[RADIATOR] dynamic vlan assignment based on machine name

Pearson, Mark mark.pearson at ntu.ac.uk
Mon Nov 14 10:11:58 CST 2011


Thanks Heikki, I will use this to start my testing.

regards
Mark Pearson
Infrastructure Development Team Leader

Information Systems
Nottingham Trent University
Shakespeare St
Nottingham
NG1 4FQ

0115 848 8287 (work)
07900 138476 (mob)


-----Original Message-----
From: Heikki Vatiainen [mailto:hvn at open.com.au]
Sent: 14 November 2011 13:18
To: Pearson, Mark
Cc: 'radiator at open.com.au'
Subject: Re: [RADIATOR] dynamic vlan assignment based on machine name

On 11/11/2011 01:39 PM, Pearson, Mark wrote:

> I'm guessing this has been done several times so rather than invent
> the wheel thought I would ask here.

Well, I guess there's always some reinventing involved with these things, but please see below for some ideas :)

> On our wireless network we want to create an AD group of "known devices"
> using machine name. When a user authenticates to the wireless, firstly
> needs to check if they are a valid user in AD, if so, then check  if
> the machine name is the in "known devices", if so,  then they are
> assigned vlan A. If they are a valid user but not in the group they
> are assigned vlan B.

Here's a simple config that shows how to use two AuthBys to first authenticate the user and then add attributes based on other information from the request.

<Handler>
        AuthByPolicy ContinueWhileAccept
        <AuthBy FILE>
                # Authenticate the user
                Filename        %D/users
        </AuthBy>
        <AuthBy FILE>
                # Choose VLAN based on Calling-Station-Id
                AuthenticateAttribute Calling-Station-Id
                Filename        %D/users-authattr
                AddToReply Tunnel-Type=1:VLAN,Tunnel-Medium-Type=1:Ether_802
        </AuthBy>
</Handler>

File users is simply:
mikem  User-Password=fred

File users-authattr is:

987654321
        Tunnel-Private-Group-ID=1:100
987654322
        Tunnel-Private-Group-ID=1:200
DEFAULT
        Tunnel-Private-Group-ID=1:300


Test with:

% ./radpwtst -trace 4 -noacct -calling_station_id 987654321
% ./radpwtst -trace 4 -noacct -calling_station_id 987654322
% ./radpwtst -trace 4 -noacct -calling_station_id 987654323

The default username and password are mike/fred and when you vary the C-S-I attribute, different VLAN IDs are returned.

> We are using cisco WLC and Radiator 4.7. Currently we use cisco ACS
> for the user authentication and only use Radiator for eduroam with
> AuthBy LSA. Our AD is 2008. Moving forward I want to use Radiator for
> both user and device authentication and also TACACS (that can wait for
> another day though).

TACACS is widely used with Radiator, so that should not be a problem.
You can even run a separate instance for TACACS if you want to keep it separate from other authentication. That might help with the initial setup and debugging too.

> Any advice on how to do this, where to start and any sample Radiator
> configs would be appreciated.

The example above shows how to chain AuthBys, so that might be the general idea how to combine authentication and VLAN assignment. Both AuthBys do a lookup from a file, but you can use e.g. NTLM and SQL. The second lookup depends on how you can make the list of known machines available for Radiator.

Thanks!
Heikki

--
Heikki Vatiainen <hvn at open.com.au>

Radiator: the most portable, flexible and configurable RADIUS server anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP, DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS, NetWare etc.
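The following Python script is an added example, not part of the thread and not Radiator code: it models the two-stage Handler above (AuthByPolicy ContinueWhileAccept, a password AuthBy followed by a Calling-Station-Id lookup with AddToReply and a DEFAULT fallback) so that the chain semantics and the resulting RADIUS tunnel attributes can be checked offline. The users-file parser is a simplification of Radiator's flat file format (check items on the key line, reply items on indented lines), and the two sample files are constructed to match the thread. Because Calling-Station-Id is a client-reported MAC address, a "known devices" list keyed on it is a weak device identifier; the comments call out where that assumption sits.

```python
"""Model of the password-then-VLAN AuthBy chain discussed in the thread (added example)."""
from typing import Dict, Optional, Tuple

# Constructed sample of the "users" file: key line holds the check items.
USERS_FILE = """\
mikem  User-Password=fred
"""

# Constructed sample of "users-authattr": key is the Calling-Station-Id,
# indented lines are reply items; DEFAULT applies when no key matches.
USERS_AUTHATTR_FILE = """\
987654321
        Tunnel-Private-Group-ID=1:100
987654322
        Tunnel-Private-Group-ID=1:200
DEFAULT
        Tunnel-Private-Group-ID=1:300
"""

# Items that "AddToReply" in the second AuthBy contributes to every accepted reply.
ADD_TO_REPLY = {"Tunnel-Type": "1:VLAN", "Tunnel-Medium-Type": "1:Ether_802"}


def parse_users_file(text: str) -> Dict[str, Dict[str, Dict[str, str]]]:
    """Parse a simplified Radiator users file.

    A non-indented line starts an entry: first token is the key, the remaining
    'Attr=Value' tokens are check items. Indented lines carry reply items.
    Returns {key: {"check": {...}, "reply": {...}}}.
    """
    entries: Dict[str, Dict[str, Dict[str, str]]] = {}
    current: Optional[Dict[str, Dict[str, str]]] = None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue  # blank line or comment
        if raw[0] not in " \t":
            key, *items = raw.split()
            current = entries.setdefault(key, {"check": {}, "reply": {}})
            bucket = current["check"]
        else:
            if current is None:
                continue  # continuation line before any key: ignore
            items = raw.split()
            bucket = current["reply"]
        for item in items:
            attr, _, value = item.partition("=")
            bucket[attr] = value
    return entries


def authby_password(users, username: str, password: str) -> bool:
    """Stage 1 (AuthBy FILE on %D/users): accept only if the User-Password check item matches."""
    entry = users.get(username)
    return entry is not None and entry["check"].get("User-Password") == password


def authby_calling_station(table, calling_station_id: str) -> Optional[Dict[str, str]]:
    """Stage 2 (AuthenticateAttribute Calling-Station-Id): look the MAC up, fall back to DEFAULT.

    Note: the key is supplied by the client, so a match only proves the client
    claimed a listed MAC, not that it is the listed device.
    """
    entry = table.get(calling_station_id) or table.get("DEFAULT")
    if entry is None:
        return None
    reply = dict(ADD_TO_REPLY)
    reply.update(entry["reply"])
    return reply


def handle_request(request: Dict[str, str]) -> Tuple[str, Dict[str, str]]:
    """ContinueWhileAccept: run each AuthBy in turn; stop and reject at the first non-accept."""
    users = parse_users_file(USERS_FILE)
    table = parse_users_file(USERS_AUTHATTR_FILE)
    if not authby_password(users, request.get("User-Name", ""), request.get("User-Password", "")):
        return ("Access-Reject", {})
    reply = authby_calling_station(table, request.get("Calling-Station-Id", ""))
    if reply is None:
        return ("Access-Reject", {})
    return ("Access-Accept", reply)


def vlan_from_reply(reply: Dict[str, str]) -> Tuple[int, int]:
    """Split 'tag:vlan' in Tunnel-Private-Group-ID into (tag, vlan_id) as the WLC will read it."""
    tag, _, vlan = reply["Tunnel-Private-Group-ID"].partition(":")
    return int(tag), int(vlan)


if __name__ == "__main__":
    # Mirrors the three radpwtst runs from the thread.
    for csi in ("987654321", "987654322", "987654323"):
        code, attrs = handle_request({"User-Name": "mikem", "User-Password": "fred",
                                      "Calling-Station-Id": csi})
        print(csi, code, attrs)
```

Running the script prints one line per Calling-Station-Id: the two listed MACs get VLAN 100 and 200, the unknown one falls through to DEFAULT and gets VLAN 300, and a wrong password is rejected before the VLAN lookup ever runs.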