(RADIATOR) roles-based dynamic address assignment

Hugh Irvine hugh at open.com.au
Fri Nov 18 18:52:41 CST 2005


Hello Wyman -

You can use an AuthBy DYNADDRESS clause with an AddressAllocator DHCP.

There is an example in "goodies/addressallocatordhcp.cfg".

You can retrieve the pool hint from MySQL and add it to the incoming request, from where the PoolHint can access it.

If you have any questions please contact me.

regards

Hugh


On 19 Nov 2005, at 02:03, Wyman Miles wrote:

> I know this is possible, but I'm hoping to find the most efficient way:
>
> We're embarking on a VPN project that'll use our existing Radiator instance
> as glue to our in-house AuthN/AuthZ infrastructure (Kerberos/LDAP/MySQL).
> Right now, things are working nicely for our 802.1x project, so I know the
> AAA issues are straightforward.
>
> What we'd like to do is assign addresses from different networks based on
> the assumed role of the incoming user.
>
> That is, if I authenticate as "wm63 at cornell.edu" I'll get an address from
> the default dynamic pool.  If I authenticate as "wm63 at security.cornell.edu"
> I'll get an address from a smaller, different pool.  I can make the KRB &
> SQL calls to validate my identity and role just fine.
>
> What I'd like to do is dynamically retrieve a subnet selection option
> (MySQL table on a different machine) based on intended role then issue an
> appropriately crafted DHCP request to receive an address on the correct
> network.
>
> Reasonable?  Anyone doing something similar?  Any pointers to a most
> efficient solution?
>
> Thanks!
>
> Wyman Miles
> Senior Security Engineer
> Cornell University, Ithaca, NY
> (607) 255-8421
>
> --
> Archive at http://www.open.com.au/archives/radiator/
> Announcements on radiator-announce at open.com.au
> To unsubscribe, email 'majordomo at open.com.au' with
> 'unsubscribe radiator' in the body of the message.


NB:

Have you read the reference manual ("doc/ref.html")?
Have you searched the mailing list archive (www.open.com.au/archives/radiator)?
Have you had a quick look on Google (www.google.com)?
Have you included a copy of your configuration file (no secrets),
together with a trace 4 debug showing what is happening?

-- 
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
-
CATool: Private Certificate Authority for Unix and Unix-like systems.
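The configuration Hugh describes (AuthBy SQL supplying a per-role pool hint, then AuthBy DYNADDRESS with an AddressAllocator DHCP consuming it), written out as an added example that is not from the list post or from Radiator's goodies directory. The SUBSCRIBERS table, its POOLHINT column, the DHCP server address and the database credentials are assumed; the `request` column type for AuthColumnDef is also an assumption about the installed Radiator version.

```conf
# Constructed example. Assumed table SUBSCRIBERS(USERNAME, PASSWORD, POOLHINT),
# where POOLHINT holds the network (e.g. 192.0.2.0) the user's role entitles
# them to; the allocator passes it to the DHCP server as the subnet selection.

<AddressAllocator DHCP>
    Identifier dhcpallocator
    # Assumed address of the DHCP server that owns the per-role pools
    Host 192.0.2.10
    DefaultLease 86400
</AddressAllocator>

<Realm DEFAULT>
    # Run the SQL lookup first; only reach DYNADDRESS on an Accept
    AuthByPolicy ContinueWhileAccept

    <AuthBy SQL>
        DBSource    dbi:mysql:radius:db.example.edu
        DBUsername  radiator
        DBAuth      CHANGEME
        # Look up by the full NAI, so "wm63@security.cornell.edu" selects a
        # different row (and a different POOLHINT) than "wm63@cornell.edu".
        AuthSelect select PASSWORD, POOLHINT from SUBSCRIBERS where USERNAME=%0
        AuthColumnDef 0, User-Password, check
        # Put the hint in the incoming request rather than the reply: it stays
        # visible to PoolHint below but is never sent back to the NAS.
        AuthColumnDef 1, PoolHint, request
    </AuthBy>

    <AuthBy DYNADDRESS>
        Allocator dhcpallocator
        # Read the hint the SQL clause added to the request
        PoolHint %{PoolHint}
        MapAttribute yiaddr, Framed-IP-Address
        MapAttribute subnetmask, Framed-IP-Netmask
    </AuthBy>
</Realm>
```

A user whose row carries no POOLHINT gets an empty hint and therefore an address from the DHCP server's default pool, which is the behaviour Wyman asked for.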

