Thanks Heikki, I will use this to start my testing.

regards
Mark Pearson
Infrastructure Development Team Leader

Information Systems
Nottingham Trent University
Shakespeare St
Nottingham
NG1 4FQ

0115 848 8287 (work)
07900 138476 (mob)


-----Original Message-----
From: Heikki Vatiainen [mailto:[email protected]]
Sent: 14 November 2011 13:18
To: Pearson, Mark
Cc: '[email protected]'
Subject: Re: [RADIATOR] dynamic vlan assignment based on machine name

On 11/11/2011 01:39 PM, Pearson, Mark wrote:

> I'm guessing this has been done several times so rather than invent
> the wheel thought I would ask here.

Well, I guess there's always some reinventing involved with these things, but 
please see below for some ideas :)

> On our wireless network we want to create an AD group of "known devices"
> using machine name. When a user authenticates to the wireless, firstly
> needs to check if they are a valid user in AD, if so, then check  if
> the machine name is the in "known devices", if so,  then they are
> assigned vlan A. If they are a valid user but not in the group they
> are assigned vlan B.

Here's a simple config that shows how to use two AuthBys to first authenticate 
the user and then add attributes based on other information from the request.

<Handler>
        AuthByPolicy ContinueWhileAccept
        <AuthBy FILE>
                # Authenticate the user
                Filename        %D/users
        </AuthBy>
        <AuthBy FILE>
                # Choose VLAN based on Calling-Station-Id
                AuthenticateAttribute Calling-Station-Id
                Filename        %D/users-authattr
                AddToReply Tunnel-Type=1:VLAN,Tunnel-Medium-Type=1:Ether_802
        </AuthBy>
</Handler>

File users is simply:
mikeme  User-Password=fred

File users-authattr is:

987654321
        Tunnel-Private-Group-ID=1:100
987654322
        Tunnel-Private-Group-ID=1:200
DEFAULT
        Tunnel-Private-Group-ID=1:300


Test with:

% ./radpwtst -trace 4 -noacct -calling_station_id 987654321
% ./radpwtst -trace 4 -noacct -calling_station_id 987654322
% ./radpwtst -trace 4 -noacct -calling_station_id 987654323

The default username and password are mike/fred and when you vary the C-S-I 
attribute, different VLAN IDs are returned.

> We are using cisco WLC and Radiator 4.7. Currently we use cisco ACS
> for the user authentication and only use Radiator for eduroam with
> AuthBy LSA. Our AD is 2008. Moving forward I want to use Radiator for
> both user and device authentication and also TACACS (that can wait for
> another day though).

TACACS is widely used with Radiator, so that should not be a problem.
You can even run a separate instance for TACACS if you want to keep it 
separate from other authentication. That might help with the initial setup and 
debug too.

> Any advice on how to do this, where to start and any sample Radiator
> configs would be appreciated.

The example above shows how to chain AuthBys, so that might be the general idea 
how to combine authentication and VLAN assignment. Both AuthBys do a lookup 
from a file, but you can use e.g. NTLM and SQL. The second lookup depends on 
how you can make the list of known machines available for Radiator.

Thanks!
Heikki

--
Heikki Vatiainen <[email protected]>

Radiator: the most portable, flexible and configurable RADIUS server anywhere. 
SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, Platypus, Freeside, 
TACACS+, PAM, external, Active Directory, EAP, TLS, TTLS, PEAP, TNC, WiMAX, 
RSA, Vasco, Yubikey, MOTP, HOTP, TOTP, DIAMETER etc. Full source on Unix, 
Windows, MacOSX, Solaris, VMS, NetWare etc.
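As an added example (not Radiator's own code and not part of the original thread), the following Python model reproduces the logic of the config above: it parses the flat users-file format (a key on its own line with optional check items, reply items indented on the lines below), runs the first AuthBy FILE on User-Name/User-Password, runs the second on Calling-Station-Id with a DEFAULT fallback, and merges in the AddToReply tunnel attributes, stopping at the first non-ACCEPT result as AuthByPolicy ContinueWhileAccept does. The function names (parse_users_file, authby_file, handle), the exact-match-then-DEFAULT lookup rule and the choice to reject a request that lacks Calling-Station-Id are simplifying assumptions of this model; the two embedded files are constructed from the ones shown in the reply.

```python
"""Model of a two-stage AuthBy FILE chain under AuthByPolicy ContinueWhileAccept.

Added example, not Radiator code. Semantics are simplified: exact key match
first, then a DEFAULT entry; check items must all equal the request values.
"""
from dataclasses import dataclass

# Constructed sample files mirroring the thread's 'users' and 'users-authattr'.
USERS = """\
mikeme  User-Password=fred
"""

USERS_AUTHATTR = """\
987654321
        Tunnel-Private-Group-ID=1:100
987654322
        Tunnel-Private-Group-ID=1:200
DEFAULT
        Tunnel-Private-Group-ID=1:300
"""

# Hypothetical stand-in for the AddToReply line of the second AuthBy.
ADD_TO_REPLY = {"Tunnel-Type": "1:VLAN", "Tunnel-Medium-Type": "1:Ether_802"}


@dataclass
class Entry:
    key: str
    check: dict   # check items on the key line (e.g. User-Password=fred)
    reply: dict   # reply items from the indented lines that follow


def _parse_items(text):
    """Parse 'Name=value,Name2=value2' into a dict (comma-separated items)."""
    items = {}
    for item in text.split(","):
        item = item.strip()
        if item:
            name, _, value = item.partition("=")
            items[name.strip()] = value.strip()
    return items


def parse_users_file(text):
    """Parse the users-file format: unindented key lines, indented reply lines."""
    entries, current = [], None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue                       # blank line or comment
        if raw[0] in " \t":                # indented: reply items for current entry
            if current is None:
                raise ValueError("reply item before any entry: %r" % raw)
            current.reply.update(_parse_items(raw))
        else:                              # new entry: key plus optional check items
            parts = raw.split(None, 1)
            check = _parse_items(parts[1]) if len(parts) > 1 else {}
            current = Entry(parts[0], check, {})
            entries.append(current)
    return entries


def lookup(entries, key):
    """Exact key match first, then the DEFAULT entry (model simplification)."""
    for entry in entries:
        if entry.key == key:
            return entry
    for entry in entries:
        if entry.key == "DEFAULT":
            return entry
    return None


def authby_file(entries, request, attribute, add_to_reply):
    """One AuthBy FILE stage keyed on `attribute` (AuthenticateAttribute)."""
    key = request.get(attribute)
    entry = lookup(entries, key) if key is not None else None  # missing attr -> REJECT (model choice)
    if entry is None:
        return "REJECT", {}
    for name, value in entry.check.items():   # every check item must match
        if request.get(name) != value:
            return "REJECT", {}
    reply = dict(entry.reply)
    reply.update(add_to_reply)
    return "ACCEPT", reply


def handle(request):
    """AuthByPolicy ContinueWhileAccept: stop at the first non-ACCEPT stage."""
    chain = [
        (parse_users_file(USERS), "User-Name", {}),
        (parse_users_file(USERS_AUTHATTR), "Calling-Station-Id", ADD_TO_REPLY),
    ]
    reply = {}
    for entries, attribute, add in chain:
        result, attrs = authby_file(entries, request, attribute, add)
        if result != "ACCEPT":
            return "Access-Reject", {}
        reply.update(attrs)
    return "Access-Accept", reply


if __name__ == "__main__":
    for csi in ("987654321", "987654322", "987654323"):
        req = {"User-Name": "mikeme", "User-Password": "fred", "Calling-Station-Id": csi}
        print(csi, handle(req))
```

Running the block walks the same three Calling-Station-Id values as the radpwtst commands in the reply: the two listed stations get VLAN 100 and 200, the unknown one falls through to the DEFAULT entry and gets VLAN 300, and a bad password or unknown user is rejected before the VLAN stage ever runs.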
_______________________________________________
radiator mailing list
[email protected]
http://www.open.com.au/mailman/listinfo/radiator