freeradius with samba domain, port-access and vlan-assignment

Christian Hohmann Christian-Hohmann at web.de
Thu Apr 12 10:07:12 CEST 2007


Dear members,
Thank you so far for your help, but I guess I have to describe my problem a second time. I am trying to set up a security solution for a network using freeradius. I want to port-authenticate all clients on an HP switch and assign a VLAN to each port dynamically. The WXPSP2 hosts are members of a Samba domain, and this is the problem. I'll try to describe what is happening:
If I configure the WXPSP2 to use the login username and password for network authentication:
The host is booting and the switch sends an EAP-Request. When I enter the username and password, Windows opens "Can't find the domain controller" and finishes. This is logical, due to the fact that the host is not legal yet and has no IP address. There is no EAP Response from the host to the switch to get an IP address. So this is not working. I think there has to be a mechanism that reads in username and password, answers the EAP request, gets an IP address and gains contact to the domain controller. After this the login on the domain could be done with the entered login information. Have you any hint how to implement such a mechanism, or have you ever done something like this? I can't imagine that I am the first one having this problem.

The workaround would be to configure network authentication with the computer login.
In this case, the WXPSP2 host boots, gets a connection to the switch, the switch sends an EAP-Request, and the host answers with the computer information. Now the host has port access to the switch and can get an IP address. Now login on Samba would be possible. The bad thing is that every legal domain computer automatically has access to the network. OK, that would be a minor disadvantage, but I can only authenticate the client one time (the switch asks only one time for authentication). If access to the port is granted, there is no second need for the switch to ask again. But I want to assign a VLAN ID dynamically, depending on the USER, not on the computer. A VLAN assignment to the switch by the Samba domain controller seems to be impossible because the switch doesn't participate in the communication between host and Samba domain controller in the same way it does between host and RADIUS.

Could you give me a hint how to exit this disaster?

Thanks and regards - Christian

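A configuration sketch, added here and not taken from the mail above, of the two FreeRADIUS pieces such a setup relies on: verifying the MS-CHAPv2 credentials (the PEAP inner method) against the Samba domain through winbind's ntlm_auth, so radiusd never holds the users' passwords, and returning per-identity VLAN attributes the switch applies to the port. It assumes the supplicant authenticates as the computer at boot and re-authenticates with the user's credentials at logon; the file paths, the domain name EXAMPLEDOM, the usernames and the VLAN numbers are assumptions.

```text
# radiusd.conf (FreeRADIUS 1.x) -- mschap module section.
# ntlm_auth hands the MS-CHAPv2 challenge/response to winbind, which
# checks it against the Samba domain controller. Path and domain name
# are assumptions for this example.
mschap {
    authtype = MS-CHAP
    use_mppe = yes
    require_encryption = yes
    require_strong = yes
    with_ntdomain_hack = yes
    ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --domain=EXAMPLEDOM --username=%{Stripped-User-Name:-%{User-Name:-None}} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
}

# users -- reply attributes decide the VLAN per authenticated identity.
# The switch only honours them when configured for RADIUS-assigned
# VLANs; Tunnel-Type / Tunnel-Medium-Type / Tunnel-Private-Group-Id is
# the standard triplet from RFC 3580. Names and IDs are sample values.

# Machine authentication at boot (identity "host/<name>"): a restricted
# VLAN that only needs to reach the domain controller.
DEFAULT  User-Name =~ "^host/"
         Tunnel-Type = VLAN,
         Tunnel-Medium-Type = IEEE-802,
         Tunnel-Private-Group-Id = "99"

# User authentication after logon: VLAN chosen by user, not by computer.
alice
         Tunnel-Type = VLAN,
         Tunnel-Medium-Type = IEEE-802,
         Tunnel-Private-Group-Id = "10"

bob
         Tunnel-Type = VLAN,
         Tunnel-Medium-Type = IEEE-802,
         Tunnel-Private-Group-Id = "20"

# Any other successfully authenticated user: guest VLAN.
DEFAULT
         Tunnel-Type = VLAN,
         Tunnel-Medium-Type = IEEE-802,
         Tunnel-Private-Group-Id = "30"
```

Running `radiusd -X` while a client authenticates shows both the ntlm_auth result and the Tunnel-* attributes in the Access-Accept, which is the quickest way to confirm the switch is being told the VLAN you expect.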



