[RADIATOR] vlan change for EAP clients with external RADIUS server

Roel Hoek r.h.hoek at utwente.nl
Fri Mar 22 12:00:13 CDT 2013



Hi,

On our wireless network we support eduroam. For internal users we set the VLAN attribute depending on their MAC address.
For a quarantined host this VLAN attribute (Tunnel-Private-Group-ID) is e.g. 131. We know the MAC address of a quarantined host. With a special users file we check for a MAC address. The default VLAN is set by the DEFAULT user (e.g. VLAN 125).
Example of the users file:
DEFAULT
         Tunnel-Type = 1:VLAN,
         Tunnel-Medium-Type = 1:Ether_802,
         Tunnel-Private-Group-ID = 1:125,
         Login-LAT-Group = "UT"

78e400a33798
         Tunnel-Type = 1:VLAN,
         Tunnel-Medium-Type = 1:Ether_802,
         Tunnel-Private-Group-ID = 1:131,
         Login-LAT-Group = "qnet"

For the outer and inner authentication we use two different handlers.
In the inner handler we first check the identity of the user in an AuthBy. In a second AuthBy the VLAN attribute is appended to the reply depending on the user's MAC address.
This works fine!

# Copy the client MAC and NAS name from the outer request into the inner request
AddToRequest Calling-Station-Id=%{OuterRequest:Calling-Station-Id},NAS-Identifier=%{OuterRequest:NAS-Identifier}
<AuthBy GROUP>
        # Try each user file in turn until one accepts the user
        AuthByPolicy ContinueWhileReject
        <AuthBy FILE>
                Identifier TTLS-inner-msd-accounts
                # authentication of m/s/d accounts:
                Filename %D/users-wlan-ttls_v2
        </AuthBy>
        <AuthBy FILE>
                Identifier TTLS-inner-tijdelijke-accounts_1a
                # Strip off the realm
                RewriteUsername s/^([^@]+).*/$1/
                # Strip off leading whitespace and the like
                RewriteUsername s/^\s*//
                # Strip off trailing whitespace and the like
                RewriteUsername s/\s*$//

                # t-accounts (temporary accounts)
                Filename %D/users-wlan-tijdelijke
        </AuthBy>
</AuthBy>
<AuthBy FILE>
        Identifier inner_TTLS_qnet_mac_a1
        # Look up the client MAC instead of the user name; the matching
        # entry (or DEFAULT) supplies the VLAN reply items
        AuthenticateAttribute Calling-Station-Id
        Filename %D/users-wlan-qnet-mac
        NoCheckPassword
        NoEAP
</AuthBy>

Question:
How do I set the VLAN attribute for externally authenticated users?
Because the outer and inner authentication are handled externally, we cannot set the VLAN attribute as we do for internal users.
I can only strip off and add reply items for all external users, but not for a specific user depending on his MAC address...

<AuthBy RADSEC>
        Identifier Surfnet-RADSEC
        Host <host>
        .
        .
        # Remove any VLAN items before proxying and from the proxied reply,
        # then add one fixed VLAN for every external user
        StripFromRequest Tunnel-Type,Tunnel-Medium-Type,Tunnel-Private-Group-ID,Session-Timeout
        StripFromReply Tunnel-Type,Tunnel-Medium-Type,Tunnel-Private-Group-ID,Session-Timeout
        AddToReply Tunnel-Type=1:VLAN,Tunnel-Medium-Type=1:Ether_802,Tunnel-Private-Group-ID=1:127, Class = Realm=%W
</AuthBy>

Is there a way to solve this? Any hint?



-- 
Kind regards,

Roel Hoek
ICT Service Centre
University of Twente, P.O.Box 217, 7500 AE Enschede, The Netherlands
Telephone +31 53 489 4598, Fax +31 53 489 2383
R.H.Hoek at utwente.nl; http://www.utwente.nl/icts

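Added illustration (my own code, not from the post above and not part of Radiator): a small Python lookup in the style of the quoted users file. It normalises the Calling-Station-Id as different NAS types format it, finds the matching MAC entry and falls back to DEFAULT, so a quarantined MAC gets the quarantine VLAN reply items whatever the MAC formatting. The users-file text is constructed from the post; entries with check items on the name line are an assumption this example does not handle.

```python
import re

# Constructed sample in the same layout as the users file quoted in the post.
USERS_FILE = """\
DEFAULT
         Tunnel-Type = 1:VLAN,
         Tunnel-Medium-Type = 1:Ether_802,
         Tunnel-Private-Group-ID = 1:125,
         Login-LAT-Group = "UT"

78e400a33798
         Tunnel-Type = 1:VLAN,
         Tunnel-Medium-Type = 1:Ether_802,
         Tunnel-Private-Group-ID = 1:131,
         Login-LAT-Group = "qnet"
"""


def normalize_mac(calling_station_id):
    """Reduce 78-E4-00-A3-37-98, 78:e4:00:a3:37:98 or 78e4.00a3.3798 to 78e400a33798."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", calling_station_id).lower()
    if len(hexdigits) != 12:
        raise ValueError("not a MAC address: %r" % calling_station_id)
    return hexdigits


def parse_users_file(text):
    """Map each user name (a MAC or DEFAULT) to a dict of its reply items."""
    entries, current = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():
            # An unindented line starts a new entry; the first word is the user name
            # (check items on the same line are not parsed in this example).
            current = entries.setdefault(line.split()[0], {})
            continue
        # Indented lines are reply items: "Name = value," with optional quotes
        name, value = line.strip().rstrip(",").split("=", 1)
        current[name.strip()] = value.strip().strip('"')
    return entries


def vlan_reply_for(entries, calling_station_id):
    """Reply items for this client MAC, falling back to the DEFAULT entry."""
    mac = normalize_mac(calling_station_id)
    return dict(entries.get(mac, entries["DEFAULT"]))
```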