MAC auth with LDAP

Alan DeKok aland at
Fri Nov 16 23:58:39 CET 2018

On Nov 16, 2018, at 5:13 PM, Victor Cenac <victor at> wrote:
> I have a Juniper network where we assign devices to vlans based on their
> MAC. The MACS are stored in an LDAP with the MAC as username and password.
> The group membership is what distinguishes the vlan needed.

  That should be simple enough.

> I managed to configure the ldap and enable the ldap module. FreeRADIUS
> starts fine with it. I also added all the switches as clients.


> I need help figuring out:
> 1. Where do I tell FreeRADIUS to look for users in ldap (vs the users file)?


  Look for "ldap".  And, raddb/mods-available/ldap

  See also  Search for "ldap".  It has lots of documentation.

> 2. Where do I match the group in ldap with the vlan number that needs to be
> sent to the client (switch)? For example, for group Staff value is 10 (vlan
> 10).

  You don't map LDAP names directly to VLANs.  They might be "sales", and you can't use "sales" as a VLAN number.

  Instead, do this:

	# LDAP-Group is the group-membership check of the "ldap" module instance.
	if (LDAP-Group == "staff") {
		update reply {
			Tunnel-Type := VLAN
			Tunnel-Medium-Type := IEEE-802
			Tunnel-Private-Group-Id := 10
		}
	}

  Alan DeKok.
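As an added example, not Alan's snippet or the FreeRADIUS project's own configuration, here is a complete FreeRADIUS 3 unlang policy for raddb/sites-enabled/default that ties the pieces together: the LDAP lookup in authorize, a bind-based authentication, and the group-to-VLAN mapping in post-auth with an explicit reject when no known group matches. The group names "staff" and "guest" and VLAN 20 are assumptions; VLAN 10 for staff is from the thread.

```unlang
# Added example (not from the thread or the FreeRADIUS project).
# Assumes: the "ldap" module instance is configured so the MAC is the LDAP
# username (as in the question), and the switch sends the MAC in both
# User-Name and User-Password.

authorize {
	preprocess

	# Look the MAC up in LDAP. "notfound" means no such entry; fail closed.
	ldap
	if (notfound) {
		reject
	}

	# Authenticate by binding to LDAP as the user with the supplied
	# password (the MAC), so the directory does the credential check.
	if ((ok || updated) && User-Password) {
		update control {
			Auth-Type := LDAP
		}
	}
}

authenticate {
	Auth-Type LDAP {
		ldap
	}
}

post-auth {
	# Group checks run only after the bind succeeded.
	# Map LDAP group membership to a VLAN; the switch reads
	# Tunnel-Private-Group-Id as the VLAN number.
	if (LDAP-Group == "staff") {
		update reply {
			Tunnel-Type := VLAN
			Tunnel-Medium-Type := IEEE-802
			Tunnel-Private-Group-Id := 10
		}
	}
	elsif (LDAP-Group == "guest") {          # hypothetical group, VLAN 20 assumed
		update reply {
			Tunnel-Type := VLAN
			Tunnel-Medium-Type := IEEE-802
			Tunnel-Private-Group-Id := 20
		}
	}
	else {
		# Known MAC but no recognised group: refuse rather than let the
		# switch fall back to its default VLAN.
		reject
	}
}
```

Test it with `radiusd -X` and a single MAC before rolling it out to the switches, and remember that a MAC is not a secret, so the VLAN a device lands in is only as trustworthy as the group data in LDAP.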
