(RADIATOR) 802.1x (PEAP w/ MSCHAPV2) to Active Directory with VLAN assignment

Virgil virgil at webcentral.com.au
Tue Sep 13 19:26:02 CDT 2005


On 9/9/05 9:13 AM, "Virgil" <virgil at webcentral.com.au> wrote:

Hi all,

Because I'm not getting anywhere quickly, I'm going back to basics.  Can I
do what I want?

> The goal is 802.1x for wireless and public wired ports using PEAP and
> MSCHAPv2. Theoretically, this involves the least amount of configuration on
> the clients, which are mainly Windows XP.
> 
> Successful authentication will also provide a per-user (or group) VLAN
> assignment, with provision for guest VLAN access for non-802.1x clients and
> for failed authentication.
> 
> Ideally, I'd like to use the userPrincipalName (UPN) to authenticate against
> Active Directory, with a specified attribute, "pager" in this case, for the
> Tunnel-Private-Group-ID.


Will AuthBy LSA work with userPrincipalName?

The userPrincipalName in the production environment would be
(virgil at webcentral.com.au), but this has no correlation to the
sAMAccountName (ab123456cd).


If AuthBy LSA does work with userPrincipalName, how do I get an LDAP value as
a reply attribute for a successful auth? Pseudo config below.


<Handler TunnelledByPEAP=1>
    # The default AuthByPolicy (ContinueWhileIgnore) stops at the first
    # AuthBy that accepts, so the LDAP2 clause below would never run to
    # add its reply attributes. ContinueWhileAccept keeps going.
    AuthByPolicy ContinueWhileAccept
    <AuthBy LSA>
    Domain      DOMAINNAME # "NT4" domain as opposed
                           # to "AD" @webcentral.com.au ???
    EAPType     MSCHAP-V2
    </AuthBy>
    <AuthBy LDAP2>
    ...
    EAPType                 NoEAP
    # LSA has already verified the password; this clause only fetches
    # reply attributes, so it must not try to check the password again
    NoCheckPassword
    UsernameAttr            userPrincipalName
    AuthAttrDef             pager,Tunnel-Private-Group-ID,reply
    AddToReplyIfNotExist    Tunnel-Type = VLAN,\
                            Tunnel-Medium-Type = Ether_802
    ...
    </AuthBy>
</Handler>


#802.1x for wired switches
<Handler NAS-Port-Type=Ethernet>
    <AuthBy LDAP2>
    ...
    EAPType         PEAP
    UsernameAttr    userPrincipalName
    ...
    </AuthBy>
</Handler>



Regards
Virgil

-- 
virgil at webcentral.com.au

--
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.
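The reply attributes the post wants Radiator to emit (Tunnel-Type = VLAN, Tunnel-Medium-Type = Ether_802 / IEEE-802, Tunnel-Private-Group-ID = the "pager" value) are RFC 2868 tagged attributes, and the UPN/sAMAccountName mismatch is a directory-lookup problem rather than a RADIUS one. The following is an added example, not code from the original post or from Radiator: it encodes and decodes those three attributes exactly as they go on the wire, and drives them from a constructed stand-in for Active Directory keyed on userPrincipalName, falling back to a guest VLAN for unknown users or a failed inner authentication. The directory entries, VLAN numbers, the guest VLAN 999 and the function names are all assumptions made up for the demonstration.

```python
"""Added example (not from the original post or from Radiator): RFC 2868 VLAN
reply attributes driven by a UPN lookup. All names, entries and VLAN numbers
below are constructed assumptions for the demonstration."""

import struct

# RADIUS attribute types from RFC 2868 and the two enumerated values needed.
TUNNEL_TYPE = 64
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81
TUNNEL_TYPE_VLAN = 13         # Tunnel-Type = VLAN
TUNNEL_MEDIUM_IEEE_802 = 6    # Tunnel-Medium-Type = IEEE-802 (Ether_802 in Radiator's dictionary)

# Constructed stand-in for AD: the UPN bears no relation to sAMAccountName,
# as in the post, and the "pager" attribute carries the VLAN number.
DIRECTORY = {
    "virgil@webcentral.com.au": {"sAMAccountName": "ab123456cd", "pager": "100"},
    "alice@webcentral.com.au": {"sAMAccountName": "zz987654yx", "pager": "200"},
}
GUEST_VLAN = "999"  # assumption: VLAN for unknown users / failed inner auth


def tagged_int(attr_type, tag, value):
    """Tag (1 byte) + 3-byte big-endian integer, RFC 2868 section 3.1/3.2."""
    if not 0 <= tag <= 0x1F:
        raise ValueError("tag must be 0..31")
    body = bytes([tag]) + struct.pack(">I", value)[1:]
    return bytes([attr_type, len(body) + 2]) + body  # length covers type+len


def tagged_string(attr_type, tag, value):
    """Tag (1 byte) + string, RFC 2868 section 3.6 (Tunnel-Private-Group-ID)."""
    body = bytes([tag]) + value.encode("ascii")
    if len(body) + 2 > 255:
        raise ValueError("attribute too long")
    return bytes([attr_type, len(body) + 2]) + body


def vlan_attributes(vlan_id, tag=1):
    """The three attributes a switch or AP needs to place a port in a VLAN."""
    return (tagged_int(TUNNEL_TYPE, tag, TUNNEL_TYPE_VLAN)
            + tagged_int(TUNNEL_MEDIUM_TYPE, tag, TUNNEL_MEDIUM_IEEE_802)
            + tagged_string(TUNNEL_PRIVATE_GROUP_ID, tag, str(vlan_id)))


def parse_attributes(data):
    """Decode a run of RADIUS AVPs into (type, tag, value) tuples.

    Per RFC 2868, a leading byte greater than 0x1F is not a tag but the first
    byte of the string, so an untagged Tunnel-Private-Group-ID still decodes.
    """
    out, pos = [], 0
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError("truncated attribute header")
        atype, alen = data[pos], data[pos + 1]
        if alen < 3 or pos + alen > len(data):
            raise ValueError("bad attribute length")
        body = data[pos + 2:pos + alen]
        if atype in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            tag, value = body[0], int.from_bytes(body[1:4], "big")
        elif atype == TUNNEL_PRIVATE_GROUP_ID:
            if body[0] > 0x1F:
                tag, value = 0, body.decode("ascii")
            else:
                tag, value = body[0], body[1:].decode("ascii")
        else:
            tag, value = None, body
        out.append((atype, tag, value))
        pos += alen
    return out


def authorize(upn, authenticated):
    """Map an EAP identity (a UPN) to the account and VLAN for the reply.

    Unknown users and failed inner authentication get the guest VLAN; whether
    that or an Access-Reject is the right answer is a site policy decision.
    """
    entry = DIRECTORY.get(upn.lower())
    if not authenticated or entry is None:
        return {"user": None, "vlan": GUEST_VLAN, "attrs": vlan_attributes(GUEST_VLAN)}
    return {"user": entry["sAMAccountName"], "vlan": entry["pager"],
            "attrs": vlan_attributes(entry["pager"])}


if __name__ == "__main__":
    for upn, ok in (("virgil@webcentral.com.au", True), ("nobody@webcentral.com.au", True)):
        r = authorize(upn, ok)
        print(upn, "->", r["user"], "VLAN", r["vlan"], r["attrs"].hex())
        print("  decoded:", parse_attributes(r["attrs"]))
```

The `sAMAccountName` returned by `authorize` is the piece an NT-style logon (the role AuthBy LSA plays in the post) would need when the client only presents a UPN; resolving it with an LDAP lookup before the password check is one way around the mismatch the post describes, and the tagged encoding above is what `AddToReplyIfNotExist Tunnel-Type = VLAN, Tunnel-Medium-Type = Ether_802` plus the `pager` value end up producing.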

