assigning vlan based on NAS and LDAP field?

Jacob Jarick mem.namefix at gmail.com
Mon Apr 16 07:39:03 CEST 2007


Jerry,
I hate to be a pain but what you have implemented atm is my next task
with freeradius.

Would you mind linking any howtos you use, thanks.

Also, how do you get freeradius to find a user's group, then report it back
to the cisco / ap so it can decide what vlan the client belongs on?

Many thanks in advance.

On 4/14/07, jerrrry at voila.fr <jerrrry at voila.fr> wrote:
> > Message of 13/04/07 at 11:43
> > From: "Kostas Kalevras"
> > To: mda at unb.ca, "FreeRadius users mailing list"
> > Cc:
> > Subject: Re: assigning vlan based on NAS and LDAP field?
> >
> > Matt Ashfield wrote:
> > > Hi all,
> > >
> > > We're using FR authenticating against LDAP to implement our wireless
> > > solution. Basically, we are looking at the LDAP field of record type and
> > > determining if it is a staff or a student, and assigning a vlan based on
> > > that. Pretty simple and it works. However, there are two issues with this:
> > >
> > > 1. We have a sister campus, on a different network, but who are sharing the
> > > same FR and LDAP servers for authentication. Obviously their NAS's are
> > > different than ours because we're in different physical locations and
> > > networks. With our current configuration, it looks like we have to define
> > > the exact same vlan IDs and the same vlan eligibility rules (ie staff get
> > > vlan x and student get vlan y) in order for this to work. I guess I'm hoping
> > > there is a way to assign different vlans based on the NAS ip address in
> > > addition to the student/staff distinction.
> >
> > You can use multiple ldap module instances and set Autz-Type depending on
> > the nas ip address (or better yet huntgroups)
> >
> > > 2. This follows into our future wired side implementation of 802.1x. In this
> > > case, we don't want our staff/student wired users to be assigned to the same
> > > vlans as they would be if they were on wireless. Rather we'd prefer to break
> > > them up based on their NAS or something like that.
> > >
> > > Anyways, I realize this is quite an odd situation, but probably quite
> > > similar to what many EDU people are encountering. Any help/advice is greatly
> > > appreciated.
>
> you have to find an attribute in the radius nas request that will
> differentiate a wifi connection and a wired 802.1x connection:
>
> for me it is
>
> NAS-Port-Type = Wireless-802.11 for wifi
>
> and
>
> NAS-Port-Type = ethernet for wired 802.1x
>
> depending on this you send one vlan or another in the radius response.
>
> but you still can do it depending on the nas IP
>
> Thomas
>
> > > Thanks
> > >
> > > Matt
> > > mda at unb.ca
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>
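
The approach discussed in this thread (huntgroups keyed on the NAS address, NAS-Port-Type to separate wifi from wired 802.1x, and an LDAP group check to pick the VLAN), sketched as FreeRADIUS configuration. This is an added example, not configuration posted by anyone in the thread: the huntgroup names, IP addresses, LDAP group names and VLAN IDs are constructed. It assumes the ldap module is set up so that Ldap-Group checks work and that preprocess runs before files in the authorize section.

```text
# --- raddb/huntgroups (read by the preprocess module) ---
# Constructed NAS addresses from documentation ranges; one line per NAS.
main-campus     NAS-IP-Address == 192.0.2.10
main-campus     NAS-IP-Address == 192.0.2.11
sister-campus   NAS-IP-Address == 198.51.100.10

# --- raddb/users (read by the files module) ---
# The first matching entry wins (no Fall-Through is set), so order matters.
# The three Tunnel-* reply attributes are what the switch or AP uses to
# place the client in a VLAN (RFC 3580). VLAN IDs below are constructed.

# Main campus, wifi
DEFAULT Huntgroup-Name == "main-campus", NAS-Port-Type == Wireless-802.11, Ldap-Group == "staff"
        Tunnel-Type = VLAN,
        Tunnel-Medium-Type = IEEE-802,
        Tunnel-Private-Group-Id = "110"

DEFAULT Huntgroup-Name == "main-campus", NAS-Port-Type == Wireless-802.11, Ldap-Group == "student"
        Tunnel-Type = VLAN,
        Tunnel-Medium-Type = IEEE-802,
        Tunnel-Private-Group-Id = "120"

# Main campus, wired 802.1x: same people, different VLANs than on wifi
DEFAULT Huntgroup-Name == "main-campus", NAS-Port-Type == Ethernet, Ldap-Group == "staff"
        Tunnel-Type = VLAN,
        Tunnel-Medium-Type = IEEE-802,
        Tunnel-Private-Group-Id = "210"

DEFAULT Huntgroup-Name == "main-campus", NAS-Port-Type == Ethernet, Ldap-Group == "student"
        Tunnel-Type = VLAN,
        Tunnel-Medium-Type = IEEE-802,
        Tunnel-Private-Group-Id = "220"

# Sister campus, wifi: its own VLAN numbering, same RADIUS and LDAP servers
DEFAULT Huntgroup-Name == "sister-campus", NAS-Port-Type == Wireless-802.11, Ldap-Group == "staff"
        Tunnel-Type = VLAN,
        Tunnel-Medium-Type = IEEE-802,
        Tunnel-Private-Group-Id = "310"

# A user who matches no entry gets no Tunnel-* attributes and lands on
# whatever VLAN the port or SSID defaults to, so keep that default restricted.
```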



