On 23/12/2016 13:18, Valentin Heidelberger wrote:
Now I am just wondering where exactly I would have to put that one config, which was suggested: In your authorize section. Cleanest approach would be to write a policy section in a file under policy.d, and then invoke that from within your authorize { ... } section in the main server.
(Aside: I've tried doing policy in the 'authenticate' or 'post-auth' section but I had some issue to do with the configurable failover behaviour. I'd have to dig out the details of exactly why it behaved strangely. But putting stuff in the 'authorize' section is straightforward).
Besides I am wondering, if someone has ever tried to do this via LDAP? Is Radius capable of using a LDAP attribute to match a VLAN to a user logging in.
Sure. The exact details will depend on your network setup. Here's a starting point: group_authorization { if (&Huntgroup-Name == "wifi") { if (&Called-Station-Id =~ /:SSID Student$/ && ( &LDAP-Group[*] == "cn=students,cn=groups,cn=accounts,dc=example,dc=com" || &LDAP-Group[*] == "cn=staff,cn=groups,cn=accounts,dc=example,dc=com")) { ok } elsif (&Called-Station-Id =~ /:SSID Staff$/ && &LDAP-Group[*] == "cn=staff,cn=groups,cn=accounts,dc=example,dc=com") { ok } else { update { &reply:Reply-Message := "Not authorized for wifi" } reject } } } Then in your main server something like: authorize { ... ldap group_authorization }