seb2020 <girard.seb@gmail.com> wrote:
I will do what you say me ! I will make one SSID and check with the group my user with the OU of the user.
My user is by example : user.group.locality.tree
How I can retreive the numbers of letters in my loginname ? And this verification, I need to make in this file /site-avaible/inner-tunel ? with something like that ? But how i can retreive the length of the username with this code ? Use Regex ?
modules/ldap:
ldap { basedn = "ou=%{Tmp-String-0},o=XXX" ... }
sites-available/...
authorize { if (username have 3 letters) { update request { Tmp-String-0 = "ou=xx,ou=xx" } } elsif (username have 8 letters) { update request { Tmp-String-0 = "ou=xx,ou=xx" } } }
That's not going to work to great, it's also horrible :) If you do not have the option to use 'Ldap-Group' (you should be able to use LDAP groups, otherwise, why are you using LDAP?) to test group membership, then you will need to use something like what's below.
In finally, I want to put my students in the VLAN students, and the staff in the VLAN staff
The 'RFC' way to do it is add something like the following to your post-auth{} section ('authorize'/'authenticate' will Reject invalid users): ---- # defaults update reply { Tunnel-Type := VLAN Tunnel-Medium-Type := IEEE-802 Tunnel-Private-Group-Id := "unauthorised" Termination-Action := RADIUS-Request Session-Timeout := 300 Acct-Interim-Interval := 3600 } if (request:User-Name =~ /^.{3}$/) { update reply { Tunnel-Private-Group-Id := "staff" } } elsif (request:User-Name =~ /^.{8}$/) { update reply { Tunnel-Private-Group-Id := "student" } } if (reply:Tunnel-Private-Group-Id != "unauthorised") { update reply { # Cisco only support a max of 65535 Session-Timeout := 64800 } } ---- Aruba might expect something different, so you should check with *them* (remember, this is a FreeRADIUS support mailing list, *not* an Aruba one). Cheers -- Alexander Clouter .sigmonster says: A vivid and creative mind characterizes you.