UC Davis Information & Educational Technology

Preferred VLAN Attribute in LDAP (For Use By RADIUS Server)

Lead

Tom Arons, Infrastructure Architect: tgarons@ucdavis.edu; (530) 752-1750

Status
  • We have identified several candidate VLANs, both in and out of IET. We will be asking the sysadmins for user lists. Once this is done we can move forward with the static population of LDAP with the preferred VLAN, which is phase one of the project.
Goals
  • Enable department network administrators to populate the campus LDAP servers with lists of users authorized to access departmental VLANs via wireless connections
  • Implement an attribute that can be used by identity engines (the RADIUS server) in policy to select a preferred VLAN, rather than the default MobilenetX.
  • Extend department VLANs into wireless infrastructure (limited access to VLAN information/file shares)
  • Incorporate as a standard feature in controller-based wireless upgrade (anywhere access to VLAN information/file shares)
  • Establish equivalent or better security than a wired connection
  • Address current security issues with numerous de-centralized deployments of wireless systems.
Target Audience
  • All campus wireless users who would like or need access to a departmental VLAN.
Implementation Approach

Proof of Concept:
Phase I (March 2007)

  • Define a preferred VLAN attribute in LDAP for multiple department static deployment (loaded manually based on info provided by departmental SysAdmins)
  • Modifications to existing LDAP (preferred VLAN attribute) and lists of users from network SysAdmins
  • Estimated time needed: 1 week

Phase II (Spring 2007)

  • Create multiple valued “eligible” VLAN attribute, statically populated by info provided by departmental SysAdmins
  • Further modifications to LDAP (eligible VLAN attribute) and human readable VLAN lookup table (see above)
  • VLAN lookup table translating existing VLAN codes to human readable descriptions
  • End User GUI allowing users to select preferred VLAN from eligible VLANs
  • End User GUI – will likely reside on existing hardware
  • Estimated time needed: 2-3 weeks
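The following is an added example, not code from the UC Davis project, showing the policy decision the Goals section and Phases I and II describe: a RADIUS server reads the user's preferred VLAN and the multi-valued eligible VLAN attribute from LDAP, honours the preference only when it is also on the eligible list (the eligible list is what the departmental SysAdmin authorised; the preference is what the user picked in the Phase II GUI), and otherwise falls back to the default MobilenetX. The attribute names (preferredVLAN, eligibleVLAN), the directory entries and the VLAN lookup table are all constructed for illustration and are assumptions, not the campus schema. The VLAN assignment attributes on the Access-Accept follow RFC 3580.

```python
"""Added example: VLAN selection policy a RADIUS server could apply to the
LDAP attributes this project proposes. Attribute names, directory entries and
the VLAN lookup table are constructed (assumed), not the campus directory."""

DEFAULT_VLAN = "MobilenetX"          # default wireless VLAN named on the page
VLAN_MIN, VLAN_MAX = 1, 4094         # valid IEEE 802.1Q VLAN ID range

# Constructed: human-readable VLAN lookup table (the Phase II table)
VLAN_TABLE = {
    "MobilenetX": "Default campus wireless VLAN",
    "101": "Example department A workstations",
    "202": "Example department B file shares",
}

# Constructed: LDAP entries as the RADIUS server would see them after lookup.
# Attribute names preferredVLAN / eligibleVLAN are assumptions for this example.
DIRECTORY = {
    "alice": {"preferredVLAN": ["101"], "eligibleVLAN": ["101", "202"]},
    "bob":   {"preferredVLAN": ["202"], "eligibleVLAN": ["101"]},   # preference not eligible
    "carol": {"eligibleVLAN": ["202"]},                               # no preference set
    "dave":  {},                                                      # no VLAN attributes
    "eve":   {"preferredVLAN": ["4095"], "eligibleVLAN": ["4095"]},   # out-of-range value
}


def valid_vlan_id(value):
    """Accept only numeric 802.1Q VLAN IDs in range; rejects junk in the directory."""
    return value.isdigit() and VLAN_MIN <= int(value) <= VLAN_MAX


def select_vlan(entry):
    """Return the VLAN to assign for one LDAP entry.

    Policy: the preferred VLAN is honoured only if it is also listed as eligible.
    Anything else (missing, malformed, or not authorised) falls back to the
    default VLAN, so a bad or edited preference can never reach a VLAN the
    department did not authorise for that user.
    """
    eligible = {v for v in entry.get("eligibleVLAN", []) if valid_vlan_id(v)}
    preferred = entry.get("preferredVLAN", [])
    if preferred and preferred[0] in eligible:
        return preferred[0]
    return DEFAULT_VLAN


def radius_vlan_attributes(vlan):
    """Build the RFC 3580 tunnel attributes an Access-Accept carries for VLAN assignment."""
    if vlan == DEFAULT_VLAN:
        return {}   # no tunnel attributes: the controller keeps its default VLAN
    return {
        "Tunnel-Type": "VLAN",              # enumerated value 13
        "Tunnel-Medium-Type": "IEEE-802",   # enumerated value 6
        "Tunnel-Private-Group-ID": vlan,
    }


def authorize(username):
    """Look the user up (constructed directory) and decide VLAN plus reply attributes."""
    entry = DIRECTORY.get(username, {})
    vlan = select_vlan(entry)
    return {
        "user": username,
        "vlan": vlan,
        "description": VLAN_TABLE.get(vlan, "unknown VLAN"),
        "radius_attributes": radius_vlan_attributes(vlan),
    }


if __name__ == "__main__":
    for user in DIRECTORY:
        print(authorize(user))
```

In the Phase I deployment only the preferred attribute exists and is loaded manually by IET from SysAdmin-provided lists, so it is authoritative on its own; once users can set their own preference in Phase II, the membership check against the eligible list is what keeps the user-editable attribute from becoming an authorisation decision.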

Production:
Phase III (TBD)

  • Administrative GUI for departmental SysAdmin that allows them to populate a user list of eligible VLANs and an authorization list for VLAN (Network Administrator List)
  • Administrative GUI and Network Contact List on existing hardware
  • Estimated time needed: TBD