Re-write Attributes based upon NAS-Port-Type and LDAP authorization response
Alan DeKok
aland at nitros9.org
Mon Jun 26 20:51:00 CEST 2006
"Bill Carr" <bcarr at commsolutions.com> wrote:
> My pseudo-code thought process is outlined below (I'm not a coder, would
> never profess to be; thus my post!):
>
> if NAS-Port-Type == "Wireless - IEEE 802.11"
>
> then
>
> Tunnel-Medium-Type == IEEE-802
> Tunnel-Type == VLAN
>
> if Filter-ID =~ "Internet-Restricted"

That won't work.  The NAS doesn't send Filter-Id.  You've got to
configure the server to send the correct response back.

> My reading thus far has led me to test my reply attribute requirements
> from the "users" file and that works perfectly. If someone could point
> me in a simple direction on how to strip/rewrite the attributes based on
> the 'authorization' reply from LDAP, I'd be indebted.

I don't see why that's necessary.  Configuring the server to do
something, then re-do what it already did as something else, is a bad
idea.  It's hard to configure, and prone to problems.

Instead, configure the server to match on something, and send a
reply.  It's a lot easier.

> I've seen examples of profiles stored on LDAP, but I'm curious how
> I could choose a different profile based upon the "NAS-Port-Type"
> received in the Access-Request

You put the NAS-Port-Type into the LDAP query.  That's why the
queries are configurable.

Alan DeKok.
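
The approach described in the reply above, modelled as an added Python sketch (not part of the original message and not FreeRADIUS code): the NAS-Port-Type from the Access-Request goes into the LDAP filter, so one lookup picks the profile and its reply attributes. The filter template, the `radiusNASPortType` attribute, the user name and the directory entries are constructed assumptions; request values are escaped per RFC 4515 before they are placed in the filter.

```python
import re

# Constructed filter template; "radiusNASPortType" is a hypothetical LDAP
# attribute naming the port type a profile entry applies to.
FILTER_TEMPLATE = "(&(uid={user})(radiusNASPortType={port}))"

# Constructed directory: one entry per (user, port type), carrying the reply.
DIRECTORY = [
    {"uid": "bcarr", "radiusNASPortType": "Wireless - IEEE 802.11",
     "reply": {"Tunnel-Type": "VLAN", "Tunnel-Medium-Type": "IEEE-802",
               "Filter-Id": "Internet-Restricted"}},
    {"uid": "bcarr", "radiusNASPortType": "Ethernet",
     "reply": {"Filter-Id": "Internal"}},
]

def escape_filter_value(value):
    """RFC 4515: escape backslash, *, (, ) and NUL as backslash + two hex digits."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def build_filter(request):
    """Expand the template with values taken from the Access-Request."""
    return FILTER_TEMPLATE.format(
        user=escape_filter_value(request["User-Name"]),
        port=escape_filter_value(request["NAS-Port-Type"]))

def _unescape(value):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)

def search(ldap_filter):
    """Tiny evaluator for an AND of equality terms, enough for this template."""
    terms = [(attr, _unescape(val))
             for attr, val in re.findall(r"\(([^=()&]+)=([^()]*)\)", ldap_filter)]
    return [e for e in DIRECTORY if all(e.get(a) == v for a, v in terms)]

def authorize(request):
    """Return reply attributes, or None when no entry or several entries match."""
    hits = search(build_filter(request))
    return hits[0]["reply"] if len(hits) == 1 else None
```
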