Implementing Dynamic Interface Group Assignment with Cisco WLC

Anirudh Malhotra 8zero2ops at gmail.com
Thu Apr 7 03:48:44 CEST 2016


Read the Cisco ISE document to see if that can do it. Only then expect it from FR, because only then will you know which attributes to send.

BR,
Anirudh Malhotra
8zero2
Mail: 8zero2.in at gmail.com
Facebook: www.facebook.com/8zero2
Twitter: @8zero2_in
Blog: blog.8zero2.in

On 6 Apr 2016, 16:36 +0530, Clement Ogedengbe<c.ogedengbe at worc.ac.uk>, wrote:
> Hi,
> 
> Does anyone have any idea what attribute to use to return a parameter to the Cisco WLC for interface group assignment, instead of Tunnel-Private-Group-Id, which just returned the VLAN ID?
> 
> Best Regards
> 
> Clement
> 
> -----Original Message-----
> From: Freeradius-Users [mailto:freeradius-users-bounces+c.ogedengbe=worc.ac.uk at lists.freeradius.org] On Behalf Of Stefan Winter
> Sent: 06 April 2016 08:31
> To: freeradius-users at lists.freeradius.org
> Subject: Re: using SSL certs with EAP-TLS
> 
> Hi,
> 
> > > No. If your server certificate is from a CA, the client can verify
> > > that your server is genuine (if the client side is configured
> > > correctly to actually check CA and server name).
> > By "client", do you mean the RADIUS sense of client, like the
> > Access Point? Or the WLAN device, like a smartphone?
> 
> In this context, I meant the WLAN device.
> 
> > > Since there's no need to go down that route: don't. Issue client
> > > certificates from your own self-signed CA, and hand out client certs
> > > only to your own account holders. Then, no further checks are needed.
> > Ok, thanks. I will reconsider. It's not that I am too lame to generate
> > new certs and then import them to a handful of devices. It's more that I
> > like it that the same client cert in iOS can be used for S/MIME and
> > for auth with WPA2 Enterprise.
> 
> Ah, well that's a reason for using a commercial CA for the client certs indeed. As others have pointed out, attributes like TLS-Client-Cert-CN can be used to compare the cert name against a list of known-good names.
> Of course you'll have to manage that list of names yourself in config; on a scale of "handful" that's not a problem I guess. But on a larger scale, it will get bothersome.
> 
> Greetings,
> 
> Stefan Winter
> 
> > 
> > > Yes. There are examples in the shipped tarball of FreeRADIUS for that
> > > I think. That does not mean that it's the best idea to go down that route.
> > I'll look into that (I think it has something to do with the
> > check_cert_cn suggested by Alan).
> > 
> > > When you write above that you can use whatever string you like then
> > > probably you didn't try this at a remote hotspot. :-)
> > That's correct :D. In fact, last week was the first time I experienced
> > WPA2 Enterprise, and only with one (my own) AP.
> > 
> > Cheers!
> > 
> > -
> > List info/subscribe/unsubscribe? See
> > http://www.freeradius.org/list/users.html
> 
> 
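As an added example (not part of the thread and not shipped FreeRADIUS configuration), here is what the allow-list check Stefan describes looks like as a FreeRADIUS 3 unlang policy: the certificate's common name, which the server exposes as TLS-Client-Cert-Common-Name, is compared against a list of known-good names kept in config. The policy name and the host names are constructed assumptions.

```unlang
# policy.d/cert_allowlist (constructed name). Call it from the post-auth
# section of the virtual server that terminates EAP-TLS, e.g.
#   post-auth {
#       cert_allowlist
#   }
# Combining it with the tls-config option in mods-available/eap
#   check_cert_cn = %{User-Name}
# additionally rejects sessions whose certificate CN differs from the
# identity the supplicant sent, so the CN checked below is the one in
# the certificate, not a free-form User-Name.
cert_allowlist {
    # No certificate attributes means no client certificate was presented
    # (or another EAP type was negotiated): refuse rather than fall through.
    if (!&TLS-Client-Cert-Common-Name) {
        update reply {
            &Reply-Message := "client certificate required"
        }
        reject
    }

    # The list of known-good names lives here, in config, as the thread
    # notes. Names are constructed placeholders. The regex is anchored so
    # only these exact names match, not names that merely contain them.
    # At larger scale, replace this with a lookup via the files or sql
    # module rather than growing the regex.
    if (&TLS-Client-Cert-Common-Name !~ /^(alice|bob|carol)\.example\.org$/) {
        update reply {
            &Reply-Message := "certificate name is not on the allowed list"
        }
        reject
    }

    # Record which certificate was accepted; useful when reviewing logs.
    update reply {
        &Reply-Message := "accepted certificate CN %{TLS-Client-Cert-Common-Name}"
    }
    ok
}
```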

