Hi all, This is probably a bit newbie-ish, but I thought I'd try anyway. We are trying to authenticate users based on the username/password given AND the vlan they are authenticating from. Is this possible? A quick overview of our scenario is as follows: - Wireless service offering an SSID/VLAN for students and SSID/VLAN for staff. - Users connect to an SSID and are in the vlan associated for it. They are redirected to a portal where they must authenticate using radius - to -ldap authentication. We have this working. However, the question came up..what if a student connects to the Staff SSID/VLAN. His username/password would still authenticate correctly and he'd be given access at this point. But if we could get Radius to check and LDAP field which say which vlan he has access to, and allow or deny access to the network if the user is not currently in that vlan, then I guess that would be the ideal solution. Any suggestions are welcome. Thanks Matt mda@unb.ca
Hi,
authenticate correctly and he'd be given access at this point. But if we could get Radius to check and LDAP field which say which vlan he has access to, and allow or deny access to the network if the user is not currently in that vlan, then I guess that would be the ideal solution.
thats exactly one way to do it - use the LDAP checking for group attribute. other ways depend on how your directory is configured, do you have other attributes, are the userid's obvious etc? rlm_perl can then be used, for example to query and set the VLAN attribute correctly (if the WLAN kit supports such attributes) alan
participants (2)
-
A.L.M.Buxey@lboro.ac.uk -
Matt Ashfield