>> # Maybe this could be done with categories or a custom column in the node
>> table,
>> # or I could just copy my existing code to pf::vlan::custom
>> If the MAC address (Calling-Station-ID) exists in our College inventory
>> database {
>
> Querying external databases is suboptimal. A db handle will need to be
> created and freed on each radius request (otherwise you can't stay in
> the ::custom scope). Avoid it if you can by importing the data into
> PacketFence's database.
Sure. This information is fairly stable. Actually, I do a daily dump to a mysql
db local to each non-PF radius server today. (Question about how to get a local
db handle is below.)
>> # Sysadmins and others get a special VLAN
>> If username is on a special list {
>> Return special VLAN deep within the firewall
>
> Special list == attribute in the database correct?
Well, right now, it's a short list, and I'm sloppy, so it's a constant in the
perl code. It could become a database property.
>> } Else If LDAP role of the user is "staff"
>> Return work VLAN
>
> with RADIUS we can do proper LDAP and inject an attribute meant for
> pf::vlan::custom. We did PoC this for a customer that finally decided to
> go with the easier category technique.
In my non-PF freeradius 2.1.10 server, I use /etc/raddb/modules/ldap with
ldap.attrmap:
replyItem Aruba-User-Role eduPersonPrimaryAffiliation
But eduPersonPrimaryAffiliation hardly ever changes, so there is no real reason
to do an LDAP lookup every time. I could certainly fetch the info with
Net::LDAP upon first login, or even as a daily cron job, and cache the result
somewhere. I see that getNormalVlan sees $user_name. I hope that's the
Inner-Tunnel identity, not outer-tunnel? I'll find out shortly...
I do not actually use Aruba-User-Role at the NAS -- I simply use it as a
variable to carry information from C code at auth to perl code at post_auth.
> Right now the only thing that makes it harder than it should be is that
> we pass subsets of the RADIUS query inside the core instead of the whole
> thing so you'll need to change both pf::radius::custom and
> pf::vlan::custom...
>
> I just discussed with the guys here and the next time I touch this core
> piece, I'll get rid of the manually selected RADIUS Attributes and pass
> around an object with the whole request instead.
Good plan.
For now, let's assume that some non-PF process will stuff the needed
information into a custom table in the local pf mysql database. Does
pf::vlan::custom inherit a global handle to the local database? If not, should
I call get_db_handle() myself? The "does this MAC address represent a
College-owned managed device" question can be answered with the existing node
table, but I don't think I can count on a direct mapping of $user_name to the
people table. Especially since pf::vlan::custom only gets a full hashref for
$node_info, not $user_name.
_______________________________________________
Packetfence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users
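As an added illustration (not code from this thread or from PacketFence), the decision the pseudocode above sketches, written against a local table rather than a remote database: one handle is opened once and reused for every request, all lookups are parameterised because User-Name and Calling-Station-Id come from the supplicant and NAS, and the MAC is normalised before it is compared with the inventory, since Calling-Station-Id arrives as `AA-BB-CC-DD-EE-FF`, `aabb.ccdd.eeff` or `aa:bb:cc:dd:ee:ff` depending on the NAS vendor. It is Python for runnability; the same three lookups would be ported into the Perl of `pf::vlan::custom`. The table names, columns, sample rows and VLAN numbers are constructed assumptions for the example.

```python
import re
import sqlite3

# Constructed sample tables, standing in for the "custom table in the local pf
# mysql database" that an external nightly dump would populate. The schema,
# the rows and the VLAN numbers below are assumptions made for this example.
SAMPLE_SCHEMA = """
CREATE TABLE inventory     (mac TEXT PRIMARY KEY, asset_tag TEXT);
CREATE TABLE special_users (username TEXT PRIMARY KEY);
CREATE TABLE role_cache    (username TEXT PRIMARY KEY, affiliation TEXT);
INSERT INTO inventory VALUES ('00:11:22:33:44:55', 'COLL-0001');
INSERT INTO inventory VALUES ('aa:bb:cc:dd:ee:ff', 'COLL-0002');
INSERT INTO special_users VALUES ('sysadmin1');
INSERT INTO role_cache VALUES ('sysadmin1', 'staff');
INSERT INTO role_cache VALUES ('jdoe', 'staff');
INSERT INTO role_cache VALUES ('student1', 'student');
"""

VLAN_SPECIAL = 10   # "deep within the firewall" (assumed number)
VLAN_WORK = 20      # assumed
VLAN_DEFAULT = 30   # whatever the site uses for everyone else (assumed)

# Calling-Station-Id formats seen from different NAS vendors. Anything else
# (an IP address, an empty value) is rejected rather than coerced: stripping
# punctuation and hoping for 12 hex digits would turn 192.168.100.222 into a
# "MAC".
_MAC_FORMATS = (
    re.compile(r'^([0-9a-f]{2}[:-]){5}[0-9a-f]{2}$'),   # aa:bb:cc:dd:ee:ff, aa-bb-..
    re.compile(r'^([0-9a-f]{4}\.){2}[0-9a-f]{4}$'),      # aabb.ccdd.eeff (Cisco)
    re.compile(r'^[0-9a-f]{12}$'),                       # aabbccddeeff
)


def normalize_mac(calling_station_id):
    """Return the MAC as lower-case, colon-separated, or None when the
    attribute is not a MAC in one of the accepted formats."""
    value = (calling_station_id or '').strip().lower()
    if not any(fmt.match(value) for fmt in _MAC_FORMATS):
        return None
    digits = re.sub(r'[^0-9a-f]', '', value)
    return ':'.join(digits[i:i + 2] for i in range(0, 12, 2))


class VlanPolicy:
    """Holds one database handle for the life of the process, so a RADIUS
    request costs at most three parameterised lookups and no connect/free."""

    def __init__(self, conn):
        self.conn = conn

    def _one(self, sql, *params):
        # Parameterised: User-Name and Calling-Station-Id are supplied by the
        # client and NAS, so they are never interpolated into SQL text.
        return self.conn.execute(sql, params).fetchone()

    def is_managed(self, mac):
        return self._one('SELECT 1 FROM inventory WHERE mac = ?', mac) is not None

    def is_special(self, username):
        return self._one('SELECT 1 FROM special_users WHERE username = ?',
                         username) is not None

    def affiliation(self, username):
        row = self._one('SELECT affiliation FROM role_cache WHERE username = ?',
                        username)
        return row[0] if row else None

    def normal_vlan(self, calling_station_id, user_name):
        """The order sketched in the thread: the device must be College-owned,
        then special users, then staff, then everyone else. user_name is
        assumed to be the inner-tunnel identity."""
        mac = normalize_mac(calling_station_id)
        if mac is None or not self.is_managed(mac):
            return VLAN_DEFAULT
        if self.is_special(user_name):
            return VLAN_SPECIAL
        if self.affiliation(user_name) == 'staff':
            return VLAN_WORK
        return VLAN_DEFAULT


def build_sample_policy():
    """In-memory SQLite loaded with the constructed rows above."""
    conn = sqlite3.connect(':memory:')
    conn.executescript(SAMPLE_SCHEMA)
    return VlanPolicy(conn)


if __name__ == '__main__':
    policy = build_sample_policy()
    for csid, user in (('00-11-22-33-44-55', 'sysadmin1'),
                       ('aabb.ccdd.eeff', 'jdoe'),
                       ('00:11:22:33:44:55', 'student1'),
                       ('00:11:22:33:44:56', 'jdoe'),
                       ('192.168.100.222', 'jdoe')):
        print(csid, user, '->', policy.normal_vlan(csid, user))
```

The unmanaged and not-a-MAC cases both fall through to the default VLAN rather than raising, which is the safer failure mode in a RADIUS hook: an exception there would turn a lookup problem into a rejected or mis-placed session.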