Both WLAN networks operate within one bridge with the same IP addresses. I would like to be able to distinguish who connected to which SSID. Maybe it would be possible as part of an access list?
By “distinguish” you mean “enforce” or “find out”?
By “who” you mean a MAC address of the client or some other ID?
If “enforce” and “mac address” are the right answers:
Using the CAPsMAN access list, you may prevent a given MAC address from connecting to a given SSID or interface name (or a combination of both).
As you use EAP, I believe you should be able to control this at the RADIUS server, as I believe that the interface name is also a part of the RADIUS query.
But unless you give the clients connected to different SSIDs a different treatment, which you don’t, I can see no point in such enforcement. So what is your ultimate goal?
In the CAPsMAN access list, this feature allows you to use a single rule for several interfaces, similarly to using regexp for several SSIDs, except that instead of listing the interfaces using regexp (like “wlan1|wlan2”), you re-use the existing “interface list” structure for the same purpose (so if you rename the interfaces later on, you don’t need to change the rule). I only have a hazy idea how that could be used for CAPsMAN Datapath.
However, that does not explain what your actual intention/need is, sorry.
I have two different authentication methods on two SSID networks. I do not know the MAC addresses of these clients. As part of the same bridge, one DHCP server works. I need customers in SSID ABC to use a different ACL than those in SSID DEF, that’s all.
I must be missing something. Using CAPsMAN, as well as using the local wireless configuration, you can create one “physical” AP and several “virtual” APs on each physical wireless interface. The physical one defines the radio parameters (channel width, frequency, modulation/coding schemes) for all, the rest of the parameters (interface name, MAC address, SSID, security profile used) are individual. So for each SSID you create a separate AP and a separate interface name with an individual security profile. So you don’t need any Access List handling to configure different authentication methods for two different SSIDs.
Packets from wireless clients connected to different SSIDs will come from different interfaces. But as both these interfaces are member ports of the same bridge, you have to permit use of the IP firewall on the bridge:
/interface bridge settings set use-ip-firewall=yes
After doing that, your firewall filter rules will be able to distinguish between packets from clients of different SSIDs by the in-bridge-port value (which matches the interface names).
The feature of the new software you’ve referred to is not related to this.
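The per-SSID filtering described in the post above, written out as an added example that is not part of the original thread. The interface names cap-ABC and cap-DEF (the bridge ports carrying SSID ABC and SSID DEF) and the subnet 10.0.10.0/24 are assumptions made up for illustration.

```routeros
# Added example. Constructed names: cap-ABC and cap-DEF are the per-SSID
# interfaces (both ports of the same bridge); 10.0.10.0/24 is a constructed
# internal subnet that only SSID DEF clients may reach.

# Let traffic entering through bridge ports traverse the IP firewall,
# otherwise in-bridge-port never matches.
/interface bridge settings set use-ip-firewall=yes

/ip firewall filter
# Replies belonging to already permitted connections pass for both SSIDs.
add chain=forward connection-state=established,related action=accept \
    comment="allow replies"
# SSID ABC: no new connections to the internal subnet, everything else allowed.
add chain=forward in-bridge-port=cap-ABC dst-address=10.0.10.0/24 \
    action=drop comment="ABC: block internal subnet"
add chain=forward in-bridge-port=cap-ABC action=accept \
    comment="ABC: allow the rest"
# SSID DEF: unrestricted.
add chain=forward in-bridge-port=cap-DEF action=accept \
    comment="DEF: allow all"
```

Rule order matters because the first matching rule wins; the per-rule packet counters shown by `/ip firewall filter print stats` confirm which SSID's traffic hits which rule.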