<div dir="ltr">I am running Freeradius 2.2.4 and am not quite sure where to go with this. I have read the documentation, but my need does not quite match.<div><br></div><div>We have the standard EAP-PEAP setup where users are authenticated against AD via ntlm-auth. What I need to do is add an authorization check to determine if a users should get a specific VLAN attribute sent back or be placed in a default VLAN (This is so we can only allow access to library resources to those that should be allowed).</div>
<div><br></div><div>Now, if I had a LDAP group that contained these I could use a simple group setup listed in the <a href="http://wiki.freeradius.org/modules/Rlm_ldap">http://wiki.freeradius.org/modules/Rlm_ldap</a> page. My problem is, the attribute that contains the data about the affiliation is a multi valued attribute</div>
<div><br></div><div><blockquote style="margin:0px 0px 0px 40px;border:none;padding:0px"><div>UMICHINSTROLES</div><div><div style="font-family:arial,sans-serif;font-size:13px"><li style="margin-left:15px">StudentAA, StudentDBRN, and StudentFLNT (continuing and incoming students regardless of enrollment; includes detached study);</li>
<li style="margin-left:15px">EnrolledStudentAA, EnrolledStudentDBRN, EnrolledStudentFLNT (enrolled in at least one credit hour for ""current"" term; next term information is used during gap between terms)</li>
<li style="margin-left:15px">AlumniAA, AlumniDBRN, AlumniFLNT (any person who has completed at least one semester in a degree-granting program)</li><li style="margin-left:15px">FacultyAA, FacultyDBRN, FacultyFLNT (defined as academic, instructional, and research appointments; includes emeritus faculty)</li>
<li style="margin-left:15px">RegularStaffAA, RegularStaffDBRN, RegularStaffFLNT (current appointment with a status of active, suspended, short-work break, leave, or paid leave);</li><li style="margin-left:15px">TemporaryStaffAA, TemporaryStaffDBRN, TemporaryStaffFLNT (current appointment with a status of active, suspended, short-work break, leave, or paid leave)</li>
<li style="margin-left:15px">Retiree (retired from any U-Mcampus, regardless of other appoints that may still be active)</li><li style="margin-left:15px">SponsoredAffiliateAA, SponsoredAffiliateDBRN, SponsoredAffiliateFLNT (has at least one departmental sponsorship). </li>
</div><div style="font-family:arial,sans-serif;font-size:13px"><div dir="ltr"></div></div></div></blockquote><div><div dir="ltr"><div><br></div><div>Is there a way to make the group match a specific set of these values? (I can do that with the Cisco VPN DAP policies) Something along these lines (again based on group section from wiki)l</div>
<div><br></div></div></div></div><blockquote style="margin:0px 0px 0px 40px;border:none;padding:0px"><div><div><div dir="ltr"><div><pre>post-auth {
if (LDAP-Group == "umichinstroles=*FacultyAA") {
Assign VLAN Special
}
elsif (LDAP-Group == "umichinstroles=*StudentAA") {
<span style="font-family:arial">Assign VLAN Special</span><br>
}
else {
<span style="font-family:arial">Assign VLAN Default</span><br>
}
}</pre><pre><br></pre></div></div></div></div></blockquote><span style="white-space:pre"><font face="arial, helvetica, sans-serif">Another path of thought was to specify a filter in the LDAP module config to something like this.</font></span><div>
<font face="monospace"><span style="white-space:pre"><br></span></font><blockquote style="margin:0px 0px 0px 40px;border:none;padding:0px"><div><font face="monospace"><span style="white-space:pre"><div> filter = "(&(uid=%{Stripped-User-Name:-%{User-Name}})(|(umichinstroles=*AffiliateAA)(umichinstroles=*FacultyAA)(umichinstroles=*StudentAA)(umichinstroles=*StaffAA)))"</div>
<div><br></div></span></font></div></blockquote><span style="white-space:pre"><font face="arial, helvetica, sans-serif">So that works as far as only responding if a user matches one of those, but then how would I apply a VLAN for them and leave everyone else in a default VLAN?</font></span></div>
<div><span style="white-space:pre"><font face="arial, helvetica, sans-serif"><br></font></span></div><div><span style="white-space:pre"><font face="arial, helvetica, sans-serif">There must be a way to do this but my lack of LDAP knowledge is not helping me see how to do this and the guides I find do not seem help.</font></span></div>
<div><span style="white-space:pre"><font face="arial, helvetica, sans-serif"><br></font></span></div><div><span style="white-space:pre"><font face="arial, helvetica, sans-serif">Any help would be appreciated.<br></font></span><div>
<div><div><div dir="ltr"><div>------------------------</div><div>Walter Reynolds<br></div>Principal Systems Security Development Engineer<br>Information and Technology Services<br>University of Michigan<br>(734) 615-9438</div>
</div>
</div></div></div></div>