BYOD User and dynamic vlan
Scott Armitage
S.P.Armitage at lboro.ac.uk
Fri May 19 16:14:20 CEST 2017
> On 19 May 2017, at 14:53, Luc Paulin <paulinster at gmail.com> wrote:
>
> Hi all,
> I was wondering if it would be something possible to assign vlan based on
> the authentication type.
>
> I would like to enable wireless access to all users so they can login using
> the AD credentials. However corporate systems would have to use a
> certificate so they can be placed in another vlan in order to be able to access
> corporate resources.
>
> Any other byod/security suggestions are welcome!
>
Easy enough. Just some unlang in post-auth should do the trick.
To assign the VLAN for AD-based logins, simply assign the VLAN in the inner-tunnel post-auth, e.g.:

post-auth {
    update reply {
        &Tunnel-Medium-Type := "IEEE-802"
        &Tunnel-Type := "VLAN"
        &Tunnel-Private-Group-Id := "5678"
        &Termination-Action := "RADIUS-Request"
    }
    # Save the inner reply in the outer session-state so the
    # outer post-auth can return it.
    update {
        &outer.session-state: += &reply:
    }
}

Then in the outer tunnel post-auth add the VLAN override for cert-based auth, e.g.:

post-auth {
    # EAP-Type 13 is EAP-TLS (certificate authentication).
    if (&EAP-Type == 13) {
        update reply {
            &Tunnel-Medium-Type := "IEEE-802"
            &Tunnel-Type := "VLAN"
            &Tunnel-Private-Group-Id := "1234"
            &Termination-Action := "RADIUS-Request"
        }
    }
    else {
        # Otherwise return the attributes saved by the inner tunnel.
        update { &reply: += &session-state: }
    }
}

Regards
Scott
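
To confirm which VLAN an Access-Accept actually carries on the wire (for instance from a capture taken between the RADIUS server and the access point), the four reply attributes set above can be decoded following RFC 2865, RFC 2868 and RFC 3580. This is an added example, not part of the original message or of FreeRADIUS; build_accept, parse_vlan and the sample packets are constructed for illustration, and the Response Authenticator is not validated.

```python
import struct

# Attribute numbers from RFC 2865 / RFC 2868; values from RFC 3580.
TERMINATION_ACTION, TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 29, 64, 65, 81
ACCESS_ACCEPT, VLAN, IEEE_802, RADIUS_REQUEST = 2, 13, 6, 1

def _avp(code, value):
    return bytes([code, len(value) + 2]) + value

def build_accept(vlan_id, tag=0):
    """Constructed sample Access-Accept (zeroed authenticator, illustration only)."""
    group = (bytes([tag]) if tag else b"") + vlan_id.encode("ascii")
    avps = (_avp(TUNNEL_MEDIUM_TYPE, bytes([tag]) + IEEE_802.to_bytes(3, "big"))
            + _avp(TUNNEL_TYPE, bytes([tag]) + VLAN.to_bytes(3, "big"))
            + _avp(TUNNEL_PRIVATE_GROUP_ID, group)
            + _avp(TERMINATION_ACTION, struct.pack("!I", RADIUS_REQUEST)))
    return struct.pack("!BBH16s", ACCESS_ACCEPT, 1, 20 + len(avps), bytes(16)) + avps

def _tagged_int(value):
    """Tunnel-Type / Tunnel-Medium-Type: one tag byte, then a 3-byte integer."""
    return int.from_bytes(value[1:], "big") if len(value) == 4 else None

def parse_vlan(packet):
    """Return the VLAN ID an Access-Accept assigns, or None if it assigns none."""
    if len(packet) < 20:
        raise ValueError("shorter than a RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_ACCEPT or not 20 <= length <= len(packet):
        raise ValueError("not a well-formed Access-Accept")
    attrs, pos = {}, 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        a_len = packet[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError("bad attribute length")
        attrs.setdefault(packet[pos], packet[pos + 2:pos + a_len])  # first instance wins
        pos += a_len
    if (_tagged_int(attrs.get(TUNNEL_TYPE, b"")) != VLAN
            or _tagged_int(attrs.get(TUNNEL_MEDIUM_TYPE, b"")) != IEEE_802):
        return None
    group = attrs.get(TUNNEL_PRIVATE_GROUP_ID, b"")
    if group and 0 < group[0] <= 0x1F:  # optional RFC 2868 tag byte
        group = group[1:]
    return group.decode("ascii", "replace") or None

if __name__ == "__main__":
    for vlan in ("5678", "1234"):  # AD (inner-tunnel) VLAN and EAP-TLS VLAN from the post
        print(vlan, "->", parse_vlan(build_accept(vlan)))
```

A reply that lacks Tunnel-Type or Tunnel-Medium-Type yields None, which is the case to look for when a client ends up in the switch's default VLAN.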