filter-ID 是其中一個attribute 定義在 RFC RADIUS
https://tools.ietf.org/html/rfc2865
主要目的是可以根據access-accept 所傳回的attribute來分群組
但是NAS也需要設定支援這些attribute 才行。
RADIUS其中也定義包含有filter id 以外的attributes
merraki 的文章,精簡文的參考
https://documentation.meraki.com/MR/Group_Policies_and_Blacklisting/Using_RADIUS_Attributes_to_Apply_Group_Policies
4/28/2016
dynamic VLAN configuration
dynamic VLAN configuration
Topology
2008 R2 NPS server
active directory need to config group, and add user account into group
NPS->network policy set 3 attributes for dynamic VLAN
tunnel-type :vlan
tunnel-medium-type :802.1X
tunnel-private-group-ID : 4
4/27/2016
2008 R2 NPS server set group and class or filter-id attribute
class and filter-ID is applying for identify the user group in "access-accept" of RADIUS packets, and then NAS will base on this attribute to identify the user role.
In general, freeradius can create account + class attribute for grouping users
But NPS can't bind user account and group at the same time.
The followings guide how to build relationship to account and class attribute.
1.create group at active directory
2.bind user into group
3.create network policy + configure class attribute, like teacher or student
4.configure class attribute, remove service type and frame protocol first
Once user authenticated successfully, the account will earn a user role for group the users. Like teacher and student and then managed them by firewall policy.
In general, freeradius can create account + class attribute for grouping users
But NPS can't bind user account and group at the same time.
The followings guide how to build relationship to account and class attribute.
1.create group at active directory
2.bind user into group
3.create network policy + configure class attribute, like teacher or student
Once user authenticated successfully, the account will earn a user role for group the users. Like teacher and student and then managed them by firewall policy.
訂閱:
文章 (Atom)