Hi,

On our wireless network we support EDUROAM. For internal users we set the vlan-attribute depending on their MAC-address. For a quarantined host this vlan-attribute (Tunnel-Private-Group-ID) is i.e. 131. We know the MAC-address of a quarantined host. With a special users-file we check for a MAC-address. The default vlan is set by the DEFAULT user (i.e. Vlan 125).

Example of the users file:

    DEFAULT
        Tunnel-Type = 1:VLAN,
        Tunnel-Medium-Type = 1:Ether_802,
        Tunnel-Private-Group-ID = 1:125,
        Login-LAT-Group = "UT"

    78e400a33798
        Tunnel-Type = 1:VLAN,
        Tunnel-Medium-Type = 1:Ether_802,
        Tunnel-Private-Group-ID = 1:131,
        Login-LAT-Group = "qnet"

For the outer- and inner-authentication we use two different handlers. In the inner-handler we first check in an AuthBy the identity of the user. In a second AuthBy the Vlan-attribute is appended to the reply depending on the user's MAC-address. This works fine!

    AddToRequest Calling-Station-Id=%{OuterRequest:Calling-Station-Id},NAS-Identifier=%{OuterRequest:NAS-Identifier}

    <AuthBy GROUP>
        AuthByPolicy ContinueWhileReject

        <AuthBy FILE>
            Identifier TTLS-inner-msd-accounts
            # authentication of m/s/d-accounts:
            Filename %D/users-wlan-ttls_v2
        </AuthBy>

        <AuthBy FILE>
            Identifier TTLS-inner-tijdelijke-accounts_1a
            # Strip off the realm
            RewriteUsername s/^([^@]+).*/$1/
            # Strip off leading whitespace and such
            RewriteUsername s/^\s*//
            # Strip off trailing whitespace and such
            RewriteUsername s/\s*$//
            # t-accounts
            Filename %D/users-wlan-tijdelijke
        </AuthBy>
    </AuthBy>

    <AuthBy FILE>
        Identifier inner_TTLS_qnet_mac_a1
        AuthenticateAttribute Calling-Station-Id
        Filename %D/users-wlan-qnet-mac
        NoCheckPassword
        NoEAP
    </AuthBy>

Question: How to set the vlan-attribute for externally authenticated users?

Because the outer- and inner-authentication is handled externally, we cannot set the vlan attribute as we do for internal users. I can only strip off and add reply-items for all external users, but not for a specific user depending on his MAC-address...

    <AuthBy RADSEC>
        Identifier Surfnet-RADSEC
        Host <host>
        .
        .
        StripFromRequest Tunnel-Type,Tunnel-Medium-Type,Tunnel-Private-Group-ID,Session-Timeout
        StripFromReply Tunnel-Type,Tunnel-Medium-Type,Tunnel-Private-Group-ID,Session-Timeout
        AddToReply Tunnel-Type=1:VLAN,Tunnel-Medium-Type=1:Ether_802,Tunnel-Private-Group-ID=1:127, Class = Realm=%W
    </AuthBy>

Is there a way to solve this? Any hint?

-- 
Kind regards,
Roel Hoek
ICT Service Centre
University of Twente, P.O.Box 217, 7500 AE Enschede, The Netherlands
Telephone +31 53 489 4598, Fax +31 53 489 2383
r.h.h...@utwente.nl; http://www.utwente.nl/icts

_______________________________________________
radiator mailing list
radiator@open.com.au
http://www.open.com.au/mailman/listinfo/radiator
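
The per-MAC VLAN decision the message asks about for proxied users, modelled as an added Python example; it is not Radiator configuration and not code from the post. The function names, the `external_vlan` parameter and the MAC normalisation are assumptions of the example; the attribute names and values are taken from the configuration in the message.

```python
import re

# Constructed sample mirroring the users file quoted in the message.
USERS_FILE = '''\
DEFAULT
    Tunnel-Type = 1:VLAN,
    Tunnel-Medium-Type = 1:Ether_802,
    Tunnel-Private-Group-ID = 1:125,
    Login-LAT-Group = "UT"

78e400a33798
    Tunnel-Type = 1:VLAN,
    Tunnel-Medium-Type = 1:Ether_802,
    Tunnel-Private-Group-ID = 1:131,
    Login-LAT-Group = "qnet"
'''

# Attributes the message strips from replies coming back from the remote side.
STRIP = {"Tunnel-Type", "Tunnel-Medium-Type", "Tunnel-Private-Group-ID", "Session-Timeout"}

def parse_users(text):
    """Return {user: {attr: value}}; indented lines belong to the entry above them."""
    users, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if not line[0].isspace():
            current = users.setdefault(line.split()[0], {})
        elif current is not None:
            attr, _, value = line.strip().rstrip(",").partition("=")
            current[attr.strip()] = value.strip().strip('"')
    return users

def normalise_mac(calling_station_id):
    """Reduce 78-E4-00-A3-37-98, 78:e4:00:a3:37:98 or 78e4.00a3.3798 to 12 hex digits."""
    mac = re.sub(r"[^0-9a-fA-F]", "", calling_station_id).lower()
    return mac if len(mac) == 12 else None

def vlan_reply(remote_reply, calling_station_id, users, external_vlan="1:127"):
    """Reply for a proxied user: drop remote VLAN items, then apply local policy."""
    reply = {k: v for k, v in remote_reply.items() if k not in STRIP}
    reply.update({"Tunnel-Type": "1:VLAN", "Tunnel-Medium-Type": "1:Ether_802",
                  "Tunnel-Private-Group-ID": external_vlan})
    entry = users.get(normalise_mac(calling_station_id))
    if entry:  # a known quarantined MAC overrides the external default VLAN
        reply.update({k: v for k, v in entry.items() if k in STRIP})
    return reply
```

The order matters: remote-supplied tunnel attributes are discarded before any local value is set, so the VLAN in the final reply always comes from local policy.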