
BYOD User and dynamic vlan


BYOD User and dynamic vlan

Luc Paulin
Hi all,
I was wondering if it would be possible to assign a VLAN based on
the authentication type.

I would like to enable wireless access to all users so they can log in using
their AD credentials. However, corporate systems would have to use a
certificate so they can be placed in another VLAN in order to be able to access
corporate resources.

Any other BYOD/security suggestions are welcome!



--
                         !!!!!
                       ( o o )
 --------------oOO----(_)----OOo--------------
   Luc Paulin
   email: paulinster(at)gmail.com
   Skype: paulinster
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: BYOD User and dynamic vlan

Matthew Newton-2
On Fri, May 19, 2017 at 09:53:10AM -0400, Luc Paulin wrote:
> I was wondering if it would be possible to assign a VLAN based on
> the authentication type.
>
> I would like to enable wireless access to all users so they can log in using
> their AD credentials. However, corporate systems would have to use a
> certificate so they can be placed in another VLAN in order to be able to access
> corporate resources.

This is very common. You can do this with a bit of unlang (or
other methods) assuming your NAS has support. Most respond to the
standard Tunnel-Private-Group-Id attribute.

So you might do something like:

    if (&EAP-Type == EAP-TLS) {
      update reply {
        Tunnel-Type := 13
        Tunnel-Medium-Type := 6
        Tunnel-Private-Group-Id := 100
      }
    }
    else {
      update reply {
        Tunnel-Type := 13
        Tunnel-Medium-Type := 6
        Tunnel-Private-Group-Id := 200
      }
    }

so if EAP-TLS is in use send back VLAN 100, otherwise send back
VLAN 200.

The attributes don't have to be set with unlang of course.

--
Matthew
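As an added example (not code from the thread), here is a small Python encoder and decoder for the RFC 2868 tunnel attributes that Matthew's unlang sends back in the Access-Accept. It lets a defender check, from a packet capture or a radtest run, exactly which VLAN assignment the NAS received and whether it is well-formed; the sample Access-Accept payload is constructed.

```python
import struct

# RFC 2868 attribute numbers; Tunnel-Type 13 = VLAN, Tunnel-Medium-Type 6 = IEEE-802
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
VLAN, IEEE_802 = 13, 6

def tagged_int(attr, value, tag=0):
    # Tagged integer: type, length 6, 1-byte tag, 3-byte big-endian value
    return struct.pack("!BBB", attr, 6, tag) + value.to_bytes(3, "big")

def tagged_string(attr, text, tag=0):
    # Tagged string: type, length, 1-byte tag, then the string bytes
    data = text.encode()
    return struct.pack("!BBB", attr, 3 + len(data), tag) + data

def encode_vlan_reply(group_id, tag=0):
    """The three reply attributes the unlang above adds to the Access-Accept."""
    return (tagged_int(TUNNEL_TYPE, VLAN, tag)
            + tagged_int(TUNNEL_MEDIUM_TYPE, IEEE_802, tag)
            + tagged_string(TUNNEL_PRIVATE_GROUP_ID, str(group_id), tag))

def parse_attributes(blob):
    """Walk a RADIUS attribute list and yield (type, value) pairs."""
    i = 0
    while i < len(blob):
        t, ln = blob[i], blob[i + 1]
        if ln < 2 or i + ln > len(blob):
            raise ValueError("malformed attribute at offset %d" % i)
        yield t, blob[i + 2:i + ln]
        i += ln

def vlan_from_reply(blob):
    """Return the Tunnel-Private-Group-Id a NAS would apply, or None when the reply
    is not a complete, consistent VLAN assignment (missing attribute, wrong type/medium, tags)."""
    found = {}
    for t, v in parse_attributes(blob):
        if t in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            found[t] = (v[0], int.from_bytes(v[1:], "big"))
        elif t == TUNNEL_PRIVATE_GROUP_ID:
            # Tags are 0x01..0x1F; a larger first byte is part of the string itself
            found[t] = (v[0], v[1:].decode()) if v and v[0] <= 0x1F else (0, v.decode())
    if len(found) != 3 or len({tag for tag, _ in found.values()}) != 1:
        return None
    if found[TUNNEL_TYPE][1] != VLAN or found[TUNNEL_MEDIUM_TYPE][1] != IEEE_802:
        return None
    return found[TUNNEL_PRIVATE_GROUP_ID][1]

# Constructed Access-Accept payload: Session-Timeout (27) of 3600s, then VLAN 100 as above
SAMPLE_ACCEPT = bytes([27, 6]) + (3600).to_bytes(4, "big") + encode_vlan_reply(100)
```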

Re: BYOD User and dynamic vlan

Luc Paulin
Great!! Thanx Matthew! That's exactly what I was looking for. I knew how to
send back VLAN information, but couldn't figure out how to know if EAP is
TLS or not.

Thanx a lot!

--
                         !!!!!
                       ( o o )
 --------------oOO----(_)----OOo--------------
   Luc Paulin
   email: paulinster(at)gmail.com
   Skype: paulinster


Re: BYOD User and dynamic vlan

Scott Armitage
In reply to this post by Luc Paulin

> On 19 May 2017, at 14:53, Luc Paulin <[hidden email]> wrote:
>
> Hi all,
> I was wondering if it would be possible to assign a VLAN based on
> the authentication type.
>
> I would like to enable wireless access to all users so they can log in using
> their AD credentials. However, corporate systems would have to use a
> certificate so they can be placed in another VLAN in order to be able to access
> corporate resources.
>
> Any other BYOD/security suggestions are welcome!
>

Easy enough.  Just some unlang in post-auth should do the trick.

To assign the VLAN for AD-based logins, simply assign the VLAN in the inner-tunnel post-auth, e.g.:

post-auth {
        # users authenticated inside the tunnel (AD credentials) get VLAN 5678
        update reply {
                &Tunnel-Medium-Type := "IEEE-802"
                &Tunnel-Type := "VLAN"
                &Tunnel-Private-Group-Id := "5678"
                &Termination-Action := "RADIUS-Request"
        }

        # copy the inner reply into the outer request's session-state
        update {
                &outer.session-state: += &reply:
        }
}

Then in the outer tunnel post-auth add the VLAN override for cert-based auth, e.g.:

post-auth {
        # EAP-Type 13 is EAP-TLS: certificate-authenticated systems get VLAN 1234
        if (&EAP-Type == 13) {
                update reply {
                        &Tunnel-Medium-Type := "IEEE-802"
                        &Tunnel-Type := "VLAN"
                        &Tunnel-Private-Group-Id := "1234"
                        &Termination-Action := "RADIUS-Request"
                }
        }
        else {
                # everything else gets the VLAN saved by the inner tunnel
                update { &reply: += &session-state: }
        }
}

Regards

Scott