Automatically Disassociating Users from a Wireless Network
Last Post: January 28, 2008:
-
Hello's
A brief desc. of the scenario, and what is being attempted.
The wireless System in Place is 3com but is actually Trapeze. 3com OEM from Trapeze, backend RADIUS server is MSFT Windows 2003 and Windows 2003 AD servers.
Scenario 1: Students log in, their credentials are passed to the radius server by the wireless switch. After successful authentication users are placed in a VLAN with no restrictions. Up to this point everything works fine.
Scenario 2: Students are taking a class where the instructor requires restrictions. E.g. Access allowed only to Chemistry Server. Their credentials are passed to the radius server by the wireless switch. After successful authentication users are placed in a VLAN which restricts access to only the chemistry servers. Up to this point everything works fine.
The Challenge: Assume the student is currently in a class where no restrictions are required. The next class right after this class is a class where restrictions are required. To enforce Scenario 2 I have to either Forcefully log the user off the network, OR find a way to Disassociate them from the wireless network, such that when they associate next, they will be placed in the restricted VLAN. I would prefer a way to disassociate the user from the network. Is this possible from a RADIUS server standpoint?
I'm trying to automate this process as much as possible and I'm thus looking for ways to disassociate the user from a RADIUS / AD perspective.
Thanks much for your time
Blue.
-
Create a new SSID for the chemistry class. Users once associated to "CWNPUniversity" SSID will be forced to disassociate and then associate to the new Chemistry SSID and can thus be placed in the correct VLAN - that is if they want access to the Chemistry class network resources.
In a way this kind of goes against the grain of the normal WLAN / mobile mentality. I know of no way to allow roaming but force VLAN/User group changes on the backend.
Hope it helps ...
-
Thanks for your response.
We initially tried the method you proposed and it was not found to be a seamless experience for the users. For starters we would have to create SSIDs for EACH class we wanted to put restrictions on since the restrictions are different based on class. This would create numerous SSIDs and too much clutter.
I'm hopefully looking for a way to disconnect users using the RADIUS server. IF the RADIUS server can send a disconnect to the wireless switch for a particular user at a particular time then the user could be disassociated from the AP, and when he re-associates again he is placed in a different VLAN.
thanks again for your response.
Andrew.
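
The server-initiated disconnect asked about in the post above is defined for RADIUS as the Disconnect-Request of RFC 5176 (Dynamic Authorization). As an added example that is not part of the original thread, the code below builds such a packet and shows the authenticator check the receiving switch performs. The shared secret, user name and MAC address are constructed values, and whether a given 3Com/Trapeze switch accepts these messages is an assumption to check against its documentation.

```python
import hashlib
import hmac
import struct

DISCONNECT_REQUEST = 40  # RFC 5176 code; ACK is 41, NAK is 42; sent to UDP 3799
USER_NAME, CALLING_STATION_ID = 1, 31  # RADIUS attribute types


def _attr(attr_type: int, value: bytes) -> bytes:
    """Encode one attribute as Type, Length, Value (Length covers all three)."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_disconnect_request(secret: bytes, identifier: int,
                             user_name: str, station_mac: str) -> bytes:
    """Build a Disconnect-Request naming one session by user and client MAC."""
    attrs = (_attr(USER_NAME, user_name.encode())
             + _attr(CALLING_STATION_ID, station_mac.encode()))
    header = struct.pack("!BBH", DISCONNECT_REQUEST, identifier, 20 + len(attrs))
    # Request Authenticator: MD5 over the packet with 16 zero octets in the
    # authenticator field, followed by the shared secret (as in accounting).
    auth = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return header + auth + attrs


def verify_disconnect_request(packet: bytes, secret: bytes) -> bool:
    """Switch-side check: accept only packets made with the shared secret."""
    if len(packet) < 20:
        return False
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != DISCONNECT_REQUEST or length != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def parse_attributes(packet: bytes) -> dict:
    """Return {attribute type: value} for the session-identifying attributes."""
    attrs, pos = {}, 20
    while pos < len(packet):
        if pos + 2 > len(packet) or packet[pos + 1] < 2 or pos + packet[pos + 1] > len(packet):
            raise ValueError("malformed attribute")
        a_type, a_len = packet[pos], packet[pos + 1]
        attrs[a_type] = packet[pos + 2:pos + a_len]
        pos += a_len
    return attrs
```

Because the authenticator depends on the shared secret, the switch should accept Disconnect-Requests only from the configured RADIUS server address, and the secret should be long and unique to that server and switch pair.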