multiple ldap freeradius ssid
Alexander Clouter
alex at digriz.org.uk
Mon May 16 15:43:08 CEST 2011
seb2020 <girard.seb at gmail.com> wrote:
>
> I will do what you tell me! I will make one SSID and check with the group my
> user with the OU of the user.
>
> My user is, for example: user.group.locality.tree
>
> How can I retrieve the number of letters in my login name?
> And this verification, do I need to make it in this file /sites-available/inner-tunnel
> ? With something like that? But how can I retrieve the length of the
> username with this code? Use a regex?
>
> modules/ldap:
>
> ldap {
>     basedn = "ou=%{Tmp-String-0},o=XXX"
>     ...
> }
>
> sites-available/...
>
> authorize {
>     if (username have 3 letters) {
>         update request {
>             Tmp-String-0 = "ou=xx,ou=xx"
>         }
>     }
>     elsif (username have 8 letters) {
>         update request {
>             Tmp-String-0 = "ou=xx,ou=xx"
>         }
>     }
> }
>
That's not going to work too great, it's also horrible :)
If you do not have the option to use 'Ldap-Group' (you should be able to
use LDAP groups, otherwise, why are you using LDAP?) to test group
membership, then you will need to use something like what's below.
> Finally, I want to put my students in the VLAN students, and the staff in
> the VLAN staff
>
The 'RFC' way to do it is add something like the following to your
post-auth{} section ('authorize'/'authenticate' will Reject invalid
users):
----
# defaults
update reply {
    Tunnel-Type := VLAN
    Tunnel-Medium-Type := IEEE-802
    Tunnel-Private-Group-Id := "unauthorised"
    Termination-Action := RADIUS-Request
    Session-Timeout := 300
    Acct-Interim-Interval := 3600
}

if (request:User-Name =~ /^.{3}$/) {
    update reply {
        Tunnel-Private-Group-Id := "staff"
    }
}
elsif (request:User-Name =~ /^.{8}$/) {
    update reply {
        Tunnel-Private-Group-Id := "student"
    }
}

if (reply:Tunnel-Private-Group-Id != "unauthorised") {
    update reply {
        # Cisco only support a max of 65535
        Session-Timeout := 64800
    }
}
----
Aruba might expect something different, so you should check with *them*
(remember, this is a FreeRADIUS support mailing list, *not* an Aruba
one).
Cheers
--
Alexander Clouter
.sigmonster says: A vivid and creative mind characterizes you.
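
An added Python model of the post-auth policy in the message above (not FreeRADIUS code and not part of the original post), run over constructed User-Name values to show which ones match the two length regexes and which fall through to the default "unauthorised" VLAN with its 300-second timeout. The function names and sample names are assumptions made for the illustration.

```python
import re

# Reply defaults copied from the post-auth block in the message above.
DEFAULTS = {
    "Tunnel-Type": "VLAN",
    "Tunnel-Medium-Type": "IEEE-802",
    "Tunnel-Private-Group-Id": "unauthorised",
    "Termination-Action": "RADIUS-Request",
    "Session-Timeout": 300,
    "Acct-Interim-Interval": 3600,
}
# The two length tests, in if/elsif order (first match wins).
RULES = [(re.compile(r"^.{3}$"), "staff"), (re.compile(r"^.{8}$"), "student")]
CISCO_MAX_TIMEOUT = 65535  # limit quoted in the config comment


def post_auth(user_name):
    """Return the reply attributes the policy would send for user_name."""
    reply = dict(DEFAULTS)
    for pattern, vlan in RULES:
        if pattern.search(user_name):
            reply["Tunnel-Private-Group-Id"] = vlan
            break
    # Only users moved out of the default VLAN get the long session.
    if reply["Tunnel-Private-Group-Id"] != "unauthorised":
        reply["Session-Timeout"] = 64800
    return reply


def summarise(names):
    """Map each name to (VLAN, Session-Timeout) and check the timeout cap."""
    out = {}
    for name in names:
        reply = post_auth(name)
        if reply["Session-Timeout"] > CISCO_MAX_TIMEOUT:
            raise ValueError("Session-Timeout above the limit for " + name)
        out[name] = (reply["Tunnel-Private-Group-Id"], reply["Session-Timeout"])
    return out


# Constructed sample names; the dotted one follows the form quoted in the thread.
SAMPLES = ["abc", "abcd1234", "user.group.locality.tree", "abc@example.org", "ab"]

if __name__ == "__main__":
    for name, (vlan, timeout) in summarise(SAMPLES).items():
        print(f"{name!r:28} -> VLAN {vlan:13} Session-Timeout {timeout}")
```

The dotted and realm-decorated names stay in the default VLAN because both regexes are anchored to the whole User-Name, so any authenticated name that is not exactly 3 or 8 characters keeps the restrictive defaults.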