BYOD User and dynamic vlan
Luc Paulin
paulinster at gmail.com
Fri May 19 16:13:13 CEST 2017
Great!! Thanx Matthew! That's exactly what I was looking for. I knew how to
send back vlan information, but couldn't figure out how to know if eap is
TLS or not.
Thanx a lot!
--
!!!!!
( o o )
--------------oOO----(_)----OOo--------------
Luc Paulin
email: paulinster(at)gmail.com
Skype: paulinster
2017-05-19 10:04 GMT-04:00 Matthew Newton <matthew at newtoncomputing.co.uk>:
> On Fri, May 19, 2017 at 09:53:10AM -0400, Luc Paulin wrote:
> > I was wondering if it would be something possible to assign vlan based on
> > the authentication type.
> >
> > I would like to enable wireless access to all users so they can login using
> > the AD credentials. However corporate system would have to use a
> > certificate so they can be placed in another vlan in order to be able to access
> > corporate resource.
>
> This is very common. You can do this with a bit of unlang (or
> other methods) assuming your NAS has support. Most respond to the
> standard Tunnel-Private-Group-Id attribute.
>
> So you might do something like
>
> if (&EAP-Type == EAP-TLS) {
>     update reply {
>         Tunnel-Type := 13               # 13 = VLAN
>         Tunnel-Medium-Type := 6         # 6 = IEEE-802
>         Tunnel-Private-Group-Id := 100  # VLAN ID
>     }
> }
> else {
>     update reply {
>         Tunnel-Type := 13
>         Tunnel-Medium-Type := 6
>         Tunnel-Private-Group-Id := 200
>     }
> }
>
> so if EAP-TLS is in use send back VLAN 100, otherwise send back
> VLAN 200.
>
> The attributes don't have to be set with unlang of course.
>
> --
> Matthew
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
More information about the Freeradius-Users
mailing list
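
Added example, not part of the original thread and not FreeRADIUS code: a Python check that decodes the three tunnel attributes discussed above from an Access-Accept, as one way to confirm which VLAN a reply actually assigns. The packet is constructed inline with a zeroed authenticator, the function names are hypothetical, and treating any leading octet of 0x1F or below as a tag is a simplification of RFC 2868.

```python
import struct

# Attribute numbers per RFC 2868; 13 and 6 are the values used in the thread.
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
VLAN, IEEE_802 = 13, 6

def attr(atype, value):
    """Encode one RADIUS attribute: type, length, value."""
    return bytes([atype, len(value) + 2]) + value

def tagged_int(atype, value, tag=0):
    """Tunnel-Type / Tunnel-Medium-Type: one tag octet plus a 3-octet value."""
    return attr(atype, bytes([tag]) + value.to_bytes(3, "big"))

def build_accept(vlan_id):
    """Constructed sample Access-Accept (code 2), authenticator zeroed."""
    attrs = (tagged_int(TUNNEL_TYPE, VLAN)
             + tagged_int(TUNNEL_MEDIUM_TYPE, IEEE_802)
             + attr(TUNNEL_PRIVATE_GROUP_ID, str(vlan_id).encode()))
    return struct.pack("!BBH16s", 2, 1, 20 + len(attrs), b"") + attrs

def assigned_vlan(packet):
    """Return the VLAN ID string if the full triplet is present, else None."""
    if len(packet) < 20:
        return None
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != 2 or length < 20 or length > len(packet):
        return None
    pos, seen = 20, {}
    while pos + 2 <= length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            return None  # malformed attribute: refuse to guess
        value = packet[pos + 2:pos + alen]
        if atype in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE) and len(value) == 4:
            seen[atype] = int.from_bytes(value[1:], "big")
        elif atype == TUNNEL_PRIVATE_GROUP_ID and value:
            # A leading octet <= 0x1F is a tag, not part of the string.
            raw = value[1:] if value[0] <= 0x1F else value
            seen[atype] = raw.decode("ascii", "replace")
        pos += alen
    # A NAS needs all three attributes; a bare group ID is not a VLAN assignment.
    if seen.get(TUNNEL_TYPE) != VLAN or seen.get(TUNNEL_MEDIUM_TYPE) != IEEE_802:
        return None
    return seen.get(TUNNEL_PRIVATE_GROUP_ID)
```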