LDAP Group assign to vlan after AD user authentication
Arnaud Loonstra
arnaud at z25.org
Mon Jan 23 14:48:51 CET 2012
On 01/19/2012 11:25 AM, James wrote:
> Hi,
>
> I've successfully set up a radius server to support 802.1x
> authentication using peap mschapv2 and samba to authenticate users
> against AD.
> To do this I followed configuration on the freeradius.org website and
> the AD integration howto on deployingradius.com, thank you very much
> for writing these!
>
> I now need to assign the vlan due to membership of some group in AD
> and I understand that an ldap lookup is needed.
>
> Where in the configuration do I check this group and map it to a vlan?
> Can I do it as a default entry in the users file or is it needed
> somewhere else?
>
> Thank you very much,
>
> James
Hi James,
I don't know anything about AD and I presume you are using the latest FR.
I'm currently testing an ldap-group check in authorize using unlang:
This is part of a switch statement:
case 'NAS-Prompt-User' {
        my-ldap
        # Check if the user is a member of a certain group
        if (Ldap-Group == "cn=mygroup,ou=groups,o=radius") {
                update reply {
                        Service-Type := "Administrative-User"
                }
        }
        # else DENY
        else {
                update control {
                        Auth-Type := reject
                }
        }
}
But I reckon you could also do something like that in the post-auth section:
if (Ldap-Group == "cn=mygroup,ou=groups,o=radius") {
        update reply {
                Tunnel-Type = VLAN
                Tunnel-Medium-Type = IEEE-802
                Tunnel-Private-Group-Id = 1
        }
}
This works for me :) It might for AD as well.
Rg,
Arnaud
--
Stichting z25.org
Concordiastraat 67A
3551 EM Utrecht
The Netherlands
+31-(0)6-41861063
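As an added illustration (not part of Arnaud's or James's messages, and not FreeRADIUS's shipped configuration), the post-auth idea above extended to several AD groups with an explicit fallback. It assumes an ldap module instance named "ldap" (the default name, so the comparison attribute is Ldap-Group), a placeholder directory suffix dc=example,dc=com, and VLAN IDs 10, 20 and 999 chosen only for the example; the group DNs and VLAN numbers must be replaced with the real ones. The block goes in the post-auth section of the virtual server (for example raddb/sites-enabled/default).

```unlang
post-auth {
        # Added example, not from the original post. Each Ldap-Group
        # comparison queries the directory through the "ldap" module
        # instance at the moment it is evaluated, so the module must be
        # configured (bind DN, base DN, group membership settings) even
        # though it is not called by name here.

        # Staff: full access VLAN (VLAN ID 10 is a placeholder).
        if (Ldap-Group == "cn=staff,ou=groups,dc=example,dc=com") {
                update reply {
                        Tunnel-Type := VLAN
                        Tunnel-Medium-Type := IEEE-802
                        Tunnel-Private-Group-Id := "10"
                }
        }
        # Guests: restricted VLAN (VLAN ID 20 is a placeholder).
        elsif (Ldap-Group == "cn=guests,ou=groups,dc=example,dc=com") {
                update reply {
                        Tunnel-Type := VLAN
                        Tunnel-Medium-Type := IEEE-802
                        Tunnel-Private-Group-Id := "20"
                }
        }
        # Authenticated but in no mapped group: put the port in a
        # quarantine VLAN (999 is a placeholder) instead of leaving the
        # VLAN choice to the switch's own default.
        else {
                update reply {
                        Tunnel-Type := VLAN
                        Tunnel-Medium-Type := IEEE-802
                        Tunnel-Private-Group-Id := "999"
                }
        }
}
```

The `:=` operator overwrites any Tunnel-* attributes that an earlier section (for example a users file entry) may already have added, so the group decision here is the one the switch sees; Arnaud's `=` form only sets the attributes when none are present yet. The order of the `if`/`elsif` branches decides the result for a user who is in more than one group, so list the most restrictive group first if that is the policy wanted. When authenticating against AD, the ldap module's group lookup is commonly pointed at the user's memberOf attribute; check the groupmembership settings in the module configuration of the FreeRADIUS version in use, and confirm the mapping with a test request against each group before enabling it on the production switches.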