On Mon, 2016-01-18 at 16:22 +0500, Arthur Fayzullin wrote:
> Thanks for such a good explanation! That has pointed my search.
> I have succeeded in integrating freeradius with freeipa with the help of
> William Brown and his blog. Thanks to him :-)
> Links to related articles in his blog:
> first part: https://firstyear.id.au/entry/22
> second part: https://firstyear.id.au/entry/45
>

Sorry, my certs are based on my IPA domain. Try these links if you don't want to temporarily accept.

http://firstyear.id.au/entry/22
http://firstyear.id.au/entry/45

>
> everything works fine. Now it would be fine to define different admin
> levels for different users on different network devices.
> But anyway everything works!!! Thanks to all!

With the setup that I have here you cannot do this. mschapv2 doesn't let you insert vlan tags to the NAS, so as a result you can't do this.

The way that cisco access points and other vendors get around this is that they generally have a wireless controller that does part of the handshake separately to the NAS itself. So as a result, they CAN do vlan assignment based on tags in the access-accept packet, but it's a hack.

If you want to do vlan assignment without access to cisco specific hardware, you'll need to use something that isn't eap. However, most devices require customer profiles in these scenarios (Windows, ios, osx etc). TTLS, for example, cannot be configured on windows out of the box, and ios / osx require enterprise deployment profiles iirc.

You could always set up multiple SSIDs, and have them each auth to a different radius service (default, inner-tunnel ... make a new set).

Then you can have

* wifi -> inner-tunnel
* wifi-admin -> inner-tunnel-admin

You can define different authentication rules then, because you can specify different requirements for group memberships at this point.

Hope this helps,

--
Sincerely,

William Brown
Software Engineer
Red Hat, Brisbane
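The second "set" of virtual servers suggested in the message above, as an added example in FreeRADIUS 3.x syntax; it is not taken from the thread or from the linked blog posts. The port number, the group DN, and a second EAP module instance named `eap-admin` (a copy of the stock `eap` module whose `peap` section sets `virtual_server = "inner-tunnel-admin"`) are all assumptions, as is an `ldap` module already configured for group lookups against the IPA directory.

```conf
# sites-available/default-admin
# Outer server for the "wifi-admin" SSID. The access point is pointed at
# this port instead of the one used by the ordinary "wifi" SSID.
server default-admin {
    listen {
        type = auth
        ipaddr = *
        port = 1822            # assumed free port, pick your own
    }
    authorize {
        filter_username
        eap-admin {
            ok = return
        }
    }
    authenticate {
        eap-admin
    }
}

# sites-available/inner-tunnel-admin
# Inner server reached only through eap-admin, so the group requirement
# below applies to "wifi-admin" and not to the ordinary SSID.
server inner-tunnel-admin {
    authorize {
        filter_username
        mschap
        ldap
        # Hypothetical group DN: reject anyone who is not a member
        # before the MSCHAPv2 exchange continues.
        if (!(LDAP-Group == "cn=network_admins,cn=groups,cn=accounts,dc=example,dc=com")) {
            reject
        }
        eap-admin {
            ok = return
        }
    }
    authenticate {
        Auth-Type MS-CHAP {
            mschap
        }
        eap-admin
    }
}
```

Both files need a symlink in `sites-enabled/`, and `radiusd -XC` checks the resulting configuration before the service is restarted.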
-- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
