Hello

We have been using the groupmembership attribute in radius.conf to assign users to the appropriate vlans. Up until now we’ve done it based on the type of LDAP user they are (i.e., staff, student, faculty, etc.):

groupmembership_attribute = eduPersonPrimaryAffiliation

(where eduPersonPrimaryAffiliation=staff, student, faculty, etc.)

Unfortunately, our student vlans have grown significantly large and we want to take measures to make them smaller. We have looked into using LDAP entitlement fields. There are however a few issues here:

- The eduPersonEntitlement attribute is not unique. A user record can have multiple instances of this attribute for each different entitlement they have.

- The eduPersonEntitlement attribute has a value that is not simply the name of a vlan. It is typically something like:

  eduPersonEntitlement: urn:mace:uni.ca:wireless?vlan=student1

  So I’d need to parse the value as well to pull out the vlan name, in this case “student1”.

I’m unsure how to get around these two issues. Any suggestions are welcome.

Thanks
Matt
mda@unb.ca
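
One way to handle the two issues raised in the message above, as an added example that is not part of the original post and is not FreeRADIUS code: a standalone Python function that scans every eduPersonEntitlement value on a user record, picks out the wireless one, and extracts the vlan name. The allowlist of vlan names, the fallback vlan and the choice to fall back when entitlements conflict are assumptions made for the illustration.

```python
from urllib.parse import parse_qs

# Assumptions for this example (not from the post): allowlist and fallback VLAN.
WIRELESS_URN = "urn:mace:uni.ca:wireless"   # URN form taken from the post
ALLOWED_VLANS = {"student1", "student2", "staff", "faculty"}
DEFAULT_VLAN = "quarantine"


def vlan_from_entitlements(values):
    """Map a multi-valued eduPersonEntitlement list to a single VLAN name.

    Only values of the form <WIRELESS_URN>?vlan=<name> are considered, and
    <name> must be on the allowlist. Anything ambiguous yields DEFAULT_VLAN,
    so a malformed or unexpected directory entry cannot select an arbitrary VLAN.
    """
    found = set()
    for raw in values:
        base, sep, query = raw.strip().partition("?")
        if base != WIRELESS_URN or not sep:
            continue                      # some other entitlement; ignore it
        vlans = parse_qs(query).get("vlan", [])
        if len(vlans) != 1:
            continue                      # vlan= missing, empty or repeated
        if vlans[0] in ALLOWED_VLANS:
            found.add(vlans[0])
    if len(found) == 1:
        return found.pop()
    return DEFAULT_VLAN                   # no match, or conflicting matches


# Constructed sample record: one unrelated entitlement plus the wireless one.
SAMPLE_ENTITLEMENTS = [
    "urn:mace:uni.ca:library?access=full",
    "urn:mace:uni.ca:wireless?vlan=student1",
]

if __name__ == "__main__":
    print(vlan_from_entitlements(SAMPLE_ENTITLEMENTS))
```

The same logic could run wherever the RADIUS server lets a script or policy see all values of the attribute; the returned name would then be used for VLAN assignment in place of the single-valued affiliation.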