ldap filter depending on NAS

Alan DeKok aland at deployingradius.com
Thu Apr 23 10:59:00 CEST 2009


Matthieu Lazaro wrote:
> OK, so tell me where to implement complex policies?

  I've been trying.

  You need to write down what you have (in RADIUS packets, LDAP, etc.).
 You need to write down what you want (contents of reply packets,
behaviors, etc.).  You then need to write down a process for converting
one into the other.

  This is programming.  It is practically and theoretically impossible
to describe how to write any program.  You MUST figure it out for yourself.

> And when you say "that cannot be implemented with the LDAP module", do
> you mean that all those fields added by RADIUS-LDAPv3.schema are useless?

  Ah, yes.  You didn't get *exactly* what you wanted, so you're looking
for ways to fight back, and claim that the software is crappy.

> And finally, can you say that when a dumb user plugs in the wrong VLAN,
> like an admin VLAN, I cannot deny him or put him automatically in the
> right VLAN with radius?

  I didn't say that, and no amount of distortion of my messages could
lead you to believe I said that.

  You seem to have turned my response of "assign users into a vlan",
into "you cannot assign users into a vlan".  While ingenious, it is
distinctly unproductive.

  As a simple hint: Why the HELL do you care which VLAN the user is
requesting?  Just assign them to the right VLAN.  If the switch doesn't
enforce that VLAN assignment, then BLAME THE SWITCH.  Don't blame
FreeRADIUS, like most people do in this situation.

  Again, you are going out of your way to create complexity where none
is necessary.  This causes you to be confused about how the server
works.  It causes you to try to configure impossible things.  It causes
you to be rude on the list when we tell you "don't do it that way."

  Alan DeKok.
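For illustration of the "just assign them to the right VLAN" hint above, here is an added unlang fragment for the post-auth section of a FreeRADIUS virtual server (example configuration written for this page, not from the thread or the FreeRADIUS project). It assumes the ldap module already ran in authorize so that Ldap-Group comparisons work, and the group names and VLAN IDs are made up.

```unlang
# raddb/sites-enabled/default, post-auth section (added example, assumed layout)
# The server decides the VLAN from the user's LDAP group and ignores
# whatever VLAN the user or NAS happened to request.  Enforcement of the
# returned VLAN is the switch's job, not the RADIUS server's.
post-auth {
    # "staff" and "guests" are hypothetical group names; VLAN IDs are made up.
    if (Ldap-Group == "staff") {
        update reply {
            Tunnel-Type := VLAN
            Tunnel-Medium-Type := IEEE-802
            Tunnel-Private-Group-Id := "100"
        }
    }
    elsif (Ldap-Group == "guests") {
        update reply {
            Tunnel-Type := VLAN
            Tunnel-Medium-Type := IEEE-802
            Tunnel-Private-Group-Id := "200"
        }
    }
    else {
        # No known group means no VLAN to hand out: reject instead of
        # letting the user stay on the VLAN they plugged into.
        reject
    }
}
```

The mapping from group to VLAN is the "process for converting one into the other" the post asks you to write down; the switch is expected to move the port to the returned VLAN regardless of the one it was on.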


