Does anyone know if it's possible to use variables in Radius Return Attribute Policies with UAC? We are currently using a Juniper IC 4500 with release 3.1R5 for Network Access Control.
For 'dumb' devices (printers, terminals, ...) we use MAC-based authentication. All MAC addresses are stored in an LDAP database, along with an LDAP attribute that identifies the VLAN they belong to. When a device connects to a switch, the switch sends a RADIUS Request with the MAC address to the IC. The IC searches the LDAP database and returns the VLAN ID to the switch.
Right now, I have to define a separate Radius Return Attribute Policy for each VLAN and link that policy to a separate role. In the MAC Address Realm, I have to define a separate Role Mapping Rule for each VLAN, e.g.
* If the LDAP attribute for the MAC address (userAttr.vlanId) equals 2, then assign the role that is linked to the Return Attribute Policy with VLAN ID 2.
* If the LDAP attribute for the MAC address equals 3, then assign the role that is linked to the Return Attribute Policy with VLAN ID 3.
* And so on...
It would be nice if I could just create one Radius Return Attribute Policy and use a variable (<userAttr.vlanId>) to specify the Radius attribute value. Does anyone know if that is possible?
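
Added example, not part of the original post and not Juniper IC configuration: a Python sketch of the single-rule behaviour the post asks for, where the `vlanId` value looked up for a MAC address is substituted directly into the VLAN return attributes (the RFC 3580 tunnel attributes, encoded per RFC 2868) instead of being matched by one rule per VLAN. The `DIRECTORY` dict is a constructed stand-in for the LDAP database, and all function names are hypothetical.

```python
import re
import struct

# Constructed stand-in for the LDAP database: MAC address -> vlanId attribute.
DIRECTORY = {
    "001122334455": "2",
    "0011223344aa": "3",
    "0011223344bb": "9999",  # not a usable VLAN ID, must be rejected
}

TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
VLAN, IEEE_802 = 13, 6  # values RFC 3580 specifies for VLAN assignment


def normalize_mac(raw):
    """Drop separators so 00:11:22..., 00-11-22... and 0011.2233... all match."""
    mac = re.sub(r"[-:.]", "", raw).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", mac):
        raise ValueError("not a MAC address: %r" % raw)
    return mac


def tagged_int(attr_type, value, tag=0):
    """RFC 2868 integer attribute: type, length 6, tag byte, 3-byte value."""
    return struct.pack("!BBB", attr_type, 6, tag) + value.to_bytes(3, "big")


def vlan_return_attributes(raw_mac, directory=DIRECTORY):
    """Return the encoded Access-Accept attributes, or None to reject."""
    try:
        vlan_id = directory.get(normalize_mac(raw_mac))
    except ValueError:
        return None
    # Fail closed: unknown device, or an attribute that is not a VLAN ID.
    if vlan_id is None or not re.fullmatch(r"[0-9]{1,4}", vlan_id):
        return None
    if not 1 <= int(vlan_id) <= 4094:
        return None
    group = str(int(vlan_id)).encode("ascii")
    return (tagged_int(TUNNEL_TYPE, VLAN)
            + tagged_int(TUNNEL_MEDIUM_TYPE, IEEE_802)
            + struct.pack("!BB", TUNNEL_PRIVATE_GROUP_ID, 2 + len(group)) + group)
```

The range check matters once the value is substituted rather than matched: with one rule per VLAN an unexpected directory value simply matches nothing, whereas a substituted value goes to the switch as written unless it is validated first.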