Here is one policy that I wish to make work.
1- a client connects to a 802.1x protected VLAN ID 10 ( per port basis configuration on the switch) --> this client has some of the following LDAP attributes: uid = bobalice radiusTunnelPrivateGroupID = 20 radiusTunnelType = VLAN radiusMediumType = IEEE-802 radiusCallingStationId = 00-21-42-42-87-b1 radiusUserCategory = ADMIN 2- Fisrt I want to checkthe following attributes, and if not correct, reject the user: radiusTunnelType = VLAN radiusMediumType = IEEE-802
Are those two attributes in the access request? If they are, map them as check items in ldap.attrmap.
radiusCallingStationId = 00-21-42-42-87-b1
This is already in ldap.attrmap.
radiusUserCategory = ADMIN
Where is that suposed to come from?
3- Then I want to authenticate and authorise the user if login/password are correct
Fine. Nothing to do.
4 - Then Move him into the appropriate VLAN ID 20 instead of ID10 based on this attribute: radiusTunnelPrivateGroupID = 20
Map that as reply item in ldap.attrmap. You will need tunnel and medium type in the reply as well. So add them too. Ivan Kalik Kalik Informatika ISP