Hi all, I was wondering if it would be something possible to assign vlan based on the authentication type. I would like to enable wireless access to all user so they can login using the AD credentials. However corporate system would have to use a certificate so they can be place in another vlan in order to be able access corporate resource. Any other byod/security suggestions is welcome! -- !!!!! ( o o ) --------------oOO----(_)----OOo-------------- Luc Paulin email: paulinster(at)gmail.com Skype: paulinster
On Fri, May 19, 2017 at 09:53:10AM -0400, Luc Paulin wrote:
I was wondering if it would be something possible to assign vlan based on the authentication type.
I would like to enable wireless access to all user so they can login using the AD credentials. However corporate system would have to use a certificate so they can be place in another vlan in order to be able access corporate resource.
This is very common. You can do this with a bit of unlang (or other methods) assuming your NAS has support. Most respond to the standard Tunnel-Private-Group-Id attribute. So you might do something list if (&EAP-Type == EAP-TLS) { update reply { Tunnel-Type := 13 Tunnel-Medium-Type := 6 Tunnel-Private-Group-Id := 100 } } else { update reply { Tunnel-Type := 13 Tunnel-Medium-Type := 6 Tunnel-Private-Group-Id := 200 } } so if EAP-TLS is in use send back VLAN 100, otherwise send back VLAN 200. The attributes don't have to be set with unlang of course. -- Matthew
Great!! Thanx Matthew! That's exactly what I was looking for. I knew how to send back vlan information, but could't figure out how to know if eap is TLS or not. Thanx a lot! -- !!!!! ( o o ) --------------oOO----(_)----OOo-------------- Luc Paulin email: paulinster(at)gmail.com Skype: paulinster 2017-05-19 10:04 GMT-04:00 Matthew Newton <matthew@newtoncomputing.co.uk>:
On Fri, May 19, 2017 at 09:53:10AM -0400, Luc Paulin wrote:
I was wondering if it would be something possible to assign vlan based on the authentication type.
I would like to enable wireless access to all user so they can login using the AD credentials. However corporate system would have to use a certificate so they can be place in another vlan in order to be able access corporate resource.
This is very common. You can do this with a bit of unlang (or other methods) assuming your NAS has support. Most respond to the standard Tunnel-Private-Group-Id attribute.
So you might do something list
if (&EAP-Type == EAP-TLS) { update reply { Tunnel-Type := 13 Tunnel-Medium-Type := 6 Tunnel-Private-Group-Id := 100 } } else { update reply { Tunnel-Type := 13 Tunnel-Medium-Type := 6 Tunnel-Private-Group-Id := 200 } }
so if EAP-TLS is in use send back VLAN 100, otherwise send back VLAN 200.
The attributes don't have to be set with unlang of course.
-- Matthew - List info/subscribe/unsubscribe? See http://www.freeradius.org/ list/users.html
On 19 May 2017, at 14:53, Luc Paulin <paulinster@gmail.com> wrote:
Hi all, I was wondering if it would be something possible to assign vlan based on the authentication type.
I would like to enable wireless access to all user so they can login using the AD credentials. However corporate system would have to use a certificate so they can be place in another vlan in order to be able access corporate resource.
Any other byod/security suggestions is welcome!
Easy enough. Just some unlang in post-auth should do the trick. To assign the vlan for AD based logins simply assign the VLAN in the inner-tunnel post auth. e.g.: post-auth { update reply { &Tunnel-Medium-Type := "IEEE-802" &Tunnel-Type := “VLAN" &Tunnel-Private-Group-Id := “5678" &Termination-Action := "RADIUS-Request" } update { &outer.session-state: += &reply: } Then in the outer tunnel post-auth add the vlan override for cert based auth. e.g.: post-auth { if (&EAP-Type == 13) { update reply { &Tunnel-Medium-Type := "IEEE-802" &Tunnel-Type := “VLAN" &Tunnel-Private-Group-Id := “1234" &Termination-Action := "RADIUS-Request" } } else { update { &reply: += &session-state: } } Regards Scott
participants (3)
-
Luc Paulin -
Matthew Newton -
Scott Armitage