# LAN

## Basics

1. To create a LAN rule, add an **item** under the **Rule collection** hive and select **LAN Rule**.
2. Give the rule a **Name** that explains what the rule is used for. A descriptive name also makes it easy to identify the authentication requests processed by this rule in your logs later on.
3. Do not forget to **Enable** the rule! A disabled rule is never applied to incoming requests.

<figure><img src="https://1222554226-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FSWU1DQ4UGkqER7uGNUOm%2Fuploads%2FUOUphTbSTuuLth3qbJPY%2Fimage.png?alt=media&#x26;token=2db549d8-e8c2-478f-aed2-5359dee73cdf" alt=""><figcaption></figcaption></figure>

## Authentication

Under the **Authentication** hive, your first choice is whether to allow or decline **Certificate-based** and **Username/Password-based** authentication for this rule.

<figure><img src="https://1222554226-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FSWU1DQ4UGkqER7uGNUOm%2Fuploads%2FJIHnZ7xbdp7PokWFvhmC%2Fimage.png?alt=media&#x26;token=e3880e99-3190-4526-b5b6-8a1c322c6493" alt=""><figcaption><p>Showing LAN authentication</p></figcaption></figure>

### **Certificate-based authentication**

For certificate-based authentication you have the following options to further constrain which incoming authentication requests the rule accepts.

#### Allow only specific CAs (Trusted CAs)

This allows you to narrow down incoming authentication requests to specific trusted root or issuing CAs. Those CAs can be a subset of all Trusted Roots you have configured on the RADIUSaaS platform. Restricting a rule to the CAs that actually issue your client certificates is the control that keeps a certificate chaining to some other, unrelated trusted root from satisfying this rule.

<figure><img src="https://1222554226-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FSWU1DQ4UGkqER7uGNUOm%2Fuploads%2Fc184Hbgpc7A4pXwVijBu%2Fimage.png?alt=media&#x26;token=ef578c60-f94d-45de-b8ae-abb4d0a8c860" alt=""><figcaption><p>Showing Trusted Root CA filtering</p></figcaption></figure>

#### Filter for Intune IDs

This is a historical setting. If your clients authenticate with the certificates they received during the AAD-Join, you want to filter for your Intune Tenant ID.

In case you have entered your Tenant IDs as described [here](https://docs.radiusaas.com/admin-portal/trusted-roots#intune-id), the default behaviour of RADIUSaaS is that only machines presenting a certificate with extension OID **1.2.840.113556.5.14** and an allow-listed value for the Tenant ID will get access to the network. With the rule engine, you now have the option to further restrict access to specific Intune IDs for a specific rule, or to ignore the certificate extension altogether. This allows you to run a multi-deployment setup, where some clients come with certificates carrying the respective OID and some do not.

<figure><img src="https://1222554226-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FSWU1DQ4UGkqER7uGNUOm%2Fuploads%2FrCV0pP2IQokPNWmoC7uf%2Fimage.png?alt=media&#x26;token=72ba2cba-a6be-4612-b9e5-cc0ba292927d" alt=""><figcaption><p>Showing Intune ID filtering</p></figcaption></figure>

### Username/Password-based authentication

After enabling **Username/Password-based** authentication, you can apply additional filtering by configuring a regular expression on the **Username**. By default, all usernames are accepted.

<figure><img src="https://1222554226-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FSWU1DQ4UGkqER7uGNUOm%2Fuploads%2FM3HNz7JIAE9cyljyKe6J%2Fimage.png?alt=media&#x26;token=3fe45cc1-a4cd-44b0-9dd7-f4c715f64211" alt=""><figcaption><p>Showing Username / Password-based authentication</p></figcaption></figure>
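The following is an added example, not code from RADIUSaaS, showing why the username regex should be anchored. The page does not state whether the rule engine performs a full match or a substring search, nor whether matching is case-sensitive, so the helper below assumes the weakest case (a substring search, `re.search`) and relies on the pattern itself carrying `^`/`$`. The usernames are constructed sample data.

```python
import re
from typing import List

# Constructed sample usernames as they might arrive in authentication requests.
SAMPLE_USERNAMES = [
    "alice@corp.example.com",                  # legitimate corporate account
    "bob@corp.example.com.attacker.example",   # look-alike realm
    "mallory@example.corp",
    "host/printer01.corp.example.com",         # machine-style name, no '@'
    "CORP\\carol",                             # down-level logon name
]

# Unanchored: matches anything that merely *contains* the corporate realm.
UNANCHORED = r"corp\.example\.com"
# Anchored: the realm must be the entire suffix, and a local part must precede it.
ANCHORED = r"^[a-z0-9._-]+@corp\.example\.com$"
# What "Default is all Usernames" corresponds to as a regex.
MATCH_ALL = r".*"


def username_matches(pattern: str, username: str) -> bool:
    """Return True if the rule's regex accepts the username.

    Assumption: substring search (the weakest mode), so anchoring is the
    pattern author's job. Case handling is left as in the pattern.
    """
    return re.search(pattern, username) is not None


def filter_usernames(pattern: str, usernames: List[str]) -> List[str]:
    """Apply the rule's username regex to a list of usernames."""
    return [u for u in usernames if username_matches(pattern, u)]


if __name__ == "__main__":
    for name, pattern in [("unanchored", UNANCHORED), ("anchored", ANCHORED), ("match-all", MATCH_ALL)]:
        print(name, "->", filter_usernames(pattern, SAMPLE_USERNAMES))
```

The unanchored pattern lets the look-alike realm and the machine-style name through; the anchored pattern accepts only the corporate account. When you configure the filter in the portal, write the pattern as if the engine did the least strict thing.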

## Configuration

Under the **Configuration** hive you can configure additional filter criteria based on the origin of authentication requests, as well as assign VLAN IDs and additional RADIUS return attributes.

### Switch filter

{% hint style="info" %}
This MAC address filter allows you to permit specific **switches** to communicate with RADIUSaaS. **This is not a MAC address filter for endpoints!** Keep in mind that a MAC address is an identifier, not a credential: the filter scopes which switches a rule applies to, but it does not replace the RADIUS shared secret or RadSec for authenticating the switch itself.
{% endhint %}

To set a **MAC-Address-based** switch filter, either select **Addresses** or **Groups**.

* If you select **Addresses**, you can specify multiple switch MAC addresses.
* If you select **Groups**, you can reference one or more of your pre-defined **MAC Address Groups**.

<figure><img src="https://1222554226-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FSWU1DQ4UGkqER7uGNUOm%2Fuploads%2FuFN1nqVZ9KsHylsfaENq%2Fimage.png?alt=media&#x26;token=6100905d-d909-434c-9ac9-e8ed295a3a5a" alt=""><figcaption><p>Showing MAC address filtering</p></figcaption></figure>

The following notations are supported for the MAC addresses:

* xx-xx-xx-xx-xx-xx
* xx:xx:xx:xx:xx:xx
* xxxxxxxxxxxx
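As an added example (not RADIUSaaS code), the following normalises the three supported notations to one canonical form, resolves a rule's **Addresses** and **Groups** into a single set of switch MACs, and checks a request's switch MAC against it. The group names and MAC addresses are constructed. Two assumptions are labelled in the code: that a rule with neither addresses nor groups has no switch filter, and that a malformed address never matches.

```python
import re
from typing import Dict, FrozenSet, Iterable, List, Optional

# Constructed example of pre-defined MAC Address Groups (not real devices).
MAC_GROUPS: Dict[str, List[str]] = {
    "core-switches": ["00-11-22-AA-BB-01", "00:11:22:aa:bb:02"],
    "branch-switches": ["001122AABB10", "00-11-22-AA-BB-11"],
}

# One pattern per supported notation, keyed by the separator to strip.
_NOTATIONS = {
    "-": re.compile(r"(?:[0-9a-f]{2}-){5}[0-9a-f]{2}"),
    ":": re.compile(r"(?:[0-9a-f]{2}:){5}[0-9a-f]{2}"),
    "": re.compile(r"[0-9a-f]{12}"),
}


def normalize_mac(mac: str) -> str:
    """Canonicalise a MAC written in any of the three notations to 12 lowercase hex digits.

    Mixed separators, wrong length or non-hex characters raise ValueError rather
    than silently producing a value that would never match anything.
    """
    s = mac.strip().lower()
    for sep, pattern in _NOTATIONS.items():
        if pattern.fullmatch(s):
            return s.replace(sep, "") if sep else s
    raise ValueError(f"unsupported MAC notation: {mac!r}")


def build_switch_filter(addresses: Optional[Iterable[str]] = None,
                        groups: Optional[Iterable[str]] = None) -> Optional[FrozenSet[str]]:
    """Resolve a rule's switch filter (Addresses and/or Groups) to a set of canonical MACs.

    Returns None when neither is configured; assumption: that means "no switch filter".
    An unknown group name is a configuration error and is reported, not ignored.
    """
    addresses = list(addresses or [])
    groups = list(groups or [])
    if not addresses and not groups:
        return None
    macs = {normalize_mac(a) for a in addresses}
    for g in groups:
        if g not in MAC_GROUPS:
            raise KeyError(f"unknown MAC Address Group: {g!r}")
        macs.update(normalize_mac(a) for a in MAC_GROUPS[g])
    return frozenset(macs)


def switch_allowed(switch_filter: Optional[FrozenSet[str]], switch_mac: str) -> bool:
    """Decide whether a request from the given switch MAC passes the rule's switch filter."""
    if switch_filter is None:
        return True
    try:
        return normalize_mac(switch_mac) in switch_filter
    except ValueError:
        return False  # assumption: a malformed identifier never matches a filter


if __name__ == "__main__":
    f = build_switch_filter(addresses=["00:11:22:AA:BB:FF"], groups=["core-switches"])
    print(sorted(f))
    print(switch_allowed(f, "001122AABB01"), switch_allowed(f, "00-11-22-aa-bb-10"))
```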

### VLAN assignment

{% hint style="info" %}
In case you require vendor-specific VLAN return attributes, you can manage them [here](https://docs.radiusaas.com/admin-portal/settings/general-structure#vlan-attributes).
{% endhint %}

The RADIUSaaS rule engine provides several ways to assign VLAN IDs. The following options are available:

#### Static

* Statically specify the VLAN ID that should be assigned whenever this rule matches

#### By Certificate Extension

{% hint style="info" %}
Currently it is not supported to add custom certificate extensions to SCEP profiles in many MDM systems, including Microsoft Intune and JAMF.

We therefore recommend using the [Certificate Subject Name](#by-certificate-subject-name) of the certificate instead to add a VLAN assignment.
{% endhint %}

* Select one of your created Certificate Extensions
* The filter matches the value of the specified extension (OID) against the pattern you configure
* Wildcards (`*`) in the pattern are translated to `.*` in the resulting regex

#### By Certificate Subject Name Property

You can also assign VLAN IDs based on properties in the Subject Name of your certificate. For example, if you want to assign VLAN 15 and you use Intune to define and deploy your SCEP profile, configure the **Subject name format** in your SCEP profile as `CN={{DeviceId}},`**`OU=vlan-15`**

<figure><img src="https://1222554226-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FSWU1DQ4UGkqER7uGNUOm%2Fuploads%2Fsh5zSDL1dCVenDgS8cdq%2Fimage.png?alt=media&#x26;token=2dac4a32-6616-4f8c-8169-29c095cae282" alt=""><figcaption><p>Showing VLAN ID configuration in SCEP Device Certificate</p></figcaption></figure>

Once the profile is deployed, go back to **RADIUSaaS** > **Rules**, specify in which property the VLAN ID is stored and configure the string the VLAN ID is prefixed with, e.g. `vlan-`.

{% hint style="info" %}
The VLAN ID is not required to have a prefix. However, a prefix is useful in case your Subject Name carries the same attribute more than once (e.g. several CNs are quite common), because it tells the rule engine which of the repeated values holds the VLAN ID.
{% endhint %}

As an example, the following rule assigns VLAN ID 15 based on the `Subject Name` attribute `OU` prefixed with `vlan-`. Since the VLAN ID is read from the certificate, whoever controls the Subject Name your CA issues controls the resulting VLAN; keep the SCEP profile and the CA's issuance policy locked down accordingly.

<figure><img src="https://1222554226-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FSWU1DQ4UGkqER7uGNUOm%2Fuploads%2F5aDliFWCsqDh2dd9wXkr%2Fimage.png?alt=media&#x26;token=a9cd28b9-36dc-4fad-99b8-d55244bc66f8" alt=""><figcaption><p>Showing VLAN filtering</p></figcaption></figure>

![](https://content.gitbook.com/content/SWU1DQ4UGkqER7uGNUOm/blobs/BkaDrlChuy8gxYtQFwnJ/image.png)

### Additional RADIUS attributes

{% hint style="info" %}
In case you require return attributes that are not available by default, please add them [here](https://docs.radiusaas.com/admin-portal/settings/general-structure#radius-attributes).
{% endhint %}

The RADIUSaaS rule engine provides several ways to return additional RADIUS attributes (besides the VLAN ID). The following options are available:

#### Static

Statically specify the return attribute(s) and their value(s) which should be assigned based on the related rule.

#### By Certificate Extension

{% hint style="info" %}
Currently it is not supported to add custom certificate extensions to SCEP profiles in many MDM systems, including Microsoft Intune and JAMF.

We therefore recommend using the [Certificate Subject Name](#by-certificate-subject) of the certificate instead to return additional RADIUS attributes.
{% endhint %}

* Select one of your created Certificate Extensions
* The value of the specified extension (OID) is matched against the pattern you configure and used as the value of the specified return attribute
* Wildcards (`*`) in the pattern are translated to `.*` in the resulting regex

#### By Certificate Subject Name Property

* You can also return additional RADIUS attributes based on properties in the Subject Name of your certificate
* To do so, specify in which property the return attribute value is stored
* Then, configure the string the return attribute value is prefixed with
* The value provided in the Subject Name property is not required to have a prefix. However, a prefix can be required in case your Subject Name carries the same attribute more than once (e.g. several CNs are quite common).
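The following is an added example, not RADIUSaaS code, that serves both the VLAN assignment and the additional-return-attribute sections above: it splits a certificate Subject Name into its attributes (keeping repeated attributes and their order), picks the value of a given attribute by prefix, derives a VLAN ID from it, and translates a wildcard pattern for a certificate extension into a regex. The Subject Name is constructed. Assumptions labelled in the code: the rule engine's regex is anchored (the page only says `*` becomes `.*`), and a VLAN ID outside 1 to 4094 is rejected.

```python
import re
from typing import List, Optional, Tuple

# Constructed Subject Name with two CNs and two OUs, as an Intune SCEP profile
# with a format like "CN={{DeviceId}},CN=Device,OU=vlan-15,OU=acl-guest,O=..." would yield.
SAMPLE_SUBJECT = (
    "CN=1a2b3c4d-0000-0000-0000-000000000001,CN=Device,"
    "OU=vlan-15,OU=acl-guest,O=Contoso\\, Ltd"
)


def parse_subject(dn: str) -> List[Tuple[str, str]]:
    """Split an RFC 4514-style Subject Name string into (attribute, value) pairs.

    Handles backslash-escaped commas inside values; repeated attributes are kept
    in order, which is what makes prefixes necessary when an attribute recurs.
    """
    rdns, buf, i = [], [], 0
    while i < len(dn):
        c = dn[i]
        if c == "\\" and i + 1 < len(dn):   # escaped character, take it literally
            buf.append(dn[i + 1])
            i += 2
            continue
        if c == ",":
            rdns.append("".join(buf))
            buf = []
        else:
            buf.append(c)
        i += 1
    rdns.append("".join(buf))
    pairs = []
    for rdn in rdns:
        rdn = rdn.strip()
        if rdn:
            attr, _, value = rdn.partition("=")
            pairs.append((attr.strip().upper(), value.strip()))
    return pairs


def value_from_subject(dn: str, attribute: str, prefix: str = "") -> Optional[str]:
    """Return the first value of `attribute` starting with `prefix`, prefix stripped, else None."""
    for attr, value in parse_subject(dn):
        if attr == attribute.upper() and value.startswith(prefix):
            return value[len(prefix):]
    return None


def vlan_from_subject(dn: str, attribute: str = "OU", prefix: str = "vlan-") -> Optional[int]:
    """Derive the VLAN ID the rule would assign, or None if no usable value is present.

    Assumption: only the normal VLAN range 1..4094 is accepted.
    """
    raw = value_from_subject(dn, attribute, prefix)
    if raw is None or not raw.isdigit():
        return None
    vid = int(raw)
    return vid if 1 <= vid <= 4094 else None


def wildcard_to_regex(pattern: str) -> "re.Pattern":
    """Translate a rule's wildcard pattern: '*' becomes '.*', everything else is literal.

    Assumption: the resulting regex is anchored to the whole extension value.
    """
    return re.compile("^" + ".*".join(re.escape(p) for p in pattern.split("*")) + "$")


def extension_matches(pattern: str, extension_value: str) -> bool:
    """Check a certificate extension value against a wildcard pattern from a rule."""
    return wildcard_to_regex(pattern).fullmatch(extension_value) is not None


if __name__ == "__main__":
    print(parse_subject(SAMPLE_SUBJECT))
    print("VLAN:", vlan_from_subject(SAMPLE_SUBJECT))
    print("ACL attribute value:", value_from_subject(SAMPLE_SUBJECT, "OU", "acl-"))
    print(extension_matches("site-*-prod", "site-berlin-prod"))
```

With `OU` repeated, the prefix is what lets the rule pick `vlan-15` for the VLAN and `acl-guest` for a separate return attribute from the same certificate; without a prefix the first `OU` value would be used for both.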
