(RADIATOR) roles-based dynamic address assignment

Wyman Miles wm63 at cornell.edu
Fri Nov 18 09:03:33 CST 2005



I know this is possible, but I'm hoping to find the most efficient way:

We're embarking on a VPN project that'll use our existing Radiator instance 
as glue to our in-house AuthN/AuthZ infrastructure (Kerberos/LDAP/MySQL). 
Right now, things are working nicely for our 802.1x project, so I know the 
AAA issues are straightforward.

What we'd like to do is assign addresses from different networks based on 
the assumed role of the incoming user.

That is, if I authenticate as "wm63 at cornell.edu" I'll get an address from 
the default dynamic pool.  If I authenticate as "wm63 at security.cornell.edu" 
I'll get an address from a smaller, different pool.  I can make the KRB & 
SQL calls to validate my identity and role just fine.

What I'd like to do is dynamically retrieve a subnet selection option 
(MySQL table on a different machine) based on intended role then issue an 
appropriately crafted DHCP request to receive an address on the correct 
network.

Reasonable?  Anyone doing something similar?  Any pointers to a most 
efficient solution?

Thanks!

Wyman Miles
Senior Security Engineer
Cornell University, Ithaca, NY
(607) 255-8421
