On 01/19/2012 11:25 AM, James wrote:
Hi,
I've successfully set up a radius server to support 802.1x authentication using peap mschapv2 and samba to authenticate users against AD. To do this I followed configuration on the freeradius.org website and the AD integration howto on deployingradius.com, thank you very much for writing these!
I now need to assign the vlan due to membership of some group in AD and I understand that an ldap lookup is needed.
Where in the configuration do I check this group and map it to a vlan? Can I do it as a default entry in the users file or is it needed somewhere else?
Thank you very much,
James
Hi James, I don't know anything about AD and I presume you are using the latest FR. I'm currently testing an ldap-group check in authorize using unlang: This is part of a switch statement: case 'NAS-Prompt-User' { my-ldap #Check if user is member of a certain group if (Ldap-Group == "cn=mygroup,ou=groups,o=radius") { update reply { Service-Type := "Administrative-User" } } #else DENY else { update control { Auth-Type := reject } } } But I reckon you could also do something like that in post-auth section if (Ldap-Group == "cn=mygroup,ou=groups,o=radius") { update reply { Tunnel-type = VLAN Tunnel-medium-type = IEEE-802 Tunnel-Private-Group-Id = 1 } } This works for me :) it might as well for AD. Rg, Arnaud -- Stichting z25.org Concordiastraat 67A 3551 EM Utrecht The Netherlands +31-(0)6-41861063