This article shows how the RADIUS attribute "Filter-Id" can be used to dynamically apply different roles to wireless end devices according to the group of the user or PC.
[ Active Directory configuration ]
The PC named EXTREME-PC is registered as a member of the domain.
This PC is assigned to the group named MAC-PC.
An NPS policy for this group of PCs is created on the NPS server, and it returns the RADIUS attribute Filter-Id, whose value is the same as the role name in EWC. In the case below, it is "MACBOOK".
[ NPS configuration on Windows 2012 server ]
[ role configuration on Identifi controller ]
- The Filter-Id name and the role name configured on the controller must be the same.
[ policy rule of the role ]
[ cos configuration of the role ]
As a result, traffic from the PC named EXTREME-PC is classified as QP3 according to the role configured on the Identifi controller.
[ Switch config ]
create qosprofile "QP3"
configure dot1p type 3 qosprofile QP3
[ result ]
# show ports 47 qosmonitor no-refresh
Port Qos Monitor
Port      QP1      QP2      QP3      QP4      QP5      QP6      QP7      QP8
          Pkt      Pkt      Pkt      Pkt      Pkt      Pkt      Pkt      Pkt
          Xmts     Xmts     Xmts     Xmts     Xmts     Xmts     Xmts     Xmts
=================================================================
47        1659     0        1379024  0        0        0        0        110
[ Authentication result on NPS ]
The result shows that this PC matched the condition named MAC BOOK.
A different role named CIL_MOD1 is applied to another user named wuser1, even though this user is also connected to the same SSID named test1.
[ client information on Identifi controller ]
Identifi also has another feature named VLAN ID & role mapping. It is possible to apply a dynamic role based on the Tunnel-Private-Group-ID.
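The Filter-Id to role matching described above can be checked offline against a captured Access-Accept. The following is an added example, not code from the original article or from the controller: it parses the RADIUS attributes, extracts Filter-Id (type 11) and compares it with the configured role names. The function names, the exact case-sensitive comparison and the fallback role "DEFAULT" are assumptions, and the packets are constructed samples.

```python
import struct

ACCESS_ACCEPT = 2
FILTER_ID = 11  # RFC 2865 attribute type

def build_packet(code, attrs, ident=1):
    """Constructed sample builder: zeroed authenticator, not a valid signed reply."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH16s", code, ident, 20 + len(body), b"\0" * 16) + body

def parse_attributes(packet):
    """Return (code, [(type, value), ...]) after validating every length field."""
    if len(packet) < 20:
        raise ValueError("shorter than RADIUS header")
    code, _ident, length, _auth = struct.unpack("!BBH16s", packet[:20])
    if length < 20 or length > len(packet):
        raise ValueError("bad packet length")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        attrs.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return code, attrs

def resolve_role(packet, controller_roles, default_role="DEFAULT"):
    """Return (role, reason). Assumption: no exact match means the default role."""
    code, attrs = parse_attributes(packet)
    if code != ACCESS_ACCEPT:
        return None, "not an Access-Accept"
    filter_ids = [v.decode("utf-8", "replace") for t, v in attrs if t == FILTER_ID]
    for fid in filter_ids:
        if fid in controller_roles:  # exact, case-sensitive comparison (assumption)
            return fid, "Filter-Id matched role"
    if filter_ids:
        return default_role, f"Filter-Id {filter_ids!r} matches no role"
    return default_role, "no Filter-Id in reply"

ROLES = {"MACBOOK", "CIL_MOD1"}  # role names taken from the article

if __name__ == "__main__":
    # Constructed replies: a matching Filter-Id and a misspelled one.
    good = build_packet(ACCESS_ACCEPT, [(1, b"host/EXTREME-PC"), (FILTER_ID, b"MACBOOK")])
    typo = build_packet(ACCESS_ACCEPT, [(FILTER_ID, b"Macbook")])
    print(resolve_role(good, ROLES))
    print(resolve_role(typo, ROLES))
```

A reply whose Filter-Id does not match any role is reported with the offending value, which is the case to look for when a client lands in an unexpected role.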