0

Re: CAPsMAN / help or feature request

Mon Mar 19, 2018 7:09 pm

MT_cap_cl.png

end of the topic