Jerry, I hate to be a pain, but what you have implemented atm is my next task with freeradius.
Would you mind linking any howtos you use? Thanks. Also, how do you get freeradius to find a user's group and then report it back to the Cisco / AP so it can decide what vlan the client belongs on?

Many thanks in advance.

On 4/14/07, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
> > Message of 13/04/07 at 11:43
> > From: "Kostas Kalevras"
> > To: [EMAIL PROTECTED], "FreeRadius users mailing list"
> > Cc:
> > Subject: Re: assigning vlan based on NAS and LDAP field?
> >
> > Matt Ashfield wrote:
> > > Hi all,
> > >
> > > We're using FR authenticating against LDAP to implement our wireless
> > > solution. Basically, we are looking at the LDAP field of record type and
> > > determining if it is a staff or a student, and assigning a vlan based on
> > > that. Pretty simple and it works. However, there are two issues with this:
> > >
> > > 1. We have a sister campus, on a different network, but who are sharing the
> > > same FR and LDAP servers for authentication. Obviously their NAS's are
> > > different than ours because we're in different physical locations and
> > > networks. With our current configuration, it looks like we have to define
> > > the exact same vlan IDs and the same vlan eligibility rules (i.e. staff get
> > > vlan x and student get vlan y) in order for this to work. I guess I'm hoping
> > > there is a way to assign different vlans based on the NAS ip address in
> > > addition to the student/staff distinction.
> >
> > You can use multiple ldap module instances and set Autz-Type depending on
> > the nas ip address (or better yet huntgroups)
> >
> > > 2. This follows into our future wired side implementation of 802.1x. In this
> > > case, we don't want our staff/student wired users to be assigned to the same
> > > vlans as they would be if they were on wireless. Rather we'd prefer to break
> > > them up based on their NAS or something like that.
> > >
> > > Anyways, I realize this is quite an odd situation, but probably quite
> > > similar to what many EDU people are encountering. Any help/advice is greatly
> > > appreciated.
>
> you have to find an attribute in the radius nas request that will
> differentiate a wifi connection and a wired 802.1x connection:
>
> for me it is
>
> NAS-Port-Type = Wireless-802.11 for wifi
>
> and
>
> NAS-Port-Type = ethernet for wired 802.1x
>
> depending on this you send a vlan or another in the radius response.
>
> but you still can do it depending on the nas IP
>
> Thomas
>
> > > Thanks
> > > Matt
> > > [EMAIL PROTECTED]
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html