On 11/11/2011 01:39 PM, Pearson, Mark wrote:
> I’m guessing this has been done several times so rather than invent the
> wheel thought I would ask here.
Well, I guess there's always some reinventing involved with these
things, but please see below for some ideas :)
> On our wireless network we want to create an AD group of “known devices”
> using machine name. When a user authenticates to the wireless, firstly
> needs to check if they are a valid user in AD, if so, then check if the
> machine name is the in “known devices”, if so, then they are assigned
> vlan A. If they are a valid user but not in the group they are assigned
> vlan B.
Here's a simple config that shows how to use two AuthBys to first
authenticate the user and then add attributes based on other information
from the request.
<Handler>
        AuthByPolicy ContinueWhileAccept
        <AuthBy FILE>
                # Authenticate the user
                Filename %D/users
        </AuthBy>
        <AuthBy FILE>
                # Choose VLAN based on Calling-Station-Id
                AuthenticateAttribute Calling-Station-Id
                Filename %D/users-authattr
                AddToReply Tunnel-Type=1:VLAN,Tunnel-Medium-Type=1:Ether_802
        </AuthBy>
</Handler>
File users is simply:
mikem   User-Password=fred
File users-authattr is:
987654321
        Tunnel-Private-Group-ID=1:100
987654322
        Tunnel-Private-Group-ID=1:200
DEFAULT
        Tunnel-Private-Group-ID=1:300
Test with:
% ./radpwtst -trace 4 -noacct -calling_station_id 987654321
% ./radpwtst -trace 4 -noacct -calling_station_id 987654322
% ./radpwtst -trace 4 -noacct -calling_station_id 987654323
The default username and password are mikem/fred and when you vary the
C-S-I attribute, different VLAN IDs are returned.
> We are using cisco WLC and Radiator 4.7. Currently we use cisco ACS for
> the user authentication and only use Radiator for eduroam with AuthBy
> LSA. Our AD is 2008. Moving forward I want to use Radiator for both user
> and device authentication and also TACACS (that can wait for another day
> though).
TACACS is widely used with Radiator, so that should not be a problem.
You can even run a separate instance for TACACS if you want to keep it
separate from other authentication. That might help with the initial
setup and debug too.
> Any advice on how to do this, where to start and any sample Radiator
> configs would be appreciated.
The example above shows how to chain AuthBys, so that might be the
general idea how to combine authentication and VLAN assignment. Both
AuthBys do a lookup from a file, but you can use e.g. NTLM and SQL. The
second lookup depends on how you can make the list of known machines
available for Radiator.
Thanks!
Heikki
--
Heikki Vatiainen <[email protected]>
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
NetWare etc.
_______________________________________________
radiator mailing list
[email protected]
http://www.open.com.au/mailman/listinfo/radiator
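An added example, not part of the thread above and not Radiator's own code: a Python script that turns a constructed "known devices" list into the users-authattr flat file the reply describes, plus a small lookup that mimics the second AuthBy FILE so the known-device/DEFAULT split can be checked before the file is deployed. It assumes the WLC sends Calling-Station-Id as lowercase hyphen-separated pairs and that the file key is compared as sent; adjust format_mac to whatever a -trace 4 run shows.

```python
import re

# Constructed sample: a "known devices" export (AD computer name, MAC) such as an
# admin might dump before feeding it to Radiator. Not from the original mail.
KNOWN_DEVICES = [
    ("LAPTOP-001", "00:11:22:33:44:55"),
    ("LAPTOP-002", "00-11-22-33-44-66"),
    ("LAPTOP-003", "0011.2233.4477"),
]
KNOWN_VLAN = "100"    # VLAN A: valid user on a known device
DEFAULT_VLAN = "200"  # VLAN B: valid user on an unknown device

def format_mac(csi, sep="-", group=2):
    """Rewrite any common MAC spelling (colon, hyphen, Cisco dot, bare) into the
    form the NAS sends in Calling-Station-Id. Assumption: the flat-file key is
    compared as sent, so sep/group must match what 'radpwtst -trace 4' shows.
    Default here: lowercase, hyphen-separated pairs."""
    digits = re.sub(r"[^0-9a-fA-F]", "", csi).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {csi!r}")
    return sep.join(digits[i:i + group] for i in range(0, 12, group))

def render_users_authattr(devices, known_vlan, default_vlan):
    """Emit the users-authattr flat file: one entry per known MAC returning the
    known-device VLAN, and a DEFAULT entry that catches every other device."""
    lines = []
    for name, mac in devices:
        lines += [f"# {name}", format_mac(mac),
                  f"\tTunnel-Private-Group-ID=1:{known_vlan}"]
    lines += ["DEFAULT", f"\tTunnel-Private-Group-ID=1:{default_vlan}"]
    return "\n".join(lines) + "\n"

def lookup_vlan(file_text, calling_station_id):
    """Mimic the second AuthBy FILE: the Calling-Station-Id selects an entry
    (indented lines are its reply attributes); no match falls back to DEFAULT.
    Returns the VLAN ID (the part after the '1:' tag) or None."""
    entries, current = {}, None
    for line in file_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        if line[0] in " \t":
            entries[current].append(line.strip())
        else:
            current = line.split()[0]
            entries[current] = []
    attrs = entries.get(format_mac(calling_station_id)) or entries.get("DEFAULT", [])
    for attr in attrs:
        if attr.startswith("Tunnel-Private-Group-ID="):
            return attr.split("=", 1)[1].split(":", 1)[1]
    return None
```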