Identity and Policy Control
Reply
Visitor
willem.redelijkheid@getronics.
Posts: 3
Registered: ‎02-03-2011
0
Accepted Solution

[UAC] Creating location awareness in role mapping

Hi all,

 

I've a customer with a Juniper Network (FW, EX-Switches, UAC, SA, the works). They have a 10+ story building with (Juniper) wireless. Wireless is implemented with two Wireless Controllers. The idea is to assign the users on each floor a specific VLAN for that floor. Wireless authentication is done by using 802.1x (UAC). The reason for this is that we want to limit the amount of users to max 500 per vlan (/23).

 

Since all the AP's are connected to the Wireless Controllers I only have 1 RADUIS source address for filtering on originating traffic. The RADIUS messages contain the name and SSID of the Access Point used by the client, so I can filter on that (especially if we use a good naming convention for the AP's).

The only problem is that RADIUS Request Policies can ONLY be used in selecting a realm. While it would be more logical to have this attribute on the role mapping part in the UAC. Having one realm with multiple role-mappings is more logical than working with a lot of realms with only one role-mapping per realm. I would also guess that processing realm could be more CPU/performance intensive that the role-mapping part.

 

So, with the current situation I would need to create 10+ REALMS (at least one for every floor) if I want to assign wireless users in the VLAN for their floor.

 

B.t.w. Static VLAN assignment is not an option. Same goes for different SSID's etc. for each floor.

 

I appreciate any insights into this matter.

Distinguished Expert
Raveen
Posts: 562
Registered: ‎04-15-2010
0

Re: [UAC] Creating location awareness in role mapping

Hi,

 

Yes, your use-case requires 10 different realms.

You might not be able to do role-mapping based on Radius-attributes if authentication server is system-local, AD, LDAP etc.. However, role-mapping based on radiu-attributes is allowed if backend is again another Radius server.

 

Radius request policies are available at realm level to enforce the checks or restrictrictons even before actual authentication and it makes perfect sense to me.

 

Role mapping happens after authentication against local or backend server, and it is costly operation.

 

Note: If I have answered your question, you could mark this post as accepted solution, that way it would help others as well. A kudos will be bonus thanks!!

 

Thank you.

 

Regards,

Raveen

Note: If this answers your question, you could mark this post as accepted solution, that way it helps others as well. Kudos will be cool if I earned it!
Copyright© 1999-2013 Juniper Networks, Inc. All rights reserved.