assigning vlan based on LDAP attribute
Thibault Le Meur
Thibault.LeMeur at supelec.fr
Fri Jul 28 22:19:58 CEST 2006
> I'm trying to add a user to a vlan based on an ldap attribute. I've checked
> out: http://vuksan.com/linux/dot1x/802-1x-LDAP.html and saw the following
> would have to be added to the user's ldap record:
> radiusTunnelMediumType: IEEE-802
> radiusTunnelType: VLAN
> radiusTunnelPrivateGroupId: 2
Yes, that's usually the syntax, but it might depend on your switch/AP, so
check the docs of your device.
> If I don't want to actually insert that into the LDAP database, is it
> possible for Radius to figure out which vlan to assign to based on some
> other already existing LDAP attribute?
One way to do that is to use LDAP groups. If your users are in
dedicated LDAP groups, then a rule like the following in your "users"
file will do the trick:
DEFAULT Huntgroup-Name == "myAP", Ldap-Group == "Engineering"
        Tunnel-Type = VLAN,
        Tunnel-Medium-Type = IEEE-802,
        Tunnel-Private-Group-Id = "2",
        Fall-Through = No
> For example, if I want to assign
> users whose userDepartment attribute equals ITS into vlan 3 and those who's
> userDepartment attribute equals HR into vlan 4? If so, could you give me a
> link to how to do that, or explain briefly?
Ldap-Groups can be "true ldap groups" such as groupOfNames entries.
However, you may also want to map LDAP-Groups to the value of an
attribute inside the user's entry.
See the groupmembership_attribute in the ldap configuration section
# groupmembership_attribute: The attribute in the user entry that states
# the group the user belongs to.
Refer to the docs/rlm_ldap for more information
HTH,
Thibault
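As an added illustration of the approach described above (not part of the original reply), here is what the two pieces could look like for the ITS/HR case from the question: the rlm_ldap section of radiusd.conf pointing groupmembership_attribute at userDepartment, and two "users" file entries keyed on Ldap-Group. The server name, base DN and VLAN tags are assumed values; the VLAN attribute syntax still depends on the switch/AP, as noted in the reply.

```conf
# radiusd.conf, modules section (FreeRADIUS 1.x style rlm_ldap options).
# Ldap-Group == "X" now also matches when the user's own entry contains
# userDepartment: X, in addition to any real group entries found by
# groupmembership_filter.
ldap {
        server = "ldap.example.com"          # assumed
        basedn = "ou=people,dc=example,dc=com" # assumed
        filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
        groupname_attribute = cn
        groupmembership_filter = "(&(objectClass=groupOfNames)(member=%{Ldap-UserDn}))"
        # Map the per-user attribute to Ldap-Group instead of adding
        # radiusTunnel* attributes to every user record.
        groupmembership_attribute = userDepartment
}

# The ldap module must run in the authorize section for Ldap-Group
# checks in the "users" file to be evaluated.
authorize {
        preprocess
        ldap
        files
}

# "users" file: userDepartment=ITS -> VLAN 3, userDepartment=HR -> VLAN 4.
# Fall-Through = No stops processing at the first matching department.
DEFAULT Ldap-Group == "ITS"
        Tunnel-Type = VLAN,
        Tunnel-Medium-Type = IEEE-802,
        Tunnel-Private-Group-Id = "3",
        Fall-Through = No

DEFAULT Ldap-Group == "HR"
        Tunnel-Type = VLAN,
        Tunnel-Medium-Type = IEEE-802,
        Tunnel-Private-Group-Id = "4",
        Fall-Through = No
```

Verify the mapping with `radiusd -X` and a test request: the debug output shows the Ldap-Group comparison and which Tunnel-* reply items are returned before relying on the switch to honour them.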