assigning vlan based on LDAP attribute

Matt Ashfield mda at unb.ca
Wed Sep 27 18:07:13 CEST 2006


I'm a bit confused on this one.

I want my users vlan'd based on their affiliation (i.e., staff, student). In my
radiusd.conf file, under ldap, I've put:

groupmembership_attribute = eduPersonPrimaryAffiliation

Do I need to do more in my radiusd.conf file than that?


I assume this means assign them to a group based on the value stored in the
LDAP field eduPersonPrimaryAffiliation.

I then added to my users file:
DEFAULT Huntgroup-Name == myAP, Ldap-Group == staff
       User-Name=`%{User-Name}`,
       Tunnel-Medium-Type=IEEE-802,
       Tunnel-Private-Group-Id=2,
       Tunnel-Type=VLAN,
       Fall-Through = no

But this doesn't seem to work. My staff users do not get assigned to vlan 2.
Do I need to make a huntgroup for myAP? 

If there's a link to an overview or something, it would be much appreciated.

Any help is appreciated.

Thanks

Matt 
mda at unb.ca 


-----Original Message-----
From: Thibault Le Meur [mailto:Thibault.LeMeur at supelec.fr] 
Sent: July 28, 2006 5:37 PM
To: FreeRadius users mailing list; Thibault Le Meur
Cc: mda at unb.ca; FreeRadius users mailing list
Subject: Re: assigning vlan based on LDAP attribute

> One way to do that is to use LDAP groups. If your users are in 
> dedicated LDAP groups, then a rule like the following in your "users" 
> file will do the trick:
> DEFAULT Huntgroup-Name == myAP, Ldap-Group == Engineering
>        User-Name=`%{User-Name}`,
>        radiusTunnelMediumType: IEEE-802
>        radiusTunnelType: VLAN
>        radiusTunnelPrivateGroupId: 2
>        Fall-Through = no

Sorry... my mistake, use the following rule instead:

DEFAULT Huntgroup-Name == myAP, Ldap-Group == Engineering
       User-Name=`%{User-Name}`,
       Tunnel-Medium-Type=IEEE-802,
       Tunnel-Private-Group-Id=2,
       Tunnel-Type=VLAN,
       Fall-Through = no

Thibault
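
The files this thread refers to, put side by side as an added example (not part of either poster's message): a huntgroups entry so that "Huntgroup-Name == myAP" has something to match, and users rules keyed on the LDAP attribute. The NAS address 192.0.2.10 and the student VLAN ID 3 are constructed values, and the layout assumes a stock FreeRADIUS install with the preprocess, files and ldap modules.

```conf
# Added example; NAS address and the student VLAN ID are constructed values.

# --- huntgroups (read by the preprocess module) ---
# Requests arriving from this NAS get Huntgroup-Name = myAP added to them.
# Without a matching entry here, "Huntgroup-Name == myAP" never matches.
myAP            NAS-IP-Address == 192.0.2.10

# --- radiusd.conf, inside the existing ldap { } section ---
# Ldap-Group is compared against the values of this attribute in the
# user's LDAP entry (a group name or a group DN).
#       groupmembership_attribute = eduPersonPrimaryAffiliation

# --- radiusd.conf, authorize { } section ---
# preprocess must be listed before files, so that Huntgroup-Name exists
# by the time the users file is evaluated.

# --- users ---
# Check items go on the first line; reply items are indented and separated
# by commas, with no comma after the last one.
DEFAULT Huntgroup-Name == myAP, Ldap-Group == staff
        Tunnel-Type = VLAN,
        Tunnel-Medium-Type = IEEE-802,
        Tunnel-Private-Group-Id = 2,
        Fall-Through = no

DEFAULT Huntgroup-Name == myAP, Ldap-Group == student
        Tunnel-Type = VLAN,
        Tunnel-Medium-Type = IEEE-802,
        Tunnel-Private-Group-Id = 3,
        Fall-Through = no
```

Running the server in debug mode (radiusd -X) shows which users entry, if any, matched a given request.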




