LDAP - dynamic membership checking

Jens Weibler jens.weibler at h-da.de
Sat Dec 31 16:35:47 CET 2011

On 31.12.2011 10:56, Christian Kölpin wrote:
> I'm stuck while testing with LDAP and Radius. I got Radius to work
> with user authorisation against LDAP and authentication against
> kerberos. Even if I set a "simple" membership checking in ./modules/ldap
> it works fine.
> My problem is, I have several NAS (some APs, switches, VPN servers).
> Depending on the NAS, another group membership should be checked. For
> example a user with memberships in "wireless" and "office-vpn" should
> get access if the request comes from the APs or a specific VPN server.
> Can someone give me a hint how to set up such a scenario?

My solution:

DEFAULT Huntgroup-Name == "switches", Ldap-Group == "coolguys"
         Tunnel-Type = VLAN,
         Tunnel-Medium-Type = "IEEE-802",
         Tunnel-Private-Group-ID = "1337"

# Switch XY
all             NAS-IP-Address == X.Y.Z.131, NAS-Port >= 1,NAS-Port <= 30
coolguys    NAS-IP-Address == X.Y.Z.131, NAS-Port >= 31,NAS-Port <= 40

Jens Weibler

Hochschule Darmstadt
University of Applied Sciences

Fachbereich Informatik
Schöfferstr. 8b
D-64295 Darmstadt
Tel  +49 6151 16-8425
Fax +49 6151 16-8935
jens.weibler at h-da.de
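
The same huntgroup pattern applied to the scenario in the question, as an added example that is not part of the original thread. The huntgroup names `aps` and `office-vpn-servers` and the 192.0.2.x addresses are constructed placeholders; the LDAP group names are the ones from the question. It assumes the preprocess module populates Huntgroup-Name and that the LDAP module instance is named `ldap`, so the group check attribute is `Ldap-Group`.

```text
# ---- raddb/huntgroups -------------------------------------------
# Map each NAS to a huntgroup. Several lines may share one name.
# Addresses are constructed placeholders (documentation range).
aps                 NAS-IP-Address == 192.0.2.10
aps                 NAS-IP-Address == 192.0.2.11
office-vpn-servers  NAS-IP-Address == 192.0.2.20

# ---- raddb/users ------------------------------------------------
# Entries are evaluated top to bottom and the first match wins
# (no Fall-Through set), so each "allow" entry must come before
# the "reject" entry for the same huntgroup.

# Access points: only members of LDAP group "wireless".
DEFAULT Huntgroup-Name == "aps", Ldap-Group == "wireless"

DEFAULT Huntgroup-Name == "aps", Auth-Type := Reject
        Reply-Message = "Not a member of group wireless"

# The specific VPN server: only members of LDAP group "office-vpn".
DEFAULT Huntgroup-Name == "office-vpn-servers", Ldap-Group == "office-vpn"

DEFAULT Huntgroup-Name == "office-vpn-servers", Auth-Type := Reject
        Reply-Message = "Not a member of group office-vpn"

# Fail closed (an assumption about the desired policy): a request
# from a NAS that is in no huntgroup above matches none of the
# earlier entries and is rejected here instead of being accepted
# on a valid password alone.
DEFAULT Auth-Type := Reject
        Reply-Message = "NAS not mapped to an access policy"
```

The allow entries set no Auth-Type, so authentication still proceeds through whatever the authorize section already selected (Kerberos in the question); only the group decision is made here.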
