groupmembership and vlan assignment

Matt Ashfield mda at unb.ca
Wed Jul 23 15:29:20 CEST 2008


Hello

We have been using the groupmembership attribute in radius.conf to assign
users to the appropriate vlans. Up until now we've done it based on the type
of LDAP user they are (ie, staff, student, faculty, etc..):

groupmembership_attribute = eduPersonPrimaryAffiliation, (where
eduPersonPrimaryAffiliation=staff, student, faculty, etc..)

Unfortunately, our student vlans have grown significantly large and we want
to take measures to make them smaller. We have looked into using LDAP
entitlement fields. There are however a few issues here:

- The eduPersonEntitlement attribute is not unique. A user record
  can have multiple instances of this attribute for each different entitlement
  they have.

- The eduPersonEntitlement attribute has a value that is not simply
  the name of a vlan. It is typically something like:

eduPersonEntitlement: urn:mace:uni.ca:wireless?vlan=student1

So I'd need to parse the value as well to pull out the vlan name, in this
case "student1".

I'm unsure how to get around these two issues. Any suggestions are welcome.

Thanks

Matt

mda at unb.ca
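
One way to handle both issues raised above, as an added example that is not part of the original post and is not FreeRADIUS code: pick the wireless entitlement out of the multi-valued attribute, parse the vlan name, and refuse malformed, unknown or conflicting values. The function names, the allowlist and the non-wireless sample entitlement are assumptions made for illustration.

```python
import re
from urllib.parse import parse_qs

# Assumptions (not from the post): the prefix is taken from the sample value,
# and the set of assignable VLAN names is maintained locally.
WIRELESS_PREFIX = "urn:mace:uni.ca:wireless?"
ALLOWED_VLANS = {"student1", "student2", "staff", "faculty"}  # constructed
VLAN_NAME = re.compile(r"[A-Za-z0-9_-]{1,32}")

# Constructed sample: the multi-valued attribute as read from one LDAP entry.
SAMPLE = [
    "urn:mace:uni.ca:library?access=full",
    "urn:mace:uni.ca:wireless?vlan=student1",
]


def vlan_from_entitlements(values):
    """Return the one VLAN name granted by the entitlement values, or None.

    Raises ValueError on malformed, unknown or contradictory values so the
    caller can reject the request or fall back to a default, never guess.
    """
    found = set()
    for value in values:
        if not value.startswith(WIRELESS_PREFIX):
            continue  # entitlement for some other service
        query = parse_qs(value[len(WIRELESS_PREFIX):], strict_parsing=True)
        names = query.get("vlan", [])
        if len(names) != 1 or not VLAN_NAME.fullmatch(names[0]):
            raise ValueError(f"malformed wireless entitlement: {value!r}")
        if names[0] not in ALLOWED_VLANS:
            raise ValueError(f"VLAN not on allowlist: {names[0]!r}")
        found.add(names[0])
    if len(found) > 1:
        raise ValueError(f"conflicting VLAN entitlements: {sorted(found)}")
    return found.pop() if found else None


def reply_attributes(vlan):
    """RFC 3580 tunnel attributes a RADIUS reply carries for a dynamic VLAN."""
    return {
        "Tunnel-Type": "VLAN",
        "Tunnel-Medium-Type": "IEEE-802",
        "Tunnel-Private-Group-Id": vlan,
    }


if __name__ == "__main__":
    print(reply_attributes(vlan_from_entitlements(SAMPLE)))
```
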

 
