BYOD User and dynamic vlan
Matthew Newton
matthew at newtoncomputing.co.uk
Fri May 19 16:04:38 CEST 2017
On Fri, May 19, 2017 at 09:53:10AM -0400, Luc Paulin wrote:
> I was wondering if it would be something possible to assign vlan based on
> the authentication type.
>
> I would like to enable wireless access to all users so they can login using
> the AD credentials. However corporate systems would have to use a
> certificate so they can be placed in another vlan in order to be able to access
> corporate resources.
This is very common. You can do this with a bit of unlang (or
other methods) assuming your NAS has support. Most respond to the
standard Tunnel-Private-Group-Id attribute.
So you might do something like

  if (&EAP-Type == EAP-TLS) {
    update reply {
      Tunnel-Type := 13                # 13 = VLAN
      Tunnel-Medium-Type := 6          # 6 = IEEE-802
      Tunnel-Private-Group-Id := 100   # VLAN ID
    }
  }
  else {
    update reply {
      Tunnel-Type := 13
      Tunnel-Medium-Type := 6
      Tunnel-Private-Group-Id := 200
    }
  }

so if EAP-TLS is in use send back VLAN 100, otherwise send back
VLAN 200.
The attributes don't have to be set with unlang of course.
--
Matthew
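
An added example, not from the original post or the FreeRADIUS project: a Python check that decodes the three reply attributes as laid out in RFC 2868 / RFC 3580 and confirms each EAP type lands in the VLAN the policy above intends (100 for EAP-TLS, 200 otherwise). The function names, the POLICY table, the "PEAP" label and the sample bytes are constructed for illustration.

```python
# Added example: attribute numbers and layout follow RFC 2868 / RFC 3580.
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
VLAN, IEEE_802 = 13, 6              # the values 13 and 6 used in the policy above
POLICY = {"EAP-TLS": 100}           # VLAN per EAP type, as in the post
DEFAULT_VLAN = 200                  # every other EAP type

def encode_reply(vlan_id):
    """Constructed sample: the three reply attributes, untagged (tag 0)."""
    group = str(vlan_id).encode()
    return (bytes([TUNNEL_TYPE, 6, 0]) + VLAN.to_bytes(3, "big")
            + bytes([TUNNEL_MEDIUM_TYPE, 6, 0]) + IEEE_802.to_bytes(3, "big")
            + bytes([TUNNEL_PRIVATE_GROUP_ID, 2 + len(group)]) + group)

def parse_vlan(attrs):
    """Return the VLAN ID carried by a complete attribute triple, else None."""
    seen, i = {}, 0
    while i < len(attrs):
        if i + 2 > len(attrs) or attrs[i + 1] < 3 or i + attrs[i + 1] > len(attrs):
            raise ValueError("malformed attribute at offset %d" % i)
        atype, value = attrs[i], attrs[i + 2:i + attrs[i + 1]]
        if atype in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            if len(value) != 4:
                raise ValueError("tunnel attribute must be tag + 3-byte value")
            seen[atype] = int.from_bytes(value[1:], "big")
        elif atype == TUNNEL_PRIVATE_GROUP_ID:
            # A first byte <= 0x1F is a tag; a higher byte is already string data.
            seen[atype] = value[1:] if value[0] <= 0x1F else value
        i += attrs[i + 1]
    group = seen.get(TUNNEL_PRIVATE_GROUP_ID, b"")
    # A missing or wrong Tunnel-Type / Tunnel-Medium-Type means no VLAN is assigned.
    if (seen.get(TUNNEL_TYPE) != VLAN or seen.get(TUNNEL_MEDIUM_TYPE) != IEEE_802
            or not group.isdigit() or not 1 <= int(group) <= 4094):
        return None
    return int(group)

def reply_matches_policy(eap_type, attrs):
    """True when the reply puts this EAP type in the VLAN the policy intends."""
    return parse_vlan(attrs) == POLICY.get(eap_type, DEFAULT_VLAN)

if __name__ == "__main__":
    # The last case is a password-based login answered with the certificate VLAN.
    for eap, vlan in (("EAP-TLS", 100), ("PEAP", 200), ("PEAP", 100)):
        print(eap, vlan, reply_matches_policy(eap, encode_reply(vlan)))
```

Running a check like this against replies captured in a test environment catches the failure that matters here: a password-authenticated device being handed the corporate VLAN.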