Owen DeLong wrote:
We have historically used the AuthorizedService attribute in LDAP to control the level of access available to the user. We would like to continue to do so. However, in order for that to work, I need to map AuthorizedService to different RADIUS attributes in the response depending on the authentication client.
Do it in two steps. Map the AuthorisedService LDAP attribute to a RADIUS attribute (invent a local one, see the dictionary docs), and then depending on the NAS, map that to another attribute. The reason for doing it this way is that the LDAP -> RADIUS attribute mapping is simple, and should be kept simple.
Ideally, I'd like to be able to map RADIUS clients into "groups" and have a mapping of AuthorizedService values for each group. The client groups would, ideally, be defined by matching the client IP address. An example of what I'd like that mapping to look like is below:
Use rlm_passwd to map clients to groups (see it's documentation), and then the "users" file to map AuthorizedService to another RADIUS attribute, as described above.
Alan, your flames and RTFM comments are welcome, but, please understand, I've done my best to RTFM before posting this.
As I tell my co-workers, "Remember, there are no stupid questions. There are only stupid people.". And they still speak to me after that. :) Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog