(RADIATOR) 802.1x (PEAP w/ MSCHAPV2) to Active Directory with VLAN assignment
Virgil
virgil at webcentral.com.au
Tue Sep 13 19:26:02 CDT 2005
On 9/9/05 9:13 AM, "Virgil" <virgil at webcentral.com.au> wrote:
Hi all,
Because I'm not getting anywhere quickly, I'm going back to basics. Can I
do what I want?
> The goal is 802.1x for wireless and public wired ports using PEAP and
> MSCHAPv2. Theoretically, this involves the least amount of configuration on
> the clients, which are mainly Windows XP.
>
> Successful authentication will also provide a per-user (or Group) VLAN
> assignment, with provision for guest vlan access for non 802.1x clients, and
> failed authentication.
>
> Ideally, I'd like to use the userPrincipalName (UPN) authenticate against
> Active Directory, with a specified attribute, "pager" in this case, for the
> Tunnel-Private-Group-ID.
Will AuthBy LSA work with userPrincipcalName ?
The userPrincipcalName in the production environment would be
(virgil at webcentral.com.au), but this has no correlation to the
sAMAccountName (ab123456cd).
If AuthBy LSA does work with userPrincipcalName, how to get an LDAP value as
a Reply Attribute for a successful Auth ? Pseudo config below.
<Handler TunnelledByPEAP=1>
<AuthBy LSA>
Domain DOMAINNAME # "NT4" domain as oppopsed
# to "AD" @webcentral.com.au ???
EAPType MSCHAP-V2
</AuthBy>
<AuthBy LDAP2>
...
EAPType NoEAP
UsernameAttr userPrincipalName
AuthAttrDef pager,Tunnel-Private-Group-ID,reply
AddToReplyIfNotExist Tunnel-Type = VLAN,\
Tunnel-Medium-Type = Ether_802
...
</AuthBy>
</Handler>
#802.1x for wired switches
<Handler NAS-Port-Type=Ethernet>
<AuthBy LDAP2>
...
EAPType PEAP
UsernameAttr userPrincipalName
...
</AuthBy>
</Handler>
Regards
Virgil
--
virgil at webcentral.com.au
--
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.
More information about the radiator
mailing list