Bug 25916 - VLAN assignment via 802.1x/RADIUS
Summary: VLAN assignment via 802.1x/RADIUS
Status: CLOSED FIXED
Alias: None
Product: UCS
Classification: Unclassified
Component: Radius
Version: UCS 4.4
Hardware: Other Linux
Importance: P5 enhancement
Target Milestone: UCS 5.0-1-errata
Assignee: Peter Stoll
QA Contact: Dirk Wiesenthal
URL: https://git.knut.univention.de/univen...
Keywords:
Depends on:
Blocks: 54662
Reported: 2012-01-25 08:03 CET by Sönke Schwardt-Krummrich
Modified: 2022-05-11 17:52 CEST

See Also:
What kind of report is it?: Feature Request
What type of bug is this?: ---
Who will be affected by this bug?: ---
How will those affected feel about the bug?: ---
User Pain:
Enterprise Customer affected?:
School Customer affected?: Yes
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number: 2022012621000922
Bug group (optional):
Customer ID: 00006
Max CVSS v3 score:


Description Sönke Schwardt-Krummrich univentionstaff 2012-01-25 08:03:51 CET
Besides the user name and (hashed) password, the MAC address of the WLAN
client, for example, is also transmitted to the RADIUS server. There are
extensions in IEEE 802.1x that can be used to tell a suitable access point
which VLAN the WLAN client should ultimately be connected to. It would then
be possible to split the WLAN clients into, for example, VLANs for
Internet-only and school-wide access.
However, it would significantly increase complexity (specifying the VLANs;
assigning VLANs by user name or MAC/computer; ...).
Comment 1 Michel Smidt 2017-04-03 15:29:40 CEST
It would be handy to send the role (student, teacher, admin, ...) back as well. Current enterprise switches/routers/APs can do quality of service on RADIUS attributes, and some potential customers asked me if this would be possible to include. A configuration like this could be used to shape the traffic based on role.
Comment 2 Jürn Brodersen univentionstaff 2021-06-10 16:36:18 CEST
Has been asked for again.
Moved to product ucs because the ucs@school radius implementation now builds on top of the ucs integration.
Comment 3 Dirk Schnick univentionstaff 2022-02-03 15:59:51 CET
Another customer asks for the feature. Ticket number attached.
Comment 4 Jürn Brodersen univentionstaff 2022-02-03 16:00:19 CET
A cool solution for this exists:
https://www.univention.de/blog-de/2017/10/wlan-fuer-schultraeger-byod-gyod/

The cool solution is using memberUid which is case sensitive. This is producing problems in a customer environment. We should change this to uniqueMember to be case insensitive.
Comment 7 Peter Stoll univentionstaff 2022-03-16 17:19:29 CET
Considering implementation according to the description in the issue epic: https://git.knut.univention.de/groups/univention/-/epics/110
Comment 8 Dirk Wiesenthal univentionstaff 2022-05-04 10:42:23 CEST
univention-radius.yaml
de9882c936b7 | Bug #25916: YAML

univention-radius (7.0.1-9)
ce701037fc04 | Bug #25916: Add new ldap attribute VLAN-ID to be added to the radius response according to RFC 3580

ucs-test (10.0.6-108)
ce701037fc04 | Bug #25916: Add new ldap attribute VLAN-ID to be added to the radius response according to RFC 3580

Documentation
e31b6b3a8142 | fixup! Bug #25916: Add new UCR variable to appendix
dda6e6a54ee9 | Bug #25916: Add new UCR variable to appendix
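
The commit above cites RFC 3580, which signals a VLAN with three RADIUS attributes: Tunnel-Type=VLAN (13), Tunnel-Medium-Type=802 (6) and Tunnel-Private-Group-ID set to the VLAN ID as a string. The following Python sketch is an added example, not code from univention-radius; the function names and the default tag of 1 are assumptions. It encodes those attributes from a directory-supplied VLAN ID, rejecting values outside 1..4094, and decodes them as an authenticator would.

```python
import struct

# Attribute numbers and values from RFC 2868 / RFC 3580.
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TYPE_VLAN, MEDIUM_IEEE_802 = 13, 6


def encode_vlan_attrs(vlan_id, tag=1):
    """Build the three RFC 3580 attributes as raw RADIUS TLV bytes."""
    vlan = int(str(vlan_id).strip())  # directory values arrive as strings
    if not 1 <= vlan <= 4094:  # 0 and 4095 are reserved VLAN IDs
        raise ValueError(f"VLAN ID out of range: {vlan}")
    if not 1 <= tag <= 0x1F:
        raise ValueError("tag must be in 1..31")

    def tagged_int(attr, value):
        # Type, Length=6, Tag, 3-byte big-endian value
        return struct.pack("!BBB", attr, 6, tag) + value.to_bytes(3, "big")

    group = str(vlan).encode("ascii")
    return (tagged_int(TUNNEL_TYPE, TYPE_VLAN)
            + tagged_int(TUNNEL_MEDIUM_TYPE, MEDIUM_IEEE_802)
            + struct.pack("!BBB", TUNNEL_PRIVATE_GROUP_ID, 3 + len(group), tag)
            + group)


def decode_vlan_attrs(data):
    """Return the VLAN ID an authenticator would apply, or None."""
    found, pos = {}, 0
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError("truncated attribute header")
        attr, length = data[pos], data[pos + 1]
        if length < 3 or pos + length > len(data):
            raise ValueError("malformed attribute length")
        body = data[pos + 2:pos + length]
        if attr in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            found[attr] = int.from_bytes(body[1:], "big")  # skip tag byte
        elif attr == TUNNEL_PRIVATE_GROUP_ID:
            # A first byte <= 0x1F is a tag, otherwise it starts the string.
            text = body[1:] if body[0] <= 0x1F else body
            found[attr] = text.decode("ascii", "replace")
        pos += length
    if (found.get(TUNNEL_TYPE) != TYPE_VLAN
            or found.get(TUNNEL_MEDIUM_TYPE) != MEDIUM_IEEE_802):
        return None  # without both, the group ID is not a VLAN assignment
    group = found.get(TUNNEL_PRIVATE_GROUP_ID, "")
    return int(group) if group.isdigit() and 1 <= int(group) <= 4094 else None
```

The decoder returns None unless all three attributes agree, so a stray Tunnel-Private-Group-ID on its own is not treated as a VLAN assignment.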
Comment 9 Dirk Wiesenthal univentionstaff 2022-05-11 14:02:37 CEST
Works on new installations: OK
Does not break on updates (Joinscript version was not increased): OK
Code: OK
Tests: OK
YAML: OK