Nobody replied to my original post, and I got to thinking: would I be able to use wildcards in my users file to achieve this when looking for which Ldap-Group the user has been placed in? i.e.

    DEFAULT FreeRADIUS-Proxied-To == 127.0.0.1, Huntgroup-Name == UNBFWSS, unbldap-Ldap-Group =~ ".*staff1", Autz-Type := Ldap1, Auth-Type := Ldap1

where unbldap-Ldap-Group gets set via

    groupmembership_attribute = eduPersonPrimaryAffiliation

and

    eduPersonEntitlement: urn:mace:uni.ca:wireless?vlan=staff1

in LDAP.

Thanks
Matt Ashfield
mda@unb.ca

From: freeradius-users-bounces+mda=unb.ca@lists.freeradius.org [mailto:freeradius-users-bounces+mda=unb.ca@lists.freeradius.org] On Behalf Of Matt Ashfield

Hello

We have been using the groupmembership attribute in radius.conf to assign users to the appropriate vlans. Up until now we've done it based on the type of LDAP user they are (ie, staff, student, faculty, etc.):

    groupmembership_attribute = eduPersonPrimaryAffiliation

(where eduPersonPrimaryAffiliation = staff, student, faculty, etc.)

Unfortunately, our student vlans have grown significantly large and we want to take measures to make them smaller. We have looked into using LDAP entitlement fields. There are however a few issues here:

- The eduPersonEntitlement attribute is not unique. A user record can have multiple instances of this attribute, one for each different entitlement they have.
- The eduPersonEntitlement attribute has a value that is not simply the name of a vlan. It is typically something like:

      eduPersonEntitlement: urn:mace:uni.ca:wireless?vlan=student1

  So I'd need to parse the value as well to pull out the vlan name, in this case "student1".

I'm unsure how to get around these two issues. Any suggestions are welcome.

Thanks
Matt
mda@unb.ca
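As an added example (not from the post, and not FreeRADIUS code), the Python below puts the two points raised in the thread side by side: pulling the vlan name out of a multi-valued eduPersonEntitlement, and why an unanchored users-file check such as `unbldap-Ldap-Group =~ ".*staff1"` also fires on a value like `vlan=staff10`. The sample entitlement values and the set of known VLANs are constructed; "uni.ca" is the placeholder realm from the post.

```python
import re

# Constructed sample eduPersonEntitlement values for one LDAP user record.
# The attribute is multi-valued and only some values name a wireless VLAN.
SAMPLE_ENTITLEMENTS = [
    "urn:mace:uni.ca:library?access=full",
    "urn:mace:uni.ca:wireless?vlan=student1",
    "urn:mace:uni.ca:wireless?vlan=staff10",
]

# Anchored pattern for the urn:mace:<realm>:wireless?vlan=<name> form.
# Anchoring both ends means a VLAN name is only taken from that exact shape.
WIRELESS_VLAN_RE = re.compile(r"^urn:mace:uni\.ca:wireless\?vlan=([A-Za-z0-9_-]+)$")


def wireless_vlans(entitlements):
    """Return the VLAN names carried by wireless entitlements, in LDAP order."""
    vlans = []
    for value in entitlements:
        m = WIRELESS_VLAN_RE.match(value)
        if m:
            vlans.append(m.group(1))
    return vlans


def users_file_regex_hit(entitlements, pattern):
    """Emulate an unanchored `attr =~ "pattern"` test against a multi-valued
    attribute: the entry matches if ANY value contains the pattern."""
    return any(re.search(pattern, value) for value in entitlements)


def vlan_for_user(entitlements, known_vlans):
    """Pick the VLAN to assign: the first parsed wireless VLAN that the RADIUS
    side actually knows about (constructed allow-list), or None if none match."""
    for vlan in wireless_vlans(entitlements):
        if vlan in known_vlans:
            return vlan
    return None


if __name__ == "__main__":
    print(wireless_vlans(SAMPLE_ENTITLEMENTS))                        # ['student1', 'staff10']
    print(users_file_regex_hit(SAMPLE_ENTITLEMENTS, ".*staff1"))      # True: 'staff10' contains 'staff1'
    print(vlan_for_user(SAMPLE_ENTITLEMENTS, {"staff1", "student1"}))  # 'student1'
```

Matching on the parsed name against a known-VLAN set avoids the prefix collision that the `.*staff1` wildcard has, and handles the multi-valued attribute explicitly instead of relying on whichever value the LDAP module happens to expose.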