One client, multiple NAS-Port-Types

Arran Cudbard-Bell a.cudbardb at gmail.com
Wed Jun 1 20:25:46 CEST 2011


On Jun 1, 2011, at 10:53 AM, Alexander Clouter wrote:

> DaveA <daldwinc at uwaterloo.ca> wrote:
>> 
>> I am looking for some guidance on configuring clients that will send
>> requests with different NAS-Port-Types.
>> 
>> Devices: HP Procurve, Cisco, Aruba wireless controllers
>> Possible NAS-Port-Types: Ethernet, Virtual, Wireless, Async
>> 
>> Ex., for an HP procurve switch, the possibilities will be:
>> 1.      CLI access (admin) -> NAS-Port-Type = Virtual
>> 2.      802.1X (users) -> Nas-Port-Type = Ethernet
>> 
>> In this case, I would like to send CLI and 802.1x requests to different
>> virtual servers, because I accomplish #1 painlessly with ldap, and #2 gets
>> more complicated with ads and eduroam in the mix.
>> 
> The switch (NAS) will support sending those different requests to 
> different RADIUS servers.

Not necessarily. I know with ProCurve gear RADIUS groups were only added in K14; with some of the older platforms like the 2610's and 2600, all requests go to the same server.

You can do an internal proxy, but last time I checked multiple chained internal proxies were broken (I tried something very similar a few years ago).

So 

external-server (with listen block)
> assignment-logic
> proxy-to "eap-radius"
> > eap-radius
> > proxy-to "eap-radius-inner" (breaks here)

Alan DeKok may have fixed it in the interim period.

It's a particularly nice setup as it lets you drop in additional servers to support new devices really easily, and then if one type of NAS is smart enough to direct different types of requests (cli, 802.1X) to different servers, you can always use listen blocks in the different virtual servers, so that they can deal with requests sent to a particular IP alias or port, as well as internal requests.

Policies can be defined in policy.conf to share code between servers etc...

IMHO this is the best way to organise a server that serves many different types of NAS... if only it worked :)

-Arran

Arran Cudbard-Bell
RM-RF Limited - Security consultation and contracting
VoIP: +1 916-436-1352 Cell: +44 7854041841
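As an added illustration of the first two tiers of the layout sketched above (the outer server with a listen block, the assignment logic, and the internal "proxy-to" step), here is a FreeRADIUS 2.x style configuration excerpt. It is not from the thread or from the FreeRADIUS distribution; the names cli-ldap, eap-radius and nas-dispatch, the address 192.0.2.10, and the assumption that the cli-ldap and eap-radius virtual servers are defined in their own sites-enabled files are all placeholders.

```text
# --- raddb/proxy.conf: internal home servers (names are assumptions) ---
# virtual_server makes a home_server an internal target: the request goes to
# the named virtual server with no network hop, which is the "proxy-to" above.
home_server cli-ldap {
    virtual_server = cli-ldap
}
home_server eap-radius {
    virtual_server = eap-radius
}
home_server_pool cli-ldap {
    type = fail-over
    home_server = cli-ldap
}
home_server_pool eap-radius {
    type = fail-over
    home_server = eap-radius
}
realm cli-ldap {
    auth_pool = cli-ldap
}
realm eap-radius {
    auth_pool = eap-radius
}

# --- raddb/sites-enabled/nas-dispatch: assignment logic (192.0.2.10 is a placeholder) ---
server nas-dispatch {
    listen {
        type = auth
        ipaddr = 192.0.2.10
        port = 1812
    }
    authorize {
        # Route on NAS-Port-Type: CLI logins (Virtual) to LDAP, 802.1X
        # (Ethernet, Wireless) to the EAP server; anything else is refused
        # rather than falling through to a server that was not meant for it.
        if (NAS-Port-Type == Virtual) {
            update control {
                Proxy-To-Realm := "cli-ldap"
            }
        }
        elsif (NAS-Port-Type == Ethernet || NAS-Port-Type == Wireless-802.11) {
            update control {
                Proxy-To-Realm := "eap-radius"
            }
        }
        else {
            reject
        }
    }
}
```

A NAS that can already split CLI and 802.1X traffic itself can skip nas-dispatch and be pointed at a listen block inside cli-ldap or eap-radius directly, as the post suggests.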







