As of LCOS version 9.10, you have the option to communicate the user's source VLAN to the Public Spot via an external gateway, and to forward the VLAN-ID dependent authentication to an external RADIUS server.
- SOURCE_VLAN (optional, only in conjunction with authentication by RADIUS server)
- The VLAN ID of the network from which a Public Spot user attempts to login (source VLAN). The Public Spot forwards the source VLAN in its access request to the internal or external RADIUS server. The Public Spot uses the RADIUS attribute 81 (tunnel-private-group-ID) together with the RADIUS attributes 64 (tunnel-type) and 65 (tunnel-medium-type). The RADIUS server uses the source VLAN to decide whether to accept or decline the access request from the Public Spot.If the RADIUS server accepts the request, it returns an access-accept with the RADIUS attributes mentioned above to the Public Spot. The Public Spot then saves the source VLAN for the client and its station list and allows the user to access the Public Spot network.
-
Tip: Use the source VLAN in conjunction with the setup parameter 2.24.47. This prevents Public Spot users in VLAN-separated Public Spot networks/SSIDs from authenticating once at the RADIUS server and then accessing all of the managed Public Spot networks/SSIDs.
-
Note: The SOURCE_VLAN should not be confused with the VLAN_ID. The VLAN_ID is not sent to the RADIUS server. However, the Public Spot uses it to assign a VLAN ID provided by the gateway to a successfully authenticated user.
For internal checking, the Public Spot stores the source VLAN to its station table as soon as the external RADIUS server has accepted the authentication request. If a user then switches to a different Public Spot network/SSID with a VLAN-ID which is different to that stored, then the Public Spot sets the user to "unauthenticated" and displays the login page again at the next opportunity.