802.1x issues with different NAS' types
Alan DeKok
aland at deployingradius.com
Wed Mar 24 12:39:21 CET 2021
On Mar 24, 2021, at 7:15 AM, Marco Miglietta <marco.miglietta at unisalento.it> wrote:
> In order to solve the problem in passing VLAN related attribute during 802.1x authentication with Aruba AP, I found the post below useful.
> But this caused problems with VLAN assignment on Junipers switches during the 802.1x authentication process.
> What is a way to solve the problem? The solutions seem to be mutually exclusive.
There is not a unique "the problem" which is being solved. Instead, there is a whole grab-bag of issues.
IF you want to apply policies based on "real" name, THEN for PEAP / TTLS, that real name is only available in the inner tunnel. AND THEN you have to apply the policies in the inner tunnel, and then copy the results to the outer reply.
IF you want to apply policies based on things like MAC addresses, THEN those addresses are always available (you don't need inner-tunnel). AND THEN you can just apply policies in the "default" outer virtual server.
There is no "magic set of incantations" which will make FreeRADIUS do what you want. You have to understand what's going on, including understanding how FreeRADIUS works. And only then can you configure the server to do it.
Alan DeKok.
More information about the Freeradius-Users
mailing list