25 Nov
2011
25 Nov
'11
8:59 a.m.
Seems that I'm slowly getting it.
To authorize subscriber you should make a decision based on both subscriber profile and authentication result. This is what post-auth section does. Put your authorization policies in this section. So do I understand this correctly: if I, for example, want to put a client into a VLAN according to the EAP-TLS certificate issuer, the recommended way to to that is to use unlang to check %Client-Cert-Issuer in the post-auth section and use the "update reply" command to set the Tunnel-Private-Group-Id reply attribute?