set 'Tunnel Private Group ID' based on OU in certificate?

Carl Wahlin cwahlin at
Thu Feb 23 19:51:33 CET 2006

> What I'm doing to set these is via the rlm_sql module.
> The tables are pretty straightforward, and could be manipulated
> programmatically. The SQL tables are set up just like the users file,
> and have group support and all.
> Maybe when you issue the cert, you could do some inserts into the DB?
> -Bob

Sounds like something I should take a look at. I don't think I would need
a separate entry for each cert. I would need one for each group of users
belonging to i.e. an OU. Not sure if I would be able to do this with the
rlm_sql module, but I'll take a look.


> Carl Wahlin wrote:
>> Hello,
>> Quite new to RADIUS, so this might be a stupid question. Although I have
>> been searching Google for the last 2 hours trying to find the answer
>> without any luck...
>> So, we are testing Cisco's new Airespace WLAN controller and would like to
>> map users based on "OrganizationalUnit" (or something else) in the
>> certificate to a specific VLAN. Cisco calls this feature of changing
>> default values with RADIUS "AAA override". There are a few more things you
>> can change (QoS profile etc.), but we are only interested in the VLAN for
>> now. I have managed to get it working for all EAP authentications, but that
>> does not at all serve my needs more than that I see that my WLAN
>> controller interprets the RADIUS message correctly.
>> DEFAULT Auth-Type := EAP
>>         Tunnel-Type = 13,
>>         Tunnel-Medium-Type = 6,
>>         Tunnel-Private-Group-Id = 2
>> So how can I get selective and change the Group-Id based on stuff in the
>> certificate?
>> /Carl W.
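The per-OU mapping discussed in this thread, as an added example that is not part of the original posts and is not FreeRADIUS code: it parses a certificate subject DN, reads the OU, and returns the three tunnel reply attributes from the users-file entry above. It assumes the subject is available as a comma-separated `type=value` string with single-character backslash escapes; the function names, the OU names and every VLAN ID other than 2 are constructed for illustration.

```python
# Added example: choose VLAN reply attributes from the OU of a subject DN.
# OU names and VLAN IDs are constructed; only VLAN 2 appears in the thread.
OU_TO_VLAN = {"staff": 2, "students": 20, "guests": 30}


def split_unescaped(text, sep):
    """Split on sep, treating backslash + char as a literal char."""
    parts, cur, i = [], [], 0
    while i < len(text):
        ch = text[i]
        if ch == "\\" and i + 1 < len(text):
            cur.append(text[i + 1])  # keep the escaped character as data
            i += 2
            continue
        if ch == sep:
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    parts.append("".join(cur))
    return parts


def parse_dn(dn):
    """Return (type, value) pairs; only the first '=' separates type from value."""
    pairs = []
    for rdn in split_unescaped(dn, ","):
        attr_type, eq, value = rdn.partition("=")
        if eq:
            pairs.append((attr_type.strip().upper(), value.strip()))
    return pairs


def vlan_reply_for(dn):
    """Reply attributes for the DN, or {} so the controller keeps its default VLAN."""
    ous = [value.lower() for attr_type, value in parse_dn(dn) if attr_type == "OU"]
    vlans = {OU_TO_VLAN[ou] for ou in ous if ou in OU_TO_VLAN}
    if len(vlans) != 1:  # unknown OU, or OUs that point at different VLANs
        return {}
    return {
        "Tunnel-Type": 13,         # VLAN
        "Tunnel-Medium-Type": 6,   # IEEE-802
        "Tunnel-Private-Group-Id": str(vlans.pop()),
    }
```

Parsing the DN into attribute pairs, rather than searching the subject string for `OU=...`, keeps text inside another field such as the CN from selecting a VLAN.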

More information about the Freeradius-Users mailing list