VLAN Queries [SEC=UNCLASSIFIED]

Ranner, Frank MR Frank.Ranner at defence.gov.au
Thu May 3 03:24:23 CEST 2007


> -----Original Message-----
> From: freeradius-users-bounces+frank.ranner=defence.gov.au at lists.freeradius.org
> [mailto:freeradius-users-bounces+frank.ranner=defence.gov.au at lists.freeradius.org]
> On Behalf Of Jacob Jarick
> Sent: Wednesday, 2 May 2007 18:28
> To: FreeRadius users mailing list
> Subject: VLAN Queries
> 
> Salutations all,
> 
> I will be attempting VLAN assignment tomorrow via FR + ADS + 
> cisco wap.
> 
> 1st Question: Is it possible to assign VLAN based solely on 
> what ldap server authorized it? (The sites we are looking @ 
> have 1 domain server for staff and 1 for students).
> 
> 2: I've been looking @ Mat Ashfield's email query regarding 
> vlans, it looks nice and straightforward to me, my only 
> query: Is the ldap group automatically fetched or is some 
> extra configuration needed under the ldap modules or ldap.attrmap?
> 
> Mat's example:
> 
> DEFAULT Huntgroup-Name == mySWITCH1, Ldap-Group == staff
>       User-Name=`%{User-Name}`,
>       Tunnel-Private-Group-Id=176,
>       Tunnel-Type=VLAN,
>       Fall-Through = no
> 
> DEFAULT Huntgroup-Name == mySWITCH1, Ldap-Group == student
>       User-Name=`%{User-Name}`,
>       Tunnel-Private-Group-Id=177,
>       Tunnel-Type=VLAN,
>       Fall-Through = no
> 

An ldap group query is triggered by the presence of the Ldap-Group 
attribute in the users file. The query uses the groupmembership_filter 
to locate the entry relevant to the user and matches the groupname in 
the groupmembership_attribute. For active directory, you probably want the 
memberOf attribute in the person record.

Something like (in the ldap { } module section of radiusd.conf):
        # find the person record by logon name
        groupmembership_filter = "(sAMAccountName=%{Stripped-User-Name:-%{User-Name}})"
        # the person-record attribute that lists the user's group DNs
        groupmembership_attribute = memberOf
        # the attribute on the group entry holding the name that Ldap-Group is compared with
        groupname_attribute = cn


Regards
Frank Ranner
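As an added example that is not part of this thread and not FreeRADIUS code, the Python script below simulates, offline, how the two DEFAULT entries quoted above resolve once rlm_ldap has read a user's memberOf values from Active Directory: the users file is walked top to bottom, the first entry whose Huntgroup-Name and Ldap-Group checks both pass supplies the reply items, and Fall-Through = no stops the search. The directory contents, user names and the switch name "mySWITCH1" are constructed sample data; the Tunnel-Medium-Type = IEEE-802 reply item is my addition (the quoted entries omit it, but RFC 3580 and most switches and access points expect it alongside Tunnel-Type and Tunnel-Private-Group-Id); and the DN matching is a simplification of the follow-up group lookup rlm_ldap performs, not its actual code.

```python
"""Added example (not from the original thread): an offline simulation of
how FreeRADIUS resolves the users-file entries quoted above once rlm_ldap
reads a user's memberOf values from Active Directory.  Directory records,
user names and the huntgroup name are constructed sample data.
"""
from typing import Dict, List, Optional

# Constructed sample of what the sAMAccountName lookup would return:
# logon name -> memberOf values (group DNs) on the person record.
SAMPLE_DIRECTORY: Dict[str, List[str]] = {
    "jjarick":  ["CN=staff,OU=Groups,DC=school,DC=local",
                 "CN=Domain Users,CN=Users,DC=school,DC=local"],
    "student1": ["CN=student,OU=Groups,DC=school,DC=local"],
    "guest":    [],   # authenticated but in no VLAN-mapped group
}

# The two DEFAULT entries from the thread, in file order.  Huntgroup-Name
# is whatever the huntgroups file maps the NAS to (assumed "mySWITCH1").
USERS_FILE = [
    {"huntgroup": "mySWITCH1", "ldap_group": "staff",   "vlan": 176},
    {"huntgroup": "mySWITCH1", "ldap_group": "student", "vlan": 177},
]


def dn_leading_value(dn: str) -> str:
    """Value of the first RDN of a DN ('staff' from 'CN=staff,OU=...').
    Honours backslash-escaped commas, which AD uses in names such as
    'CN=Sales\\, EMEA,...'."""
    chars = []
    i = 0
    while i < len(dn):
        c = dn[i]
        if c == "\\" and i + 1 < len(dn):   # escaped char: take literally
            chars.append(dn[i + 1])
            i += 2
            continue
        if c == ",":                         # end of the first RDN
            break
        chars.append(c)
        i += 1
    _attr, _, value = "".join(chars).partition("=")
    return value.strip()


def ldap_group_matches(member_of: List[str], group_name: str) -> bool:
    """Simplified stand-in for rlm_ldap's Ldap-Group comparison with
    groupmembership_attribute = memberOf: a value matches if it equals the
    check value outright, or is a DN whose leading RDN (the group's cn)
    equals it.  Case-insensitive, as cn is in AD.  Nested groups are not
    expanded here (memberOf lists direct membership only)."""
    want = group_name.lower()
    return any(
        v.lower() == want or dn_leading_value(v).lower() == want
        for v in member_of
    )


def vlan_reply(username: str, huntgroup: str,
               directory: Dict[str, List[str]] = SAMPLE_DIRECTORY,
               users_file: List[dict] = USERS_FILE) -> Optional[Dict[str, str]]:
    """Walk the users file top to bottom; the first entry whose
    Huntgroup-Name and Ldap-Group checks both pass supplies the reply
    items, and Fall-Through = no stops the search.  Returns None when no
    entry matches, i.e. the NAS gets no VLAN attributes at all."""
    member_of = directory.get(username)
    if member_of is None:
        return None
    for entry in users_file:
        if huntgroup != entry["huntgroup"]:
            continue
        if not ldap_group_matches(member_of, entry["ldap_group"]):
            continue
        return {
            "Tunnel-Type": "VLAN",              # value 13
            "Tunnel-Medium-Type": "IEEE-802",   # value 6; RFC 3580 expects it
            "Tunnel-Private-Group-Id": str(entry["vlan"]),
        }
    return None


if __name__ == "__main__":
    for user, nas in [("jjarick", "mySWITCH1"), ("student1", "mySWITCH1"),
                      ("guest", "mySWITCH1"), ("jjarick", "mySWITCH2")]:
        print(f"{user:9} via {nas}: {vlan_reply(user, nas)}")
```

The two cases worth checking before going live are the ones that return None: a user who authenticates but is in neither group, and a user arriving through a NAS whose Huntgroup-Name matches no entry. In both cases the Access-Accept carries no VLAN attributes, so what VLAN the client lands on depends entirely on the switch or access point's own default, which is usually not what you want for an unclassified guest.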



