To be clear, I know that dynamic transition between
registration/isolation/normal VLANs works. What I want is to change the
"normal" VLAN dynamically based on the current 802.1X credentials. Ideally,
this code would only need to run when ($current_subject ne $previous_subject);
otherwise, it would have to run every single time, which is what my non-PF
FreeRADIUS server does now.
The logic of the post_auth in my current hand-coded FreeRADIUS rlm looks like:
# This first part could certainly be handled by stock PF code
If the username or MAC address is flagged as a violator {
    Return isolation VLAN
}
# Maybe this could be done with categories or a custom column in the node table,
# or I could just copy my existing code to pf::vlan::custom
If the MAC address (Calling-Station-ID) exists in our College inventory database {
    # Sysadmins and others get a special VLAN
    If username is on a special list {
        Return special VLAN deep within the firewall
    } Else If LDAP role of the user is "staff" {
        Return work VLAN
    }
} Else If they are authenticated to a local realm {
    Return default VLAN for students, etc
# Otherwise, we are an eduroam-authenticated visitor from another institution
} Else {
    Return guest VLAN that can access Internet but not certain local resources
}
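The same decision tree as a standalone rlm_perl sketch, added here as an example (it is not code from the original post or from PacketFence): normalize_mac, split_realm and the %LOOKUPS hooks are assumptions, the VLAN ids are placeholders, and an inventoried device that matches neither owner rule falls through to the realm check.

```perl
use strict;
use warnings;
use constant RLM_MODULE_UPDATED => 8;   # rlm_perl return code: reply attributes updated
our (%RAD_REQUEST, %RAD_REPLY);         # populated by rlm_perl at request time
our %LOOKUPS;                           # your code refs, see choose_vlan()
# VLAN ids are placeholders for this example.
my %VLAN = (isolation => 99, special => 10, work => 20, students => 30, guest => 40);

# Calling-Station-Id arrives as 00-11-22-33-44-55, 0011.2233.4455 or
# 00:11:22:33:44:55 depending on the switch; normalise to aa:bb:cc:dd:ee:ff.
sub normalize_mac {
    my ($raw) = @_;
    (my $hex = lc($raw // '')) =~ s/[^0-9a-f]//g;
    return length($hex) == 12 ? join(':', unpack('(A2)*', $hex)) : undef;
}

# Split user@realm on the last '@'; a bare username has no realm.
sub split_realm {
    my ($user_name) = @_;
    return ($user_name, undef) unless defined $user_name && $user_name =~ /^(.*)\@([^@]+)$/;
    return ($1, lc $2);
}
# $lookups is a hashref of hypothetical code refs you supply:
#   is_violator($user_name, $mac), in_inventory($mac), is_special($user),
#   ldap_role($user), is_local_realm($realm)
sub choose_vlan {
    my ($calling_station_id, $user_name, $lookups) = @_;
    my $mac = normalize_mac($calling_station_id);
    my ($user, $realm) = split_realm($user_name);

    return $VLAN{isolation} if $lookups->{is_violator}->($user_name, $mac);

    if (defined $mac && $lookups->{in_inventory}->($mac)) {
        return $VLAN{special} if $lookups->{is_special}->($user);
        return $VLAN{work}    if ($lookups->{ldap_role}->($user) // '') eq 'staff';
    }
    return $VLAN{students} if !defined $realm || $lookups->{is_local_realm}->($realm);
    return $VLAN{guest};    # eduroam visitor from another institution
}

# rlm_perl entry point: hand the chosen VLAN back as tunnel attributes.
sub post_auth {
    my $vlan = choose_vlan($RAD_REQUEST{'Calling-Station-Id'},
                           $RAD_REQUEST{'User-Name'}, \%LOOKUPS);
    $RAD_REPLY{'Tunnel-Type'}             = 'VLAN';
    $RAD_REPLY{'Tunnel-Medium-Type'}      = 'IEEE-802';
    $RAD_REPLY{'Tunnel-Private-Group-Id'} = $vlan;
    return RLM_MODULE_UPDATED;
}
```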
_______________________________________________
Packetfence-users mailing list
https://lists.sourceforge.net/lists/listinfo/packetfence-users