Deleting VLAN information while proxying
Tomasz Wolniewicz
Tomasz.Wolniewicz at uni.torun.pl
Tue Feb 7 14:28:03 CET 2006
We have the following problem arising form the eduroam project.
Our university radius server sets VLAN information based on user
attributes form the LDAP directory.
This works fine when the system is used internally. However when our
user authenticates while visiting another institution, this VLAN
information should not be sent out. In such a situation, the
authentication request arrives via the national proxy. We have managed
to configure VLAN blocking for EAP-TLS since then we can use
Client-IP-Address information. If this address corresponds to the
address of the national proxy then we do not set VLAN information at
all. This approach breaks down with EAP-TTLS. The internal proxy
mechanism rewrites the Client-IP-Address to localhost and all requests
look the same.
We could in principle base our decision on huntgroups, creating a
huntgroup for all out NASes, but his looks so clumsy and a mess to
administer.
Is there a better trick to solve this?
Tomasz
-- Tomasz Wolniewicz Tomasz.Wolniewicz at uni.torun.pl
http://www.uni.torun.pl/~twoln Uczelniane Centrum Informatyczne
Information&Communication Technology Centre Uniwersytet Mikolaja
Kopernika Nicolaus Copernicus University, pl. Rapackiego 1, Torun pl.
Rapackiego 1, Torun, Poland tel: +48-56-611-2750 fax: +48-56-622-1850
tel kom.: +48-693-032-576
More information about the Freeradius-Users
mailing list