(RADIATOR) Help understanding handlers to allow a guest vlan fallback on wireless

Hugh Irvine hugh at open.com.au
Wed Dec 1 14:45:45 CST 2004


Hello -

Normally you would have the correct vlan for a user stored in his/her 
user record and you would return it from the LDAP search.

If all users have the same vlan, then you can use AddToReply in the 
AuthBy LDAP2 clause, with an additional AuthBy INTERNAL clause with a 
different AddToReply for guests.

Something like this:

	AuthByPolicy ContinueUntilAccept

	<AuthBy LDAP2>
		.....
		# vlan attributes
		AddToReply .....
		.....
	</AuthBy>

	<AuthBy INTERNAL>
		DefaultResult ACCEPT
		# default guest vlan attributes
		AddToReply .....
		.....
	</AuthBy>

regards

Hugh


On 2 Dec 2004, at 05:01, doc at dcclrt.co.uk wrote:

> Hi Everyone.
>  
> I'm using Enterasys Roamabout 3000 AP to authenticate users via 
> radiator.
> Radiator is configured to LDAP to NDS which is working successfully 
> with the current configuration.
> I have many different sites that are on different VLANs where 
> wireless users will need to authenticate.
> Failing authentication we want to have a default guest vlan assigned 
> whereby the user can then download the client needed for 802.1x 
> authentication.
>  
> I just do not know the correct way to go about this in the 
> configuration file. I've tried and failed but I don't fully understand 
> handlers and realms and how they interact with the rest of the config 
> file. (Yes, I've RTFM many many times).
>  
> Below is the radiator config file I am using at the moment, it is by 
> no means complete.
> As it is, the config file is configured to authenticate a testbed set 
> of users but I want to add configuration for further Clients with the 
> same LDAP authentication method and also if necessary a default vlan 
> fallback mechanism.
>  
> It may well be that my AP does not support "dynamic vlan" setup. The 
> AP is connected to a Cisco 2950 with IOS Enhanced Image.
>  
> Any help would be greatly appreciated.
>  
> ---------------------
> Foreground
> LogStdout
> LogDir          /var/log/radius
> LogFile         %L/%Y-%m-log
> DbDir           /etc/radiator
> Trace           4
> AuthPort        1812
> #AcctPort       1813
>  
> <Client xxx.xxx.xxx.xxx>
>         IdenticalClients        xxx.xxx.xxx.xxx
>         Secret          1234
>         DupInterval     0
>         Identifier      isu
> </Client>
>  
> <Handler Client-Identifier=isu>
>         <AuthBy LDAP2>
>                 # Tell Radiator how to talk to the LDAP server
>                 ServerChecksPassword 1
>                 Host            xxx.xxx.xxx.xxx
>                 Port            389
>  
>                 # You will only need these if your LDAP server
>                 # requires authentication. These are the examples
>                 # in a default OpenLDAP installation
>                 # see /etc/openldap/slapd.conf
>                 # AuthDN        CN=ADMIN, O=MMU
>                 # AuthPassword  xxxxxxxxxx
>  
>                 # This the top of the search tree where users
>                 # will be found. It should match the configuration
>                 # of your server, see /etc/openldap/slapd.conf
>                 BaseDN          o=xxx
>  
>                 # This is the LDAP attribute to match the radius user name
>                 UsernameAttr    cn
>  
>                 # You can enable debugging of the Net::LDAP
>                 # module with this:
>                 #Debug 255
>  
>                 EAPType TTLS
>                 EAPTLS_CAFile /etc/radiator/certificates/xxxxxxx.pem
>                 EAPTLS_CertificateFile /etc/radiator/certificates/cert-srv.pem
>                 EAPTLS_CertificateType PEM
>                 EAPTLS_PrivateKeyFile /etc/radiator/certificates/xxxxxxxxx.xxx
>                 EAPTLS_PrivateKeyPassword whatever
>                 EAPTLS_MaxFragmentSize 1000
>                 AutoMPPEKeys
>  
> #               StripFromReply  Tunnel-Type,\
> #                               Tunnel-Medium-Type,\
> #                               Tunnel-Private-Group-ID
> #               AddToReply      Tunnel-Type = VLAN,\
> #                               Tunnel-Medium-Type = Ether_802,\
> #                               Tunnel-Private-Group = 2
>
>         </AuthBy>
>
> #       PostAuthHook file:"%D/hooks/vlan-ascii-to-binary-postauth"
>
> </Handler>
>

NB:

Have you read the reference manual ("doc/ref.html")?
Have you searched the mailing list archive 
(www.open.com.au/archives/radiator)?
Have you had a quick look on Google (www.google.com)?
Have you included a copy of your configuration file (no secrets),
together with a trace 4 debug showing what is happening?

-- 
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
-
CATool: Private Certificate Authority for Unix and Unix-like systems.
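Putting Hugh's two clauses together with the Tunnel attributes that were commented out in the quoted config gives a Handler of the shape below. This is an added illustration in Radiator's own config syntax, not code from Hugh, the original poster, or the Radiator distribution. The server address, BaseDN, certificate paths, shared secret and both VLAN numbers are placeholders; the Tunnel attribute values are the ones used in the quoted config, except that the standard RFC 2868 name Tunnel-Private-Group-ID is used throughout (the quoted AddToReply line spells it without the -ID suffix).

```conf
# Added example, not from the original message. Every address, path,
# secret and VLAN number below is a placeholder to be replaced.
Foreground
LogStdout
LogDir      /var/log/radius
LogFile     %L/%Y-%m-log
DbDir       /etc/radiator
Trace       4
AuthPort    1812

<Client xxx.xxx.xxx.xxx>
    Secret      PLACEHOLDER_SECRET
    Identifier  isu
</Client>

<Handler Client-Identifier=isu>
    # Try each AuthBy in order and stop at the first one that ACCEPTs.
    # A REJECT (or IGNORE) from LDAP2 therefore falls through to INTERNAL.
    AuthByPolicy ContinueUntilAccept

    # 1. Normal users: EAP-TTLS is terminated here and the inner
    #    credentials are checked against the directory. On success the
    #    reply carries the site VLAN (VLAN 2 is a placeholder).
    <AuthBy LDAP2>
        Host                    xxx.xxx.xxx.xxx
        Port                    389
        BaseDN                  o=xxx
        UsernameAttr            cn
        ServerChecksPassword    1

        EAPType TTLS
        EAPTLS_CAFile               /etc/radiator/certificates/ca.pem
        EAPTLS_CertificateFile      /etc/radiator/certificates/cert-srv.pem
        EAPTLS_CertificateType      PEM
        EAPTLS_PrivateKeyFile       /etc/radiator/certificates/key-srv.pem
        EAPTLS_PrivateKeyPassword   PLACEHOLDER
        EAPTLS_MaxFragmentSize      1000
        AutoMPPEKeys

        # Site VLAN for users the directory accepted
        AddToReply Tunnel-Type = VLAN,\
                   Tunnel-Medium-Type = Ether_802,\
                   Tunnel-Private-Group-ID = 2
    </AuthBy>

    # 2. Reached only when LDAP2 did not ACCEPT. DefaultResult ACCEPT
    #    admits the request unconditionally, so everything that reaches
    #    this clause lands on the guest VLAN (VLAN 99 is a placeholder).
    #    That VLAN must be isolated to the client-download server and
    #    nothing else, because no credential was verified for it.
    <AuthBy INTERNAL>
        DefaultResult ACCEPT
        AddToReply Tunnel-Type = VLAN,\
                   Tunnel-Medium-Type = Ether_802,\
                   Tunnel-Private-Group-ID = 99
    </AuthBy>
</Handler>
```

The AuthBy INTERNAL clause performs no EAP of its own, so whether a supplicant that failed the inner TTLS authentication actually ends up on the guest VLAN depends on what the AP and supplicant do with the resulting reply. The check to run before relying on this is a deliberately failed login with Trace 4 enabled: the log should show LDAP2 returning REJECT, the Handler continuing to INTERNAL, and an Access-Accept going out with the guest Tunnel attributes; if the AP still drops the client, the fallback will need to be arranged on the AP side instead.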
