Re: IAS and dynamic vlans
- From: FenderAxe <fa@xxxxxxx>
- Date: 17 Oct 2006 08:17:22 GMT
jas0n <no@xxxxxxxxx> wrote in
news:MPG.1f975c1678a30d51989681@xxxxxxxxxxxxxxxxxxxx:
In article <1160568586.292812.34180@xxxxxxxxxxxxxxxxxxxxxxxxxxx>,
bt_hirosaito@xxxxxx says...
Hello Jason,
IAS can do this.
You will first have to choose an attribute how you want to assign your
vlan. Maybe based on the AD group membership, MAC Address or whatever.
And then you will only have to set up some attributes in your remote
access policies under "Advanced":
Just add the following:
Tunnel-Type -> VLAN
Tunnel-Medium-Type -> 802
Tunnel-Pvt-Group-ID -> The NAME of the VLAN you want to assign, not
the VLAN-ID !!
And on your Cisco switch you will only have to add one additional
command:
aaa authorization network default group radius
Then it will work.
Have fun !
Greetz Eric
Thanks for that ...
Is it possible to do this for multiple unconnected domains .. such as
several companies all sharing the same offices, network, etc but no
connection/trusts between their separate domains - can IAS query more
than one domain for this information?
Yes you can do this with IAS in Windows Server 2003, because you can
configure IAS as a proxy to forward requests to other domains. So let's say
you have a wireless AP and people from multiple domains (A, M, and Z) want
to log on to it in the same building.
Configure the AP as a RADIUS client of one IAS server, let's say in domain
M. Then configure the other IAS servers (in domains A and Z) in remote
RADIUS server groups and create a connection request policy for each
domain. So if the AP gets a connection request for domain A and one for
domain Z, it sends the connection request to the IAS proxy. Your proxy
policies tell IAS where to forward the requests for domain A and Z, even if
it is in domain M. Connection requests for users in domain M will be
processed locally. (And the IAS proxy has to be configured on domain A IAS
and domain Z IAS as a RADIUS client, too.)
The RADIUS server for each domain -- the IAS server that actually processes
the connection request -- then authenticates and authorizes the connection
request.
Authorization includes applying settings to the connection, which settings
you configure in remote access policy. So you add the VLAN attributes to
the remote access policy and IAS uses these to instruct the AP which VLAN
to put the client on. And what this means is you can even have multiple
VLANs per domain if you want. (Depends solely on the limitations or lack
thereof of your hardware like the AP.)
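
The three attributes named earlier in the thread, as they appear on the wire in an Access-Accept, with a check that the reply carries a complete VLAN assignment. This is an added example, not code from any poster in the thread; the attribute numbers and values come from RFC 2868 and RFC 3580, and the packet and the VLAN name "ENGINEERING" are constructed.

```python
ACCESS_ACCEPT = 2
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PVT_GROUP_ID = 64, 65, 81
TYPE_VLAN, MEDIUM_802 = 13, 6  # "VLAN" and "802" as numeric values (RFC 3580)

def tagged_int(tag, value):
    """Tunnel-Type / Tunnel-Medium-Type payload: 1 tag octet + 3-octet integer."""
    return bytes([tag]) + value.to_bytes(3, "big")

def build_accept(ident, attrs):
    """Build an Access-Accept; authenticator is zeroed (constructed sample only)."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    header = bytes([ACCESS_ACCEPT, ident]) + (20 + len(body)).to_bytes(2, "big")
    return header + bytes(16) + body

def parse_attrs(packet):
    """Return (code, [(type, value), ...]); raise ValueError on malformed input."""
    length = int.from_bytes(packet[2:4], "big")
    if len(packet) < 20 or not 20 <= length <= len(packet):
        raise ValueError("bad RADIUS length")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length or packet[pos + 1] < 2 or pos + packet[pos + 1] > length:
            raise ValueError("malformed attribute")
        attrs.append((packet[pos], packet[pos + 2:pos + packet[pos + 1]]))
        pos += packet[pos + 1]
    return packet[0], attrs

def vlan_assignment(packet):
    """VLAN string if the Accept carries the full, consistent triple, else None."""
    code, attrs = parse_attrs(packet)
    if code != ACCESS_ACCEPT:
        return None
    found = {}
    for atype, val in attrs:
        if atype in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE) and len(val) == 4:
            found[atype] = int.from_bytes(val[1:], "big")
        elif atype == TUNNEL_PVT_GROUP_ID and val:
            # Leading octet <= 0x1F is a tag; anything larger is already string data.
            found[atype] = (val[1:] if val[0] <= 0x1F else val).decode("utf-8", "replace")
    if found.get(TUNNEL_TYPE) != TYPE_VLAN or found.get(TUNNEL_MEDIUM_TYPE) != MEDIUM_802:
        return None  # switch or AP would have no valid VLAN instruction
    return found.get(TUNNEL_PVT_GROUP_ID)

# Constructed sample: the reply a policy with the three attributes would produce.
SAMPLE_ACCEPT = build_accept(7, [
    (TUNNEL_TYPE, tagged_int(1, TYPE_VLAN)),
    (TUNNEL_MEDIUM_TYPE, tagged_int(1, MEDIUM_802)),
    (TUNNEL_PVT_GROUP_ID, b"\x01ENGINEERING")])
```
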