On 29/02/12 11:11 AM, Rich Graves wrote:
> To be clear, I know that dynamic transition between
> registration/isolation/normal VLANs works. What I want is to change the
> "normal" VLAN dynamically based on the current 802.1X credentials. Ideally,
> this code would only need to run when ($current_subject ne
> $previous_subject); otherwise, it would have to run every single time, which
> is what my non-PF FreeRADIUS server does now.
>
> The logic of the post_auth in my current hand-coded FreeRADIUS rlm looks like:
>
> # This first part could certainly be handled by stock PF code
> If the username or MAC address is flagged as a violator {
> Return isolation VLAN
> }
> # Maybe this could be done with categories or a custom column in the node
> table,
> # or I could just copy my existing code to pf::vlan::custom
> If the MAC address (Calling-Station-ID) exists in our College inventory
> database {
Querying external databases is suboptimal. A db handle will need to be
created and freed on each radius request (otherwise you can't stay in
the ::custom scope). Avoid it if you can by importing the data into
PacketFence's database.
> # Sysadmins and others get a special VLAN
> If username is on a special list {
> Return special VLAN deep within the firewall
Special list == attribute in the database correct?
> } Else If LDAP role of the user is "staff" {
> Return work VLAN
With RADIUS we can do proper LDAP and inject an attribute meant for
pf::vlan::custom. We did PoC this for a customer that finally decided to
go with the easier category technique.
> } Else If they are authenticated to a local realm {
> Return default VLAN for students, etc
> # Otherwise, we are an eduroam-authenticated visitor from another institution
> } Else {
> Return guest VLAN that can access Internet but not certain local resources
> }
Also possible.
Right now the only thing that makes it harder than it should be is that
we pass subsets of the RADIUS query inside the core instead of the whole
thing so you'll need to change both pf::radius::custom and
pf::vlan::custom...
I just discussed with the guys here and the next time I touch this core
piece, I'll get rid of the manually selected RADIUS Attributes and pass
around an object with the whole request instead.
Cheers!
--
Olivier Bilodeau
[email protected] :: +1.514.447.4918 *115 :: www.inverse.ca
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence
(www.packetfence.org)
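As an added illustration (not PacketFence code and not Rich's rlm), the decision tree quoted above as a self-contained Perl routine: the lookups read from in-memory hashes standing in for tables imported into PacketFence's database (no per-request external DB handle, as suggested), plus a per-MAC cache so the decision only reruns when the 802.1X subject changes. All VLAN IDs, users, MACs and realms are constructed; letting non-inventory MACs fall through to the realm checks is an assumption, since the quoted pseudocode never closes the inventory block.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed sample data standing in for tables imported into PacketFence's
# database (no external database handle needed per RADIUS request).
my %VLAN           = ( isolation => 2, special => 10, work => 20, default => 30, guest => 40 );
my %violators      = ( 'eve@college.edu' => 1, '00:11:22:33:44:55' => 1 );
my %inventory_macs = ( 'aa:bb:cc:dd:ee:01' => 1, 'aa:bb:cc:dd:ee:02' => 1 );
my %special_users  = ( 'sysadmin@college.edu' => 1 );
my %ldap_role      = ( 'prof@college.edu' => 'staff', 'stu@college.edu' => 'student' );
my @local_realms   = ('college.edu');

# Last 802.1X subject and resulting VLAN seen per MAC, so the full decision
# only reruns when the credentials behind that MAC actually change.
my (%last_subject, %last_vlan);

sub normal_vlan_for {
    my ($mac, $user) = @_;
    $mac = lc $mac;
    if (defined $last_subject{$mac} && $last_subject{$mac} eq $user) {
        return $last_vlan{$mac};    # same subject as last request: reuse
    }
    my $vlan = decide_vlan($mac, $user);
    ($last_subject{$mac}, $last_vlan{$mac}) = ($user, $vlan);
    return $vlan;
}

sub decide_vlan {
    my ($mac, $user) = @_;
    my ($realm) = $user =~ /\@([^@]+)\z/;    # eduroam-style user@realm
    my $local = defined $realm && grep { lc $realm eq lc $_ } @local_realms;

    # Violators first: username or Calling-Station-Id flagged -> isolation.
    return $VLAN{isolation} if $violators{$user} || $violators{$mac};
    # Inventory devices: special list beats LDAP role (assumed nesting).
    if ($inventory_macs{$mac}) {
        return $VLAN{special} if $special_users{$user};
        return $VLAN{work}    if ($ldap_role{$user} // '') eq 'staff';
    }
    # Local realm -> default VLAN; anyone else is a visiting eduroam user.
    return $VLAN{default} if $local;
    return $VLAN{guest};
}

printf "%s %-22s -> VLAN %d\n", @{$_}[0, 1], normal_vlan_for(@$_)
    for ( ['aa:bb:cc:dd:ee:01', 'sysadmin@college.edu'],
          ['aa:bb:cc:dd:ee:01', 'prof@college.edu'],
          ['00:aa:00:aa:00:aa', 'stu@college.edu'],
          ['00:aa:00:aa:00:aa', 'visitor@other.edu'] );
```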
_______________________________________________
Packetfence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users