UAC: use variables in RADIUS Return Attributes?

steven.deboeck_
New Contributor

Hi all,

Does anyone know if it's possible to use variables in RADIUS Return Attribute Policies with UAC? We are currently using a Juniper IC 4500 with release 3.1R5 for Network Access Control.

For 'dumb' devices (printers, terminals, ...) we use MAC-based authentication. All MAC addresses are stored in an LDAP database, along with an LDAP attribute that identifies the VLAN they belong to. When a device connects to a switch, the switch sends a RADIUS Request with the MAC address to the IC. The IC searches the LDAP database and returns the VLAN ID to the switch.

Right now, I have to define a separate RADIUS Return Attribute Policy for each VLAN and link that policy to a separate role. In the MAC Address Realm, I have to define a separate Role Mapping Rule for each VLAN, e.g.

* If the LDAP attribute for the MAC address (userAttr.vlanId) equals 2, then assign the role that is linked to the Return Attribute Policy with VLAN ID 2.

* If the LDAP attribute for the MAC address equals 3, then assign the role that is linked to the Return Attribute Policy with VLAN ID 3.

* And so on...

It would be nice if I could just create one RADIUS Return Attribute Policy and use a variable (<userAttr.vlanId>) to specify the RADIUS attribute value. Does anyone know if that is possible?

Best regards,

Steven

1 REPLY
Raveen_
Regular Contributor

Re: UAC: use variables in RADIUS Return Attributes?

Hi Steve,

There is no mechanism to map LDAP attributes to RADIUS defined ones in IC.

This may be possible with SBR.

Thank you.

Regards,

Raveen
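
The substitution asked about in the question, sketched outside any product as an added example (not IC or SBR configuration, and not code from either poster): one function turns the directory's `vlanId` value into VLAN return attributes and fails closed on a missing, multi-valued or out-of-range value. It assumes the RFC 2868 / RFC 3580 attribute trio (Tunnel-Type, Tunnel-Medium-Type, Tunnel-Private-Group-ID), which the thread does not name; the function names, entry layout and sample MAC addresses are constructed.

```python
import struct

# Attribute numbers and values from RFC 2868 / RFC 3580 (assumed; the page names none).
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN = 13   # Tunnel-Type = VLAN
TUNNEL_MEDIUM_802 = 6   # Tunnel-Medium-Type = IEEE 802


def _tagged_int(attr_type, value, tag=0):
    """Encode a tagged integer attribute: type, length 6, tag octet, 24-bit value."""
    return struct.pack("!BBB", attr_type, 6, tag) + value.to_bytes(3, "big")


def parse_vlan_id(raw):
    """Return a directory-sourced VLAN ID as int, or None if it is not 1..4094."""
    if isinstance(raw, bytes):
        raw = raw.decode("ascii", "replace")
    raw = str(raw).strip()
    if not (raw.isascii() and raw.isdigit() and len(raw) <= 4):
        return None
    vlan = int(raw)
    return vlan if 1 <= vlan <= 4094 else None


def vlan_return_attributes(entry, attr_name="vlanId"):
    """Build the VLAN attributes for an Access-Accept, or None to fail closed."""
    values = entry.get(attr_name, [])
    if len(values) != 1:   # missing or multi-valued attribute is ambiguous
        return None
    vlan = parse_vlan_id(values[0])
    if vlan is None:
        return None
    group = str(vlan).encode("ascii")
    return (_tagged_int(TUNNEL_TYPE, TUNNEL_TYPE_VLAN)
            + _tagged_int(TUNNEL_MEDIUM_TYPE, TUNNEL_MEDIUM_802)
            + struct.pack("!BB", TUNNEL_PRIVATE_GROUP_ID, 2 + len(group)) + group)


# Constructed sample directory entries keyed by MAC address.
DIRECTORY = {
    "00:11:22:33:44:55": {"vlanId": [b"3"]},
    "00:11:22:33:44:66": {"vlanId": [b"4095"]},      # out of range
    "00:11:22:33:44:77": {"vlanId": [b"2", b"3"]},   # ambiguous
}

if __name__ == "__main__":
    for mac, entry in DIRECTORY.items():
        attrs = vlan_return_attributes(entry)
        print(mac, attrs.hex() if attrs else "no VLAN returned")
```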