> Message of 13/04/07 at 11:43
> From: "Kostas Kalevras"
> To: [EMAIL PROTECTED], "FreeRadius users mailing list"
> Cc:
> Subject: Re: assigning vlan based on NAS and LDAP field?
>
> Matt Ashfield wrote:
> > Hi all,
> >
> > We're using FR authenticating against LDAP to implement our wireless
> > solution. Basically, we are looking at the LDAP field of record type and
> > determining if it is a staff or a student, and assigning a vlan based on
> > that. Pretty simple and it works. However, there are two issues with this:
> >
> > 1. We have a sister campus, on a different network, but who are sharing the
> > same FR and LDAP servers for authentication. Obviously their NAS's are
> > different than ours because we're in different physical locations and
> > networks. With our current configuration, it looks like we have to define
> > the exact same vlan IDs and the same vlan eligibility rules (i.e. staff get
> > vlan x and student get vlan y) in order for this to work. I guess I'm hoping
> > there is a way to assign different vlans based on the NAS ip address in
> > addition to the student/staff distinction.
>
> You can use multiple ldap module instances and set Autz-Type depending on
> the nas ip address (or better yet huntgroups)
>
> > 2. This follows into our future wired side implementation of 802.1x. In this
> > case, we don't want our staff/student wired users to be assigned to the same
> > vlans as they would be if they were on wireless. Rather we'd prefer to break
> > them up based on their NAS or something like that.
> >
> > Anyways, I realize this is quite an odd situation, but probably quite
> > similar to what many EDU people are encountering. Any help/advice is greatly
> > appreciated.

You have to find an attribute in the radius nas request that will differentiate
a wifi connection and a wired 802.1x connection.
For me it is
NAS-Port-Type = Wireless-802.11 for wifi
and
NAS-Port-Type = ethernet for wired 802.1x.
Depending on this you send one vlan or another in the radius response.
But you can still do it depending on the nas IP.

Thomas


> > Thanks
> >
> > Matt
> > [EMAIL PROTECTED]

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
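
A sketch of the approach discussed in this thread (huntgroups per site plus NAS-Port-Type per medium), added here as an example and not taken from any poster's configuration. The huntgroup names, NAS addresses, VLAN IDs and the use of `Ldap-Group` for the staff/student split are assumptions; the original poster keys on an LDAP record-type field instead, and `Ldap-Group` needs group lookup configured in the ldap module.

```conf
# --- raddb/huntgroups: group each campus's NAS devices (constructed addresses) ---
campus-a    NAS-IP-Address == 192.0.2.10
campus-a    NAS-IP-Address == 192.0.2.11
campus-b    NAS-IP-Address == 198.51.100.10

# --- raddb/users: first matching entry wins (no Fall-Through set) ---
# VLAN IDs below are constructed placeholders.

# Campus A, wireless
DEFAULT Huntgroup-Name == "campus-a", NAS-Port-Type == Wireless-802.11, Ldap-Group == "staff"
        Tunnel-Type = VLAN,
        Tunnel-Medium-Type = IEEE-802,
        Tunnel-Private-Group-Id = "110"

DEFAULT Huntgroup-Name == "campus-a", NAS-Port-Type == Wireless-802.11, Ldap-Group == "student"
        Tunnel-Type = VLAN,
        Tunnel-Medium-Type = IEEE-802,
        Tunnel-Private-Group-Id = "120"

# Campus A, wired 802.1x: same people, different VLANs than on wireless
DEFAULT Huntgroup-Name == "campus-a", NAS-Port-Type == Ethernet, Ldap-Group == "staff"
        Tunnel-Type = VLAN,
        Tunnel-Medium-Type = IEEE-802,
        Tunnel-Private-Group-Id = "210"

DEFAULT Huntgroup-Name == "campus-a", NAS-Port-Type == Ethernet, Ldap-Group == "student"
        Tunnel-Type = VLAN,
        Tunnel-Medium-Type = IEEE-802,
        Tunnel-Private-Group-Id = "220"

# Campus B, wireless: its own VLAN numbering, independent of campus A
DEFAULT Huntgroup-Name == "campus-b", NAS-Port-Type == Wireless-802.11, Ldap-Group == "staff"
        Tunnel-Type = VLAN,
        Tunnel-Medium-Type = IEEE-802,
        Tunnel-Private-Group-Id = "31"

DEFAULT Huntgroup-Name == "campus-b", NAS-Port-Type == Wireless-802.11, Ldap-Group == "student"
        Tunnel-Type = VLAN,
        Tunnel-Medium-Type = IEEE-802,
        Tunnel-Private-Group-Id = "32"

# Catch-all: a request from an unlisted NAS, an unexpected port type, or a user
# in neither group is rejected instead of being accepted with no VLAN assigned.
DEFAULT Auth-Type := Reject
        Reply-Message = "No VLAN policy for this NAS / port type"
```

The explicit reject at the end matters because an accepted request that carries no tunnel attributes leaves the port in whatever VLAN the switch or access point is configured to use by default.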