filter-ID study

filter-ID 是其中一個attribute 定義在 RFC RADIUS
https://tools.ietf.org/html/rfc2865

主要目的是可以根據access-accept 所傳回的attribute來分群組
但是NAS也需要設定支援這些attribute 才行。

RADIUS其中也定義包含有filter id 以外的attributes

merraki 的文章，精簡文的參考
https://documentation.meraki.com/MR/Group_Policies_and_Blacklisting/Using_RADIUS_Attributes_to_Apply_Group_Policies

dynamic VLAN configuration

dynamic VLAN configuration

Topology

 2008 R2 NPS server

active directory need to config group, and add user account into group

NPS->network policy set 3 attributes for dynamic VLAN

tunnel-type :vlan

tunnel-medium-type :802.1X

tunnel-private-group-ID : 4

2008 R2 NPS server set group and class or filter-id attribute

class and filter-ID is applying for identify the user group in "access-accept" of RADIUS packets, and then NAS will base on this attribute to identify the user role.

In general, freeradius can create account + class attribute for grouping users
But NPS can't bind user account and group at the same time.
The followings guide how to build relationship to account and class attribute.

1.create group at active directory

2.bind user into group

3.create network policy + configure class attribute, like teacher or student

4.configure class attribute, remove service type and frame protocol first

Once user authenticated successfully, the account will earn a user role for group the users. Like teacher and student and then managed them by firewall policy.