Setting vlan tag based on authentication/authorization source

Tom Whitehouse tomw at cs.york.ac.uk
Thu Jun 29 13:11:00 CEST 2006


I have a freeradius setup (currently 1.1.1) for a VPN NAS box using 
128-bit MPPE MSCHAPv2 authentication against a Samba password file 
and have recently added an EAP/PEAP setup for switches and access 
points to provide 802.1x access control.

This all works, and I now need to check multiple Samba password 
files and, depending on which one contains the user's credentials, 
return a VLAN tag to the switch.

In users I think I need:

DEFAULT	something == "staff"
	Tunnel-Type:0 = VLAN,
	Tunnel-Medium-Type:0 = IEEE-802,
	Tunnel-Private-Group-Id:0 = 1000

DEFAULT	something == "student"
	Tunnel-Type:0 = VLAN,
	Tunnel-Medium-Type:0 = IEEE-802,
	Tunnel-Private-Group-Id:0 = 1001

where 'something' gets set depending on which password file the 
username exists in.

Note that usernames are mutually exclusive - they will only exist in 
one of the samba password files.

I created multiple instances of passwd modules:

	passwd smbpasswd_staff {
		filename = /path/to/smbpasswd_staff
		format = "*User-Name::LM-Password:NT-Password:SMB-Account-CTRL-TEXT::"
		authtype = MS-CHAP
		hashsize = 100
		ignorenislike = no
		allowmultiplekeys = no
	}

	passwd smbpasswd_student {
		filename = /path/to/smbpasswd_student
		format = "*User-Name::LM-Password:NT-Password:SMB-Account-CTRL-TEXT::"
		authtype = MS-CHAP
		hashsize = 100
		ignorenislike = no
		allowmultiplekeys = no
	}

and tried using realms and Autz-Type in the authorize section and 
changing User-Name to Stripped-User-Name, but this doesn't work with 
EAP. I would also prefer not to have the users specify some prefix 
or suffix to select which Samba password file is checked, if possible.

I've had a look through the list archives and can't find any hints, 
so can anyone suggest what I could try next?

Tom
-- 
Tom Whitehouse
Department of Computer Science, University of York
Heslington, York YO10 5DD, United Kingdom
email: tomw at cs.york.ac.uk  |  Fax:   +44 1904 432767
http://www.cs.york.ac.uk   |  Voice: +44 1904 434725
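Added example (editor's illustration, not part of Tom's post and not FreeRADIUS code): a small Python model of the lookup the post is asking for. It applies the passwd-module style format string from the post to two constructed smbpasswd files (':' separates fields, a leading '*' marks the key field, an empty name means the field is ignored), finds which file holds the username, and returns the Tunnel-* reply attributes with the VLAN ids 1000/1001 from the post. A user present in more than one file violates the stated "mutually exclusive" assumption and is treated as a configuration error rather than silently mapped to one VLAN. The hashes are placeholders, and the model does no MS-CHAP/EAP authentication; it only shows the file-to-VLAN mapping logic.

```python
"""Model of 'which smbpasswd file holds this user -> which VLAN'.

Added example, not the original post's or FreeRADIUS's own code.
Assumes the passwd-module format conventions: ':' separator,
'*' marks the key field, empty field name = ignore that field.
"""
from typing import Dict, Optional, Tuple

# Format string exactly as given in the post.
SMBPASSWD_FORMAT = "*User-Name::LM-Password:NT-Password:SMB-Account-CTRL-TEXT::"

# Constructed sample files. The 32-hex-digit values are placeholders,
# not real LM/NT hashes; the layout mirrors smbpasswd lines.
STAFF_FILE = """\
# staff smbpasswd (constructed)
alice:1001:0123456789ABCDEF0123456789ABCDEF:FEDCBA9876543210FEDCBA9876543210:[U          ]:LCT-00000000:
bob:1002:00000000000000000000000000000001:00000000000000000000000000000002:[U          ]:LCT-00000000:
"""
STUDENT_FILE = """\
# student smbpasswd (constructed)
carol:2001:00000000000000000000000000000003:00000000000000000000000000000004:[U          ]:LCT-00000000:
"""

# VLAN per password file, as in the post's users-file entries.
VLAN_BY_SOURCE = {"staff": "1000", "student": "1001"}


def parse_format(fmt: str) -> Tuple[int, Dict[int, str]]:
    """Return (key_field_index, {field_index: attribute_name})."""
    key = None
    mapping: Dict[int, str] = {}
    for i, name in enumerate(fmt.split(":")):
        if not name:            # empty name: field is ignored
            continue
        if name.startswith("*"):  # '*' marks the lookup key
            name = name[1:]
            key = i
        mapping[i] = name
    if key is None:
        raise ValueError("format string has no key field (leading '*')")
    return key, mapping


def load_passwd(text: str, fmt: str) -> Dict[str, Dict[str, str]]:
    """Index one password file by its key field, keeping named fields only."""
    key, mapping = parse_format(fmt)
    entries: Dict[str, Dict[str, str]] = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) <= key:
            continue  # malformed line: no key field present
        attrs = {name: fields[i] for i, name in mapping.items() if i < len(fields)}
        entries[fields[key]] = attrs
    return entries


def build_sources() -> Dict[str, Dict[str, Dict[str, str]]]:
    """Load both constructed files under the names used in VLAN_BY_SOURCE."""
    return {
        "staff": load_passwd(STAFF_FILE, SMBPASSWD_FORMAT),
        "student": load_passwd(STUDENT_FILE, SMBPASSWD_FORMAT),
    }


def resolve(username: str, sources) -> Optional[Tuple[str, Dict[str, str]]]:
    """Return (source_name, reply_attributes) for a user, or None if unknown.

    Raises ValueError if the user appears in more than one file, because the
    VLAN assignment would then be ambiguous (the post assumes exclusivity).
    """
    hits = [name for name, entries in sources.items() if username in entries]
    if not hits:
        return None
    if len(hits) > 1:
        raise ValueError(f"{username!r} found in several password files: {hits}")
    source = hits[0]
    reply = {
        "Tunnel-Type:0": "VLAN",
        "Tunnel-Medium-Type:0": "IEEE-802",
        "Tunnel-Private-Group-Id:0": VLAN_BY_SOURCE[source],
    }
    return source, reply


if __name__ == "__main__":
    srcs = build_sources()
    for user in ("alice", "carol", "nobody"):
        print(user, "->", resolve(user, srcs))
```

The interesting path is the duplicate case: if a username ever ends up in both files, the safe behaviour is to reject the lookup and fix the data, not to let list order decide which VLAN a device lands on.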
