On 19 May 2017, at 14:53, Luc Paulin <paulinster@gmail.com> wrote:
Hi all, I was wondering if it would be something possible to assign vlan based on the authentication type.
I would like to enable wireless access to all user so they can login using the AD credentials. However corporate system would have to use a certificate so they can be place in another vlan in order to be able access corporate resource.
Any other byod/security suggestions is welcome!
Easy enough. Just some unlang in post-auth should do the trick. To assign the vlan for AD based logins simply assign the VLAN in the inner-tunnel post auth. e.g.: post-auth { update reply { &Tunnel-Medium-Type := "IEEE-802" &Tunnel-Type := “VLAN" &Tunnel-Private-Group-Id := “5678" &Termination-Action := "RADIUS-Request" } update { &outer.session-state: += &reply: } Then in the outer tunnel post-auth add the vlan override for cert based auth. e.g.: post-auth { if (&EAP-Type == 13) { update reply { &Tunnel-Medium-Type := "IEEE-802" &Tunnel-Type := “VLAN" &Tunnel-Private-Group-Id := “1234" &Termination-Action := "RADIUS-Request" } } else { update { &reply: += &session-state: } } Regards Scott