(RADIATOR) Help understanding handlers to allow a guest vlan fallback on wireless

doc@dcclrt.co.uk davidandrew at dcclrt.co.uk
Wed Dec 1 12:01:24 CST 2004


Hi Everyone.

I'm using an Enterasys Roamabout 3000 AP to authenticate users via Radiator.
Radiator is configured to use LDAP to NDS, which is working successfully with the current configuration.
I have many different sites that are on different VLANs where wireless users will need to authenticate.
If authentication fails, we want a default guest VLAN assigned, whereby the user can then download the client needed for 802.1X authentication.

I just do not know the correct way to go about this in the configuration file. I've tried and failed, but I don't fully understand handlers and realms and how they interact with the rest of the config file. (Yes, I've RTFM many, many times.)

Below is the radiator config file I am using at the moment, it is by no means complete.
As it is, the config file is configured to authenticate a testbed set of users, but I want to add configuration for further Clients with the same LDAP authentication method and also, if necessary, a default VLAN fallback mechanism.

It may well be that my AP does not support "dynamic VLAN" setup. The AP is connected to a Cisco 2950 with IOS Enhanced Image.

Any help would be greatly appreciated.

---------------------
Foreground
LogStdout
LogDir          /var/log/radius
LogFile         %L/%Y-%m-log
DbDir           /etc/radiator
Trace           4
AuthPort        1812
#AcctPort       1813

<Client xxx.xxx.xxx.xxx>
        IdenticalClients        xxx.xxx.xxx.xxx
        Secret          1234
        DupInterval     0
        Identifier      isu
</Client>

<Handler Client-Identifier=isu>
        <AuthBy LDAP2>
                # Tell Radiator how to talk to the LDAP server
                ServerChecksPassword 1
                Host            xxx.xxx.xxx.xxx
                Port            389

                # You will only need these if your LDAP server
                # requires authentication. These are the examples
                # in a default OpenLDAP installation
                # see /etc/openldap/slapd.conf
                # AuthDN        CN=ADMIN, O=MMU
                # AuthPassword  xxxxxxxxxx

                # This the top of the search tree where users
                # will be found. It should match the configuration
                # of your server, see /etc/openldap/slapd.conf
                BaseDN          o=xxx

                # This is the LDAP attribute to match the radius user name
                UsernameAttr    cn

                # You can enable debugging of the Net::LDAP
                # module with this:
                #Debug 255

                EAPType TTLS
                EAPTLS_CAFile /etc/radiator/certificates/xxxxxxx.pem
                EAPTLS_CertificateFile /etc/radiator/certificates/cert-srv.pem
                EAPTLS_CertificateType PEM
                EAPTLS_PrivateKeyFile /etc/radiator/certificates/xxxxxxxxx.xxx
                EAPTLS_PrivateKeyPassword whatever
                EAPTLS_MaxFragmentSize 1000
                AutoMPPEKeys

#               # Dynamic VLAN reply attributes (RFC 2868 tunnel attributes),
#               # currently disabled. The attribute name is Tunnel-Private-Group-ID
#               # in both the strip list and the reply.
#               StripFromReply  Tunnel-Type,\
#                               Tunnel-Medium-Type,\
#                               Tunnel-Private-Group-ID
#               AddToReply      Tunnel-Type = VLAN,\
#                               Tunnel-Medium-Type = Ether_802,\
#                               Tunnel-Private-Group-ID = 2

        </AuthBy>

#       PostAuthHook file:"%D/hooks/vlan-ascii-to-binary-postauth"

</Handler>
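Below is an added example configuration, not the poster's file and not something from the Radiator distribution, showing how the pieces the question asks about fit together: one LDAP2 AuthBy defined once at top level and referenced by Identifier from several Handlers, one Handler per NAS matched on Client-Identifier with a catch-all Handler last, and a guest-VLAN fallback built from an AuthBy GROUP with AuthByPolicy ContinueWhileReject followed by an AuthBy INTERNAL that accepts and adds the tunnel attributes. All addresses, secrets, identifiers, DNs, certificate paths and the guest VLAN ID (2) are assumptions. Two caveats a practitioner would want: an Access-Accept is only useful to an EAP supplicant when the EAP conversation itself succeeded and session keys were derived, so accepting after a failed EAP-TTLS inner authentication will not give a working wireless session (the fallback below is only sound for plain PAP/CHAP/MS-CHAP requests); and a station with no 802.1X supplicant at all never causes a RADIUS request, so putting such clients into a guest VLAN is a decision the AP (the authenticator) has to make, not something the RADIUS server can do.

```text
# Added example, not the poster's configuration. Addresses, secrets,
# identifiers and VLAN IDs are placeholders.

Foreground
LogStdout
LogDir          /var/log/radius
LogFile         %L/%Y-%m-log
DbDir           /etc/radiator
Trace           4
AuthPort        1812

# One Client per NAS (or one per site using IdenticalClients). The
# Identifier is what the Handlers below match on via Client-Identifier.
<Client 192.0.2.10>
        Secret          replace-with-a-long-random-secret
        Identifier      isu
</Client>

<Client 192.0.2.20>
        Secret          replace-with-a-different-long-random-secret
        Identifier      site2
</Client>

# A top-level AuthBy with an Identifier can be referenced by name from
# any Handler, so the LDAP/EAP-TTLS settings are written only once.
<AuthBy LDAP2>
        Identifier      nds-ldap
        Host            192.0.2.5
        Port            389
        BaseDN          o=example
        UsernameAttr    cn
        ServerChecksPassword 1

        EAPType TTLS
        EAPTLS_CAFile /etc/radiator/certificates/ca.pem
        EAPTLS_CertificateFile /etc/radiator/certificates/cert-srv.pem
        EAPTLS_CertificateType PEM
        EAPTLS_PrivateKeyFile /etc/radiator/certificates/cert-srv.key
        EAPTLS_PrivateKeyPassword whatever
        EAPTLS_MaxFragmentSize 1000
        AutoMPPEKeys
</AuthBy>

# Fallback: accept unconditionally and put the session in the guest VLAN
# (VLAN 2 assumed). Only meaningful for non-EAP requests; see the caveat
# in the text above.
<AuthBy INTERNAL>
        Identifier      guest-vlan
        DefaultResult   ACCEPT
        AddToReply      Tunnel-Type = VLAN,\
                        Tunnel-Medium-Type = Ether_802,\
                        Tunnel-Private-Group-ID = 2
</AuthBy>

# Try LDAP first; ContinueWhileReject means a REJECT from nds-ldap moves
# on to the next AuthBy, while an ACCEPT (or IGNORE) stops the chain.
<AuthBy GROUP>
        Identifier      ldap-then-guest
        AuthByPolicy    ContinueWhileReject
        AuthBy          nds-ldap
        AuthBy          guest-vlan
</AuthBy>

# Handlers are tried from top to bottom; the first one whose check items
# match the request handles it.
<Handler Client-Identifier=isu>
        AuthBy          ldap-then-guest
</Handler>

<Handler Client-Identifier=site2>
        AuthBy          ldap-then-guest
</Handler>

# A Handler with no check items matches everything else, so it must be last.
<Handler>
        AuthBy          nds-ldap
</Handler>
```

With Trace 4 the log shows which Handler matched each request and the result returned by each AuthBy in the group, which is the quickest way to confirm that the fallback is reached only after the LDAP check has rejected.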