provide DAC and NAC to one host
MichaelLeung
gbcbooksmj at gmail.com
Tue Mar 22 02:35:56 CET 2016
Hi Buxey,

Here is my policy for the SW 192.168.1.1:

devicemanager_check {
    if (Ldap-Group == "DeviceManager") {
        update {
            &control:User-Profile = "cn=DeviceManager,ou=Admin,ou=Group,dc=gd,dc=quantum-info,dc=com"
        }
    }
    elsif (Ldap-Group == "Device_Write") {
        update reply {
            &control:User-Profile = "cn=Device_Write,ou=Admin,ou=Group,dc=gd,dc=quantum-info,dc=com"
        }
        updated
    }
    elsif (Ldap-Group == "Device_Review") {
        update {
            &control:User-Profile = "cn=Device_Review,ou=Admin,ou=Group,dc=gd,dc=quantum-info,dc=com"
        }
        updated
    }
    else {
        update reply {
            &Reply-Message += "%{User-Name},you are not authorized to access , please confirm that you have the permission..."
        }
        reject
    }
}

You can see that when the SW sends a RADIUS request, it is always subject to
this policy check and is rejected if the user is not a member of the
specific group.

What I mean by providing DAC and NAC to one host is how to make the FreeRADIUS
server apply two different policies based on what request type it
receives.

On 03/21/2016 05:57 PM, A.L.M.Buxey at lboro.ac.uk wrote:
> Hi,
>
>> what am I supposed to do if I want to enable switch port dot1x
>> (network access control) on this switch with the same RADIUS server,
> read the manual/doc for your switch to ensure that you configure the 802.1X
> environment on the switch and set relevant required port configuration correctly.
>
> alan