On Fri, May 22, 2009 at 1:03 PM, Ivan Kalik <t...@kalik.net> wrote:
>
>> Problem:
>>
>> I want to enforce different access policies for users depending on who
>> they are and where they try to authenticate.
>>
>> (1) If students or teachers try to authenticate on the wired lan I
>> want my dot1x capable NAS to provide access only if the user has a
>> computer cert and valid domain credentials
>
> You enforce computer authentication on your hardware. If there is no mac
> auth bypass computer certificates will have to be used.
I am not sure what you mean by "mac auth bypass." Can you explain? I think I am able to enforce certificate usage all of the time, but I am not sure how to enforce it only on certain NAS and not require it on other NAS.

>
> Numbers of users should determine which policy (let's call this one
> wired_vlan) should go first.
>
>> (2) If students try to connect via the student wireless lan they must
>> only receive access if they are a member of the Active Directory based
>> "student wireless users group", e.g. no staff member should be able to
>> join.
>
> This is straightforward use of huntgroups/sqlhuntgroups in combination
> with Ldap-Group (your AD should be configured in ldap module).
>
>> (3) If teachers try to connect via the teacher wireless lan, I want
>> them to connect only if they HAVE a computer cert AND they have valid
>> credentials. e.g. only members of the Active Directory based "staff
>> group" using computers with a valid host credential may receive
>> access.
>
> This combination of two above.
>
> Create huntgroups/sqlhuntgroups wired_vlan, student_vlan and teacher_vlan.
> Then put this in authorize (inner-tunnel, where ldap + preprocess is
> enabled if you are using huntgroups file or you have ldap + unlang
> statements described in sql huntgroups howto):
>
> if(Huntgroup-Name == "student_vlan" && Ldap-Group == "student") {
>     ok
> }
> elsif(Huntgroup-Name == "wired_vlan") {
>     ok
> }
> elsif(Huntgroup-Name == "teacher_vlan" && Ldap-Group == "staff") {
>     ok
> }
> else {
>     reject
> }
>
> That will allow only users with valid credentials accessing with stated
> vlans or vlan/group combinations.

Thanks Ivan,

So this policy would check the huntgroup that the NAS was a member of and then go on to check if the user was part of the proper Ldap-Group, and assuming that both were true then access would be granted.

I am still not clear how some hunt groups will always require a host cert and others never will. Is this set in the hunt group?
Alan, I can't wait for your book to be published!

Thanks for your reply.

John

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
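As an added illustration of the huntgroups-plus-unlang approach Ivan describes (this is not configuration posted in the thread), here is a hypothetical huntgroups file that maps each NAS to one of the three names, followed by the authorize excerpt that consumes them. The NAS addresses, port types and the placement of the preprocess and ldap modules are assumptions for the example.

```unlang
# raddb/huntgroups (hypothetical; NAS addresses are constructed for the example)
# The preprocess module reads this file and sets Huntgroup-Name on the
# request for the first entry whose check items all match. One NAS per
# line; the same huntgroup name may appear on several lines.
wired_vlan      NAS-IP-Address == 192.0.2.10
wired_vlan      NAS-IP-Address == 192.0.2.11
student_vlan    NAS-IP-Address == 192.0.2.20, NAS-Port-Type == Wireless-802.11
teacher_vlan    NAS-IP-Address == 192.0.2.21, NAS-Port-Type == Wireless-802.11

# raddb/sites-enabled/inner-tunnel, authorize section (excerpt, other
# modules left out). preprocess must run before the policy so that
# Huntgroup-Name exists, and ldap must be configured so Ldap-Group can
# be evaluated against the directory groups named below.
authorize {
    preprocess
    ldap

    if (Huntgroup-Name == "student_vlan" && Ldap-Group == "student") {
        # Student wireless NAS and a member of the student group
        ok
    }
    elsif (Huntgroup-Name == "wired_vlan") {
        # Wired NAS: any directory user with valid credentials
        ok
    }
    elsif (Huntgroup-Name == "teacher_vlan" && Ldap-Group == "staff") {
        # Teacher wireless NAS and a member of the staff group
        ok
    }
    else {
        # Unknown NAS, or a user on the wrong NAS for their group:
        # reject here, before any credential check is attempted
        reject
    }
}
```

A request that reaches a NAS not listed in huntgroups carries no Huntgroup-Name at all, so it falls through to the final reject rather than silently matching a branch.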