Dynamic VLAN attribute in LDAP or AD?

Jason Alderfer jha2 at emu.edu
Tue Aug 18 21:18:09 CEST 2009


> So, I'm trying to use 802.1x dynamic VLAN assignment.  I have this
> working when I conf the "users" file.  However, I don't want to
> create/maintain the users file for 2,000 users!
>
> Is there an attribute in AD / LDAP I can use for the dynamic VLAN?
> Ideally I could do this at the "Group" level, such that when a user
> moves from one group to another they're automagically assigned to the
> correct VLAN.

If you're using version 2.0.5 or higher you can do this with unlang as
follows.  This example sets the vlan based on the user's DN, but you
should be able to modify it to look at your group membership attribute. 
Repeat for all relevant ldap groups.

if (control:Ldap-UserDn =~ /ou=div,o=org/i) {
        update reply {
             Tunnel-Type := "VLAN"
             Tunnel-Medium-Type := "IEEE-802"
             Tunnel-Private-Group-Id := 9
        }
}
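
The group-based variant the reply describes, as an added example that is not part of the original post. It assumes rlm_ldap's group lookup is configured for the directory and that the block runs after the ldap module; the group names and VLAN IDs are constructed placeholders.

```unlang
# Added example (not from the original post): choose the VLAN from LDAP
# group membership instead of the user's DN.
# "staff", "students" and the VLAN IDs 10, 20 and 999 are placeholders.
# The first matching branch wins, so list the groups in order of
# precedence for users who belong to more than one.
if (Ldap-Group == "staff") {
        update reply {
             Tunnel-Type := "VLAN"
             Tunnel-Medium-Type := "IEEE-802"
             Tunnel-Private-Group-Id := "10"
        }
}
elsif (Ldap-Group == "students") {
        update reply {
             Tunnel-Type := "VLAN"
             Tunnel-Medium-Type := "IEEE-802"
             Tunnel-Private-Group-Id := "20"
        }
}
else {
        # No listed group matched: send an explicit restricted VLAN so the
        # user does not land on whatever VLAN the switch port defaults to.
        update reply {
             Tunnel-Type := "VLAN"
             Tunnel-Medium-Type := "IEEE-802"
             Tunnel-Private-Group-Id := "999"
        }
}
```

With this layout a change of group in the directory takes effect at the user's next 802.1X authentication, with no per-user entries in the "users" file.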
