802.1X - ntlm, Secure LDAP and dynamic vlan
Hi, I am setting up a pilot for 802.1X with dynamic VLAN assignment based on the domain of the user attempting to connect to the switch. Users will be authenticated through different means depending on their domain ie user@domainA.com<mailto:user@domainA.com> = ntlm user@domainB.com<mailto:user@domainB.com> = Secure LDAP unrecognised domain = default guest VLAN I have got ntlm authentication and Secure LDAP authentication working independently but I would like some guidance as to how and where I configure the selection process and then then how to return the VLAN information Thanks Ray Burquest Consultant Respiro Pty Ltd m: +61 466 557 149 e: rburquest@respiro.com.au<mailto:rburquest@respiro.com.au>
On Aug 24, 2021, at 7:44 PM, Ray Burquest <rburquest@respiro.com.au> wrote:
Hi,
I am setting up a pilot for 802.1X with dynamic VLAN assignment based on the domain of the user attempting to connect to the switch. Users will be authenticated through different means depending on their domain ie
user@domainA.com = ntlm user@domainB.com = Secure LDAP unrecognised domain = default guest VLAN
I have got ntlm authentication and Secure LDAP authentication working independently but I would like some guidance as to how and where I configure the selection process and then then how to return the VLAN information
You return it in special RADIUS attributes. See the NAS documentation for which ones it needs. Typically it's: Tunnel-Type = VLAN, Tunnel-Medium-Type = IEEE-802, Tunnel-Private-Group-Id = "VLAN-NAME" Alan DeKok.
Thanks, I couldn't locate the NAS documentation could you provide the link. Also, where do I configure the process to select the auth method based on domain? Ray -----Original Message----- From: Alan DeKok <aland@deployingradius.com> Sent: Wednesday, 25 August 2021 10:52 AM To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org> Subject: Re: 802.1X - ntlm, Secure LDAP and dynamic vlan
On Aug 24, 2021, at 7:44 PM, Ray Burquest <rburquest@respiro.com.au> wrote:
Hi,
I am setting up a pilot for 802.1X with dynamic VLAN assignment based on the domain of the user attempting to connect to the switch. Users will be authenticated through different means depending on their domain ie
user@domainA.com = ntlm user@domainB.com = Secure LDAP unrecognised domain = default guest VLAN
I have got ntlm authentication and Secure LDAP authentication working independently but I would like some guidance as to how and where I configure the selection process and then then how to return the VLAN information
You return it in special RADIUS attributes. See the NAS documentation for which ones it needs. Typically it's: Tunnel-Type = VLAN, Tunnel-Medium-Type = IEEE-802, Tunnel-Private-Group-Id = "VLAN-NAME" Alan DeKok.
On Aug 24, 2021, at 11:04 PM, Ray Burquest <rburquest@respiro.com.au> wrote:
I couldn't locate the NAS documentation could you provide the link.
I don't know what NAS you have. You do. When someone asks "how do I make the NAS do X", then the answer is usually "read the NAS documentation". We can help with questions about FreeRADIUS. We don't keep documentation (or even links to documentation) for the many thousands of different pieces of NAS equipment.
Also, where do I configure the process to select the auth method based on domain?
You read the documentation and examples. There is no magic button saying "configure what I want". FreeRADIUS has a large number of configuration options, all of which are extensively documented. If you want to write some if / then / else rules to do something, then you need to understand your requirements and the "unlang" syntax. Then, just write the rules. If you're not sure how the server works, run it in debug mode. Generally, authentication methods are selected by setting the Auth-Type attribute. See the examples in sites-available/default to know more. And domains are represented as strings, in the User-Name attribute. You can compare strings with regular expressions. See "man unlang". Alan DeKok.
participants (2)
-
Alan DeKok -
Ray Burquest