Dynamic VLAN attribute in LDAP or AD?

Gary Gatten Ggatten at waddell.com
Mon Aug 24 18:14:19 CEST 2009


So, by looking at this more carefully I'll have to do a bunch of
if/else's or cases?  What if for instance I have 500 departments/groups
- 500 different vlans?  I'll have to test each one?

I guess what I was hoping to do was something like:

Get attribute "n" for user y (where n = a value used for
Tunnel-Private-Group-Id)

THEN do the processing you mentioned:

update reply {
        Tunnel-Type := "VLAN"
        Tunnel-Medium-Type := "IEEE-802"
        Tunnel-Private-Group-Id := "n"
}

Thoughts?

G
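One way to do the attribute-driven lookup asked about above, so that the VLAN tag comes straight from the directory instead of one if/else per group: an added example for a FreeRADIUS 2.x post-auth section, not code from this thread or from the FreeRADIUS project. It assumes rlm_ldap is configured as the instance "ldap", that user entries sit under ou=people,dc=example,dc=com, that the VLAN number is stored in a hypothetical per-user attribute "vlanId", and that the server's internal Tmp-String-0 attribute is available.

```unlang
# Added example: FreeRADIUS 2.x, raddb/sites-enabled/default.
# Assumptions: ldap module instance named "ldap"; users under
# ou=people,dc=example,dc=com; hypothetical attribute "vlanId" holds the
# numeric VLAN tag. No per-group branching is needed: the directory value
# drives the reply directly.
post-auth {
        # Fetch the first vlanId value for the authenticating user
        # (sAMAccountName for AD; use uid for a generic LDAP directory).
        update request {
                Tmp-String-0 := "%{ldap:ldap:///ou=people,dc=example,dc=com?vlanId?sub?(sAMAccountName=%{Stripped-User-Name:-%{User-Name}})}"
        }

        # Only a plain numeric tag is allowed into the reply. An empty or
        # free-text value (some switches accept VLAN names) never reaches
        # the NAS.
        if (Tmp-String-0 =~ /^[0-9]{1,4}$/) {
                update reply {
                        Tunnel-Type := "VLAN"
                        Tunnel-Medium-Type := "IEEE-802"
                        Tunnel-Private-Group-Id := "%{Tmp-String-0}"
                }
        }
        else {
                # No usable mapping: do not let the NAS fall back to its
                # default VLAN. Reject, or swap "reject" for an update
                # that assigns a quarantine VLAN.
                update reply {
                        Reply-Message := "No VLAN assignment for this account"
                }
                reject
        }
}
```

If the VLAN is to be kept on the group object rather than the user, the same xlat can be pointed at the group's DN once group membership has been resolved; the validation and fall-through logic stay the same.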


-----Original Message-----
From: Gary Gatten 
Sent: Monday, August 24, 2009 10:34 AM
To: 'FreeRadius users mailing list'
Cc: 'Jason Alderfer'
Subject: RE: Dynamic VLAN attribute in LDAP or AD?

I'm assuming I can do roughly the same thing with NTLM_AUTH?  I "have"
to use NTLM_Auth for 8021x (right? - at least all docs say this), so if
I don't HAVE to use LDAP all the better.

TIA!

Gary


-----Original Message-----
From: freeradius-users-bounces+ggatten=waddell.com at lists.freeradius.org
[mailto:freeradius-users-bounces+ggatten=waddell.com at lists.freeradius.org] On Behalf Of Jason Alderfer
Sent: Tuesday, August 18, 2009 2:18 PM
To: FreeRadius users mailing list
Subject: Re: Dynamic VLAN attribute in LDAP or AD?


> So, I'm trying to use 802.1x dynamic VLAN assignment.  I have this
> working when I conf the "users" file.  However, I don't want to
> create/maintain the users file for 2,000 users!
>
> Is there an attribute in AD / LDAP I can use for the dynamic VLAN?
> Ideally I could do this at the "Group" level, such that when a user
> moves from one group to another they're automagically assigned to the
> correct VLAN.

If you're using version 2.0.5 or higher you can do this with unlang as
follows.  This example sets the VLAN based on the user's DN, but you
should be able to modify it to look at your group membership attribute.
Repeat for all relevant LDAP groups.

# Match on the DN that rlm_ldap stored for the user after authorization.
if (control:Ldap-UserDn =~ /ou=div,o=org/i) {
        update reply {
                Tunnel-Type := "VLAN"
                Tunnel-Medium-Type := "IEEE-802"
                Tunnel-Private-Group-Id := 9
        }
}

