Integration with FreeRadius to work 802.1x and dynamic VLANs

Jon Knight J.P.Knight at lboro.ac.uk
Wed Jun 18 02:58:12 MDT 2014


On Tue, 17 Jun 2014, Christopher R. Hertel wrote:
> There is no integration between the two.  802.1x is a network access control
> protocol.  It works at a much lower level than Samba.  802.1x controls
> whether or not your device (workstation, tablet, smartphone, etc.) is
> permitted to send packets on the network.  Samba provides network file
> services.  These things occur at very different layers in the protocol stack.
>
> The only integration that would be sensible would be to use a common
> authentication database.  Samba might be useful there.  Once again, that
> integration would occur well above the 802.1x layer.

We use FreeRADIUS against our campus Active Directory (which is Windows 
server based rather than Samba).  Effectively the Linux-based FreeRADIUS
servers are bound into the AD using winbind (see, Samba is involved ;-) ) 
and then one of the configured authentication paths checks NTLM 
credentials against the AD and either allows or disallows access as a 
result.

You could also do LDAP lookups to find which groups users are in, which 
you can then combine with Perl scripting on the FreeRADIUS server to dump 
the users on whatever VLANs you want based on group membership.  You 
could, for example, add machines known to contain viral material into an 
"infected machines" group in the AD and then pop them on a restricted VLAN 
that only lets them see AV tools and patching/update sites.

But really this sort of question is probably better directed to the 
FreeRADIUS mailing lists as it is more a function of that package than 
Samba itself.

J.
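
The group-to-VLAN mapping described in the message above, sketched as an rlm_perl script. This is an added example, not part of the original post or the poster's configuration; the group names, VLAN IDs and the `My-AD-Group` attribute are hypothetical.

```perl
use strict;
use warnings;

# Hashes that rlm_perl shares with the script.
our (%RAD_REQUEST, %RAD_REPLY);

# rlm_perl return code (value as in FreeRADIUS's example.pl).
use constant RLM_MODULE_UPDATED => 8;

# Assumption: hypothetical group names and VLAN IDs. Order matters: the
# first match wins, so the quarantine group overrides any other membership.
my @POLICY = (
    [ 'infected machines' => 666 ],   # restricted: AV tools and update sites only
    [ 'staff'             => 10  ],
    [ 'students'          => 20  ],
);
my $DEFAULT_VLAN = 999;               # assumption: VLAN for users in no listed group

# Pure mapping: list of group names in, VLAN ID out (case-insensitive).
sub vlan_for_groups {
    my %member = map { lc($_) => 1 } @_;
    for my $rule (@POLICY) {
        return $rule->[1] if $member{ lc($rule->[0]) };
    }
    return $DEFAULT_VLAN;
}

# Called by FreeRADIUS after a successful authentication.
sub post_auth {
    # Assumption: an earlier LDAP lookup copied the user's AD groups into a
    # locally defined attribute, here called My-AD-Group (hypothetical).
    # rlm_perl passes multi-valued attributes as an array reference.
    my $g = $RAD_REQUEST{'My-AD-Group'};
    my @groups = !defined($g) ? () : ref($g) eq 'ARRAY' ? @$g : ($g);

    # RFC 3580 attributes a switch or AP uses for dynamic VLAN assignment.
    $RAD_REPLY{'Tunnel-Type'}             = 'VLAN';
    $RAD_REPLY{'Tunnel-Medium-Type'}      = 'IEEE-802';
    $RAD_REPLY{'Tunnel-Private-Group-Id'} = vlan_for_groups(@groups);
    return RLM_MODULE_UPDATED;
}

# Constructed sample input, run only when VLAN_DEMO is set in the environment.
if ($ENV{VLAN_DEMO}) {
    %RAD_REQUEST = ('User-Name' => 'alice', 'My-AD-Group' => ['Staff', 'Infected Machines']);
    post_auth();
    print "alice -> VLAN $RAD_REPLY{'Tunnel-Private-Group-Id'}\n";
}
1;
```

Listing the quarantine group first means a machine flagged as infected lands on the restricted VLAN even when its user also belongs to a group with wider access.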


More information about the samba-technical mailing list