Sorry John, you threadjacked... I was answering Tom the original poster's
question...
As for your question, it all depends on your Wireless/NAC device and how it
handles groups.

I'm using Cisco Wireless LAN controllers.  The RADIUS server (IAS 2008, or
as Microsoft calls it, Network Policy Server (NPS)) has a firewall-like rule
set (top down processing) where clients match.  When clients match a rule,
the RADIUS attribute for Cisco is returned telling it what VLAN to put the
client on.  Cisco is using IETF attributes 64, 65, and 81.  So the Wireless
LAN controller has no concept of groups.  It's the RADIUS Server itself.


On Wed, Jun 24, 2009 at 7:18 PM, John Rodkey <[email protected]> wrote:

> OK, Well, I'm not really asking about 802.1x configuration.  I'm wondering
> about the radius backend and the RADIUS attributes which contain, for
> instance, 'faculty' for a faculty member.
> When I read the RADIUS RFC, it didn't pop out to me which of the attributes
> was used to transmit this information to the NAC device or Wireless
> controller that is doing authentication and authorization.
>
> It's actually the information for authorization that I'm interested in.
> Authentication via RADIUS for 802.1x is working fine.
>
> John
>
> On Wed, Jun 24, 2009 at 1:50 PM, Mike King <[email protected]> wrote:
>
>> Tom, nobody has said it yet (which I'm surprised)
>> You might want to look into http://www.cloudpath.net/  which is a program
>> you can distribute that will auto configure the 802.1x settings on client
>> machines.  Many universities and colleges publish an Open SSID that lands on
>> a captive portal that just displays this program.  The program will then
>> autoconfigure their supplicant to authenticate to the network.
>>
>>
>>
>> On Wed, Jun 24, 2009 at 2:11 PM, John Rodkey <[email protected]> wrote:
>>
>>> What attribute do you use to transmit the user's group within RADIUS?
>>>
>>>
>>> On Wed, Jun 24, 2009 at 11:08 AM, Lee H Badman <[email protected]> wrote:
>>>
>>>>  Hi Tom,
>>>>
>>>>
>>>>
>>>> We use forwarding of RADIUS accounting data (as users authenticate to
>>>> 802.1x) into our NAC system- (using Cisco LWAPP, ACS and Impulse
>>>> NAC)-works pretty well for single sign-on effect. Especially with the
>>>> cached credentials for the supplicant- the whole thing ends up
>>>> transparent to the user.
>>>>
>>>>
>>>>
>>>> Lee H. Badman
>>>>
>>>> Wireless/Network Engineer
>>>>
>>>> Information Technology and Services
>>>>
>>>> Syracuse University
>>>>
>>>> 315 443-3003
>>>>   ------------------------------
>>>>
>>>> *From:* The EDUCAUSE Wireless Issues Constituent Group Listserv
>>>> [mailto:[email protected]] *On Behalf Of *Tom Parenti
>>>> *Sent:* Wednesday, June 24, 2009 9:25 AM
>>>>
>>>> *To:* [email protected]
>>>> *Subject:* [WIRELESS-LAN] Student 802.1x
>>>>
>>>>
>>>>
>>>> Hello All,
>>>>
>>>>
>>>> We are looking to start doing 802.1x authentication on our student
>>>> wireless. We are an Aruba customer and we use Cisco NAC.
>>>>
>>>>
>>>>
>>>> Today we have an open SSID. The students connect to the SSID, open a web
>>>> browser and are redirected to the Cisco NAC log on page. We would like to
>>>> continue with the single sign on with NAC if possible. I think that would
>>>> mean the students would have to cache their credentials in the supplicant
>>>> to get authenticated to the new 802.1x SSID. Student computers are not part of
>>>> our domain.
>>>>
>>>>
>>>>
>>>> Has anyone had any experience setting up 802.1x with NAC?
>>>>
>>>>
>>>>
>>>> Thanks,
>>>>
>>>> Tom
>>>>
>>>> *________________________*
>>>>
>>>> *Tom Parenti*
>>>>
>>>> Network Administrator
>>>>
>>>> Johnson & Wales University
>>>>
>>>> 8 Abbott Park Place
>>>>
>>>> Providence, RI  02903
>>>>
>>>> (401) 598-1557
>>>>
>>>>
>>>>
>>>>
>>>>  ********** Participation and subscription information for this
>>>> EDUCAUSE Constituent Group discussion list can be found at
>>>> http://www.educause.edu/groups/.
>>>>
>
>
