Dynamic Vlan Allocation based on LDAP Attribute Value

Michael Schwartzkopff misch at multinet.de
Fri Feb 13 12:16:40 CET 2009


On Friday, 13 February 2009 11:54:29, Paul Dealy wrote:
> On Fri, Feb 13, 2009 at 9:12 PM, Michael Schwartzkopff
>
> <misch at multinet.de> wrote:
> > On Friday, 13 February 2009 11:00:10, Paul Dealy wrote:
> >> On Fri, Feb 13, 2009 at 6:37 PM, Michael Schwartzkopff
> >>
> >> <misch at multinet.de> wrote:
> >> > On Friday, 13 February 2009 07:17:17, Paul Dealy wrote:
> >> >> I have a working radius server (ver 1.1.3). which I am using for
> >> >> 802.1x authentication of wired switch ports.  I would like to
> >> >> dynamically assign users vlans.  I have cisco gear and have achieved
> >> >> basic vlan allocation by configuring a Default entry in the users
> >> >> file.   So the vlan allocation part works ok.
> >> >>
> >> >> What I want to be able to do is allocate the vlan by matching the
> >> >> value of an LDAP attribute.  Not by group membership, but the actual
> >> >> value of a users attribute.  Is this possible?
> >> >>
> >> >> Cheers,
> >> >> Dealy
> >> >
> >> > Yes. Just assign these attributes to the user object in LDAP.
> >>
> >> I have a value set for an attribute in LDAP, how do I "extract" the
> >> value from the attribute  and do a comparison on it in the users file
> >> so I can set the VLAN?
> >
> > Hi,
> >
> > I don't remember exactly what I did on version 1. Please see:
> > http://vuksan.com/linux/dot1x/802-1x-LDAP.html
> > for some hints.
> >
> > I had something like
> >
> > DEFAULT Auth-Type := LDAP
> >        Reply-Message = "Auth by LDAP"
> >
> > in my users file. Other attributes stored in an object of objectClass
> > radiusprofile should be added automatically to the Reply attributes.
>
> I don't actually want to add radiusprofile attributes to my LDAP.  The
> users already have an attribute which identifies their department.  I
> want to be able to say if "department attribute = X then allocate VLAN
> Y".  Can this be done without specifically setting the vlan etc as
> radiusprofile attributes.  Also I am not using ldap for the
> authentication, just authorization.  The authentication is done using
> ntlm_auth.

Then you would have to re-map some LDAP attribute of your objectClass to 
Tunnel-Private-Group-ID. The Tunnel-Type=VLAN and Tunnel-Medium-Type=IEEE-802 
could be set in the DEFAULT section of the users file.

Please see the ldap.attrmap in your raddb dir for the mapping of attributes.

Greetings,

-- 
Dr. Michael Schwartzkopff
MultiNET Services GmbH
Address: Bretonischer Ring 7; 85630 Grasbrunn; Germany
Tel: +49 - 89 - 45 69 11 0
Fax: +49 - 89 - 45 69 11 21
mob: +49 - 174 - 343 28 75

mail: misch at multinet.de
web: www.multinet.de

Registered office: 85630 Grasbrunn
Commercial register: Amtsgericht München HRB 114375
Managing directors: Günter Jurgeneit, Hubert Martens

---

PGP Fingerprint: F919 3919 FF12 ED5A 2801 DEA6 AA77 57A4 EDD8 979B
Skype: misch42
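The mapping Michael describes, written out as an added example that is not part of the thread: a replyItem line in ldap.attrmap plus the two constant tunnel attributes in the users file. The attribute name departmentVlan is a placeholder, and it assumes the ldap module is listed in the authorize section of radiusd.conf so that its reply items are added even though ntlm_auth does the authentication.

```text
# ldap.attrmap (in raddb): map the department attribute straight onto the
# reply attribute the switch reads for the VLAN. "departmentVlan" is a
# placeholder for whatever attribute the user objects actually carry.
# The value is copied as-is, so it must hold the VLAN name or number the
# switch accepts, not a department code that still needs translating;
# an "if department = X then VLAN Y" rule cannot be expressed here.
replyItem       Tunnel-Private-Group-Id         departmentVlan

# users file: the two attributes that are the same for every user.
# ntlm_auth keeps doing the authentication; ldap only contributes
# reply items from the mapping above.
DEFAULT
        Tunnel-Type = VLAN,
        Tunnel-Medium-Type = IEEE-802
```

Check the result with a test request and confirm that the Access-Accept carries all three tunnel attributes before pointing the switches at it, since a user whose attribute is empty gets no Tunnel-Private-Group-Id and lands in the port's default VLAN.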