[RADIATOR] dynamic vlan assignment based on machine name

Heikki Vatiainen hvn at open.com.au
Mon Nov 14 07:18:14 CST 2011


On 11/11/2011 01:39 PM, Pearson, Mark wrote:

> I’m guessing this has been done several times so rather than invent the
> wheel thought I would ask here.

Well, I guess there's always some reinventing involved with these
things, but please see below for some ideas :)

> On our wireless network we want to create an AD group of “known devices”
> using machine name. When a user authenticates to the wireless, firstly it
> needs to check if they are a valid user in AD, if so, then check if the
> machine name is in “known devices”, if so, then they are assigned
> vlan A. If they are a valid user but not in the group they are assigned
> vlan B.

Here's a simple config that shows how to use two AuthBys to first
authenticate the user and then add attributes based on other information
from the request.

<Handler>
        AuthByPolicy ContinueWhileAccept
        <AuthBy FILE>
                # Authenticate the user
                Filename        %D/users
        </AuthBy>
        <AuthBy FILE>
                # Choose VLAN based on Calling-Station-Id
                AuthenticateAttribute Calling-Station-Id
                Filename        %D/users-authattr
                AddToReply Tunnel-Type=1:VLAN,Tunnel-Medium-Type=1:Ether_802
        </AuthBy>
</Handler>

File users is simply:
mikeme	User-Password=fred

File users-authattr is:

987654321
	Tunnel-Private-Group-ID=1:100
987654322
	Tunnel-Private-Group-ID=1:200
DEFAULT
	Tunnel-Private-Group-ID=1:300


Test with:

% ./radpwtst -trace 4 -noacct -calling_station_id 987654321
% ./radpwtst -trace 4 -noacct -calling_station_id 987654322
% ./radpwtst -trace 4 -noacct -calling_station_id 987654323

The default username and password are mike/fred and when you vary the
C-S-I attribute, different VLAN IDs are returned.

> We are using cisco WLC and Radiator 4.7. Currently we use cisco ACS for
> the user authentication and only use Radiator for eduroam with AuthBy
> LSA. Our AD is 2008. Moving forward I want to use Radiator for both user
> and device authentication and also TACACS (that can wait for another day
> though).

TACACS is widely used with Radiator, so that should not be a problem.
You can even run a separate instance for TACACS if you want to keep it
separate from other authentication. That might help with the initial
setup and debug too.

> Any advice on how to do this, where to start and any sample Radiator
> configs would be appreciated.

The example above shows how to chain AuthBys, so that might be the
general idea how to combine authentication and VLAN assignment. Both
AuthBys do a lookup from a file, but you can use e.g. NTLM and SQL. The
second lookup depends on how you can make the list of known machines
available for Radiator.

Thanks!
Heikki

-- 
Heikki Vatiainen <hvn at open.com.au>

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
NetWare etc.
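The chained lookup described in the reply above, as an added simulation in Python (not Radiator code, which is written in Perl): it parses the two flat files from the post, applies the check items of the first AuthBy, keys the second AuthBy on Calling-Station-Id as AuthenticateAttribute does, and merges AddToReply with the per-entry reply items under ContinueWhileAccept semantics (stop at the first reject, otherwise accumulate replies). The file contents are copied from the post; the request dictionaries, the function names and the choice to let a missing Calling-Station-Id fall through to the DEFAULT entry are assumptions of this example. Because Calling-Station-Id is supplied by the client and the DEFAULT entry catches every device not listed, the VLAN it assigns (300 here) is the one a defender should treat as the restricted network.

```python
# Added example: simulates the Handler / two AuthBy FILE chain from the post.
# Not Radiator's own code; names and request layout are this example's assumptions.

# Constructed copies of the two flat files shown in the post.
USERS_FILE = "mikeme\tUser-Password=fred\n"

USERS_AUTHATTR_FILE = """\
987654321
\tTunnel-Private-Group-ID=1:100
987654322
\tTunnel-Private-Group-ID=1:200
DEFAULT
\tTunnel-Private-Group-ID=1:300
"""


def parse_items(text):
    """Parse 'Attr=value,Attr2=value2' into a dict (values may contain ':')."""
    items = {}
    for item in text.split(","):
        if item.strip():
            key, value = item.strip().split("=", 1)
            items[key.strip()] = value.strip()
    return items


def parse_users_file(text):
    """Parse a Radiator-style users file into [(name, check_items, reply_items)].
    A non-indented line starts an entry: name, then optional check items.
    Indented continuation lines carry reply items for the current entry."""
    entries = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t":
            entries[-1][2].update(parse_items(raw))  # reply line
        else:
            parts = raw.split(None, 1)
            check = parse_items(parts[1]) if len(parts) > 1 else {}
            entries.append((parts[0], check, {}))
    return entries


class AuthByFile:
    """Minimal stand-in for <AuthBy FILE> with AuthenticateAttribute/AddToReply."""

    def __init__(self, file_text, authenticate_attribute="User-Name", add_to_reply=""):
        self.entries = parse_users_file(file_text)
        self.attr = authenticate_attribute
        self.add_to_reply = parse_items(add_to_reply)

    def handle(self, request):
        """Return ('ACCEPT', reply_attrs) or ('REJECT', {})."""
        # Assumption: an absent attribute looks up as "" and so only matches DEFAULT.
        key = request.get(self.attr, "")
        for name, check, reply in self.entries:
            if name != key and name != "DEFAULT":
                continue
            # Every check item (e.g. User-Password) must match the request.
            if any(request.get(k) != v for k, v in check.items()):
                return "REJECT", {}
            out = dict(self.add_to_reply)
            out.update(reply)
            return "ACCEPT", out
        return "REJECT", {}


def handle_continue_while_accept(authbys, request):
    """AuthByPolicy ContinueWhileAccept: run AuthBys in order, stop at the first
    reject; on success the reply carries the attributes of every AuthBy."""
    reply = {}
    for authby in authbys:
        result, attrs = authby.handle(request)
        if result != "ACCEPT":
            return "REJECT", {}
        reply.update(attrs)
    return "ACCEPT", reply


HANDLER = [
    AuthByFile(USERS_FILE),
    AuthByFile(
        USERS_AUTHATTR_FILE,
        authenticate_attribute="Calling-Station-Id",
        add_to_reply="Tunnel-Type=1:VLAN,Tunnel-Medium-Type=1:Ether_802",
    ),
]


def decide(user_name, password, calling_station_id=None):
    """Build a request like the radpwtst runs in the post and evaluate it."""
    request = {"User-Name": user_name, "User-Password": password}
    if calling_station_id is not None:
        request["Calling-Station-Id"] = calling_station_id
    return handle_continue_while_accept(HANDLER, request)


if __name__ == "__main__":
    for csi in ("987654321", "987654322", "987654323"):
        print(csi, decide("mikeme", "fred", csi))
    print("bad password", decide("mikeme", "wrong", "987654321"))
```

Running the block prints VLAN 100, 200 and 300 for the three Calling-Station-Id values from the post's radpwtst commands, and a reject for a wrong password, which never reaches the second AuthBy.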