Implementing Dynamic Interface Group Assignment with Cisco WLC

Anirudh Malhotra 8zero2ops at gmail.com
Thu Apr 7 03:56:36 CEST 2016


Never mind, I found something which answers it; use the link
http://www.cisco.com/c/en/us/support/docs/wireless/4100-series-wireless-lan-controllers/96103-wlc-attributes.html#s3

BR,
Anirudh Malhotra
8zero2
Mail: 8zero2.in at gmail.com
Facebook: www.facebook.com/8zero2
Twitter: @8zero2_in
Blog: blog.8zero2.in

On 6 Apr 2016, 16:36 +0530, Clement Ogedengbe <c.ogedengbe at worc.ac.uk>, wrote:
> Hi,
> 
> Does anyone have any idea about what attribute to use to return a parameter to Cisco WLC for Interface group assignment instead of Tunnel-Private-Group-Id, which just returned the VLAN ID?
> 
> Best Regards
> 
> Clement
> 
> -----Original Message-----
> From: Freeradius-Users [mailto:freeradius-users-bounces+c.ogedengbe=worc.ac.uk at lists.freeradius.org] On Behalf Of Stefan Winter
> Sent: 06 April 2016 08:31
> To: freeradius-users at lists.freeradius.org
> Subject: Re: using SSL certs with EAP-TLS
> 
> Hi,
> 
> > > No. If your server certificate is from a CA, the client can verify
> > > that your server is genuine (if the client side is configured
> > > correctly to actually check CA and server name).
> > With using client: you mean the RADIUS explanation of client? Like the
> > Access Point? or the WLAN device, like a smartphone?
> 
> In this context, I meant the WLAN device.
> 
> > > Since there's no need to go down that route: don't. Issue client
> > > certificates from your own self-signed CA, and hand out client certs
> > > only to your own account holders. Then, no further checks are needed.
> > > Ok, thanks. I will reconsider. It's not that I am too lame to generate
> > > new certs and then import them to a handful of devices. It's more that I
> > like it that the same client cert in iOS can be used for S/MIME and
> > for auth with WPA2 Enterprise.
> 
> Ah, well that's a reason for using a commercial CA for the client certs indeed. As others have pointed out, attributes like TLS-Client-Cert-CN can be used to compare the cert name against a list of known-good names.
> Of course you'll have to manage that list of names yourself in config; on a scale of "handful" that's not a problem I guess. But on a larger scale, it will get bothersome.
> 
> Greetings,
> 
> Stefan Winter
> 
> > 
> > > Yes. There are examples in the shipped tarball of FreeRADIUS for that
> > > I think. That does not mean that it's the best idea to go down that route.
> > > I'll look into that (I think it has something to do with the
> > > check_cert_cn suggested by Alan).
> > 
> > > When you write above that you can use whatever string you like then
> > > probably you didn't try this at a remote hotspot. :-)
> > > That's correct :D. In fact, last week was the first time I experienced
> > WPA2 Enterprise and only with one (my own) AP.
> > 
> > Cheers!
> > 
> > -
> > List info/subscribe/unsubscribe? See
> > http://www.freeradius.org/list/users.html
> 
> 

