Technical data
158 Meru System Director Configuration Guide © 2012 Meru Networks, Inc.
Radius Authentication
Configure Radius Accounting for Captive Portal
See Configure Radius Accounting for Captive Portal.
Radius-Based ESS Profile Restriction
This feature gives a controller the capability to restrict wireless clients attempting
connection through Radius based ESS profiles; the clients can connect only to certain
SSIDs as returned in a Radius Accept message.
With this system, there is one Radius server and multiple ESS profiles with 802.1X
security using this Radius Server. In absence of the RSSID feature, all wireless clients
provisioned in the Radius Server have access to all ESS profiles and hence all associ-
ated VLANS. With SSID restriction, the Radius server can be further configured for
each of these wireless clients specifying the SSIDs they can connect with.
You can use a Radius server to restrict SSID connection using VSA in the Radius Accept
message. There are three possible conditions for an SSID:
EAP Message Returned by Radius server
Tunnel-Medium-Type
Indicates the transport medium like ipv4, ipv6. In CP, valid only
if VPN is set. Also sent in Access-Request in case of CP.
Tunnel-Type
The type of tunnel, in our case should be VLAN i.e. 13. If
anything else is received, treat as ACCESS-REJECT. In CP, valid
only if VPN is set. Also sent in Access-Request in case of CP.
Tunnel-Private-Group
Receives the Vlan ID from this attribute (Does not apply for
Captive Portal)
Framed-Compression
Indicates the compression protocol that is being used. In our
case, NONE
Idle-Timeout Use this to calculate client idle time and knock the client off.
Table 10: Radius Authentication Attributes
Radius Attribute Description
Radius Server is sending: Results in:
No list of acceptable SSIDs Connection is accepted
A list of acceptable SSIDs that
includes the ID
Connection is accepted