Re: assigning vlan based on NAS and LDAP field?
Jerry, I hate to be a pain, but what you have implemented at the moment is my next task with FreeRADIUS. Would you mind linking any howtos you use? Thanks. Also, how do you get FreeRADIUS to find a user's group and then report it back to the Cisco / AP so it can decide which VLAN the client belongs on? Many thanks in advance.

On 4/14/07, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
> Message of 13/04/07 at 11:43
> From: Kostas Kalevras
> To: [EMAIL PROTECTED], FreeRadius users mailing list
> Cc:
> Subject: Re: assigning vlan based on NAS and LDAP field?
>
> > Matt Ashfield wrote:
> > > Hi all,
> > > We're using FR authenticating against LDAP to implement our wireless solution. Basically, we are looking at the LDAP field of record type and determining if it is a staff or a student, and assigning a VLAN based on that. Pretty simple and it works. However, there are two issues with this:
> > >
> > > 1. We have a sister campus, on a different network, but who are sharing the same FR and LDAP servers for authentication. Obviously their NASes are different from ours because we're in different physical locations and networks. With our current configuration, it looks like we have to define the exact same VLAN IDs and the same VLAN eligibility rules (i.e. staff get VLAN x and students get VLAN y) in order for this to work. I guess I'm hoping there is a way to assign different VLANs based on the NAS IP address in addition to the student/staff distinction.
> >
> > You can use multiple ldap module instances and set Autz-Type depending on the NAS IP address (or better yet huntgroups).
> >
> > > 2. This follows into our future wired-side implementation of 802.1X. In this case, we don't want our staff/student wired users to be assigned to the same VLANs as they would be if they were on wireless. Rather, we'd prefer to break them up based on their NAS or something like that.
> > >
> > > Anyways, I realize this is quite an odd situation, but probably quite similar to what many EDU people are encountering. Any help/advice is greatly appreciated.
>
> You have to find an attribute in the RADIUS request from the NAS that will differentiate a WiFi connection from a wired 802.1X connection: for me it is NAS-Port-Type = Wireless-802.11 for WiFi and NAS-Port-Type = Ethernet for wired 802.1X. Depending on this you send one VLAN or another in the RADIUS response.
>
> But you can still do it depending on the NAS IP.
>
> Thomas
>
> > > Thanks
> > > Matt
> > > [EMAIL PROTECTED]

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: assigning vlan based on NAS and LDAP field?
Matt Ashfield wrote:
> Hi all,
> We're using FR authenticating against LDAP to implement our wireless solution. Basically, we are looking at the LDAP field of record type and determining if it is a staff or a student, and assigning a VLAN based on that. Pretty simple and it works. However, there are two issues with this:
>
> 1. We have a sister campus, on a different network, but who are sharing the same FR and LDAP servers for authentication. Obviously their NASes are different from ours because we're in different physical locations and networks. With our current configuration, it looks like we have to define the exact same VLAN IDs and the same VLAN eligibility rules (i.e. staff get VLAN x and students get VLAN y) in order for this to work. I guess I'm hoping there is a way to assign different VLANs based on the NAS IP address in addition to the student/staff distinction.

You can use multiple ldap module instances and set Autz-Type depending on the NAS IP address (or better yet huntgroups).

> 2. This follows into our future wired-side implementation of 802.1X. In this case, we don't want our staff/student wired users to be assigned to the same VLANs as they would be if they were on wireless. Rather, we'd prefer to break them up based on their NAS or something like that.
>
> Anyways, I realize this is quite an odd situation, but probably quite similar to what many EDU people are encountering. Any help/advice is greatly appreciated.
>
> Thanks
> Matt
> [EMAIL PROTECTED]
Re: assigning vlan based on NAS and LDAP field?
Message of 13/04/07 at 11:43
From: Kostas Kalevras
To: [EMAIL PROTECTED], FreeRadius users mailing list
Cc:
Subject: Re: assigning vlan based on NAS and LDAP field?

> Matt Ashfield wrote:
> > Hi all,
> > We're using FR authenticating against LDAP to implement our wireless solution. Basically, we are looking at the LDAP field of record type and determining if it is a staff or a student, and assigning a VLAN based on that. Pretty simple and it works. However, there are two issues with this:
> >
> > 1. We have a sister campus, on a different network, but who are sharing the same FR and LDAP servers for authentication. Obviously their NASes are different from ours because we're in different physical locations and networks. With our current configuration, it looks like we have to define the exact same VLAN IDs and the same VLAN eligibility rules (i.e. staff get VLAN x and students get VLAN y) in order for this to work. I guess I'm hoping there is a way to assign different VLANs based on the NAS IP address in addition to the student/staff distinction.
>
> You can use multiple ldap module instances and set Autz-Type depending on the NAS IP address (or better yet huntgroups).
>
> > 2. This follows into our future wired-side implementation of 802.1X. In this case, we don't want our staff/student wired users to be assigned to the same VLANs as they would be if they were on wireless. Rather, we'd prefer to break them up based on their NAS or something like that.
> >
> > Anyways, I realize this is quite an odd situation, but probably quite similar to what many EDU people are encountering. Any help/advice is greatly appreciated.

You have to find an attribute in the RADIUS request from the NAS that will differentiate a WiFi connection from a wired 802.1X connection: for me it is NAS-Port-Type = Wireless-802.11 for WiFi and NAS-Port-Type = Ethernet for wired 802.1X. Depending on this you send one VLAN or another in the RADIUS response.

But you can still do it depending on the NAS IP.

Thomas

> > Thanks
> > Matt
> > [EMAIL PROTECTED]
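Worked configuration for the two suggestions in this thread (huntgroups keyed on NAS-IP-Address, as Kostas suggests, and NAS-Port-Type to split wired 802.1X from wireless, as Thomas does), returning the VLAN to the NAS in the Access-Accept as asked in the follow-up. This is an added example, not configuration posted by anyone in the thread. It uses the FreeRADIUS 1.x single radiusd.conf layout; the NAS addresses, huntgroup names, VLAN IDs and LDAP group names are made up, and it assumes the staff/student distinction is exposed as LDAP group membership so rlm_ldap's Ldap-Group check item can test it (a "record type" attribute like Matt's would instead be mapped through ldap.attrmap and compared as its own check item).

```conf
# --- raddb/huntgroups (read by the preprocess module) ---
# <Huntgroup-Name>  <check items the request must match>
# One huntgroup per site, listing that site's NASes (addresses made up).
campus-a   NAS-IP-Address == 192.0.2.10
campus-a   NAS-IP-Address == 192.0.2.11
campus-a   NAS-IP-Address == 192.0.2.20
campus-b   NAS-IP-Address == 198.51.100.10

# --- raddb/radiusd.conf (FreeRADIUS 1.x layout, excerpt) ---
modules {
    preprocess {
        huntgroups = ${confdir}/huntgroups
    }
    ldap {
        # ... server / basedn / filter as already in use ...
        # Needed for the Ldap-Group check item below.  Assumed group
        # schema (groupOfNames with member DNs); adjust to the directory.
        groupname_attribute = cn
        groupmembership_filter = "(&(objectClass=groupOfNames)(member=%{Ldap-UserDn}))"
    }
}
authorize {
    preprocess   # adds Huntgroup-Name to the request from huntgroups
    ldap         # user lookup; also makes Ldap-Group comparisons possible
    files        # evaluates raddb/users
}

# --- raddb/users (rlm_files) ---
# First line of an entry: check items.  Indented lines: reply items.
# DEFAULT entries are tried top to bottom; the first entry whose check
# items all match wins (Fall-Through is No by default).  NAS-Port-Type
# values are the dictionary names Wireless-802.11 and Ethernet.
# VLAN IDs below are made up.

# Campus A wireless
DEFAULT Huntgroup-Name == "campus-a", NAS-Port-Type == Wireless-802.11, Ldap-Group == "staff"
    Tunnel-Type = VLAN,
    Tunnel-Medium-Type = IEEE-802,
    Tunnel-Private-Group-Id = "10"
DEFAULT Huntgroup-Name == "campus-a", NAS-Port-Type == Wireless-802.11, Ldap-Group == "students"
    Tunnel-Type = VLAN,
    Tunnel-Medium-Type = IEEE-802,
    Tunnel-Private-Group-Id = "20"

# Campus A wired 802.1X: same people, different VLANs
DEFAULT Huntgroup-Name == "campus-a", NAS-Port-Type == Ethernet, Ldap-Group == "staff"
    Tunnel-Type = VLAN,
    Tunnel-Medium-Type = IEEE-802,
    Tunnel-Private-Group-Id = "110"
DEFAULT Huntgroup-Name == "campus-a", NAS-Port-Type == Ethernet, Ldap-Group == "students"
    Tunnel-Type = VLAN,
    Tunnel-Medium-Type = IEEE-802,
    Tunnel-Private-Group-Id = "120"

# Campus B wireless: its own VLAN numbering against the same LDAP groups
DEFAULT Huntgroup-Name == "campus-b", NAS-Port-Type == Wireless-802.11, Ldap-Group == "staff"
    Tunnel-Type = VLAN,
    Tunnel-Medium-Type = IEEE-802,
    Tunnel-Private-Group-Id = "30"
DEFAULT Huntgroup-Name == "campus-b", NAS-Port-Type == Wireless-802.11, Ldap-Group == "students"
    Tunnel-Type = VLAN,
    Tunnel-Medium-Type = IEEE-802,
    Tunnel-Private-Group-Id = "40"

# No matching site / port type / group: reject rather than send an
# Access-Accept with no Tunnel-* attributes, which would leave the client
# in whatever static VLAN the switch or AP has configured on that port.
DEFAULT Auth-Type := Reject
    Reply-Message = "No VLAN policy for this NAS and group"
```

To check the policy without a real client, run the server with `radiusd -X` and send requests with `radclient`, using a request file that sets User-Name, User-Password, NAS-IP-Address and NAS-Port-Type; the Access-Accept should carry exactly the three Tunnel-* attributes for that site, port type and group, and a user outside the listed groups should get an Access-Reject. The NAS only acts on the attributes if it is configured to accept RADIUS-assigned VLANs (AAA override on Cisco wireless controllers, `aaa authorization network` on IOS switches) and the value matches a VLAN that exists on that NAS. Note also that huntgroups match on the NAS-IP-Address attribute the NAS itself put in the request, while the NAS is authenticated by source address and shared secret in clients.conf, so the two files need to be kept in step.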