Setting vlan tag based on authentication/authorization source

Alan DeKok aland at nitros9.org
Thu Jun 29 22:18:09 CEST 2006


"Tom Whitehouse" <tomw at cs.york.ac.uk> wrote:
> This all works, and I now need to check multiple Samba password 
> files and depending on which one contains the user's credentials 
> return a VLAN tag to the switch.
...
> and tried using realms and Autz-Type in the authorize section and 
> changing User-Name to Stripped-User-Name, but this doesn't work with 
> EAP.

  There should really be a page in the docs somewhere saying realms
are mainly for proxying...

  In your case, my suggestion is the following:

 - add 2 new "string" attributes to the dictionary, Something-Group &&
   Something-User
 - use regular expressions in the "hints" file to match the incoming
   User-Name, and create Something-Group and Something-User.  e.g.

DEFAULT User-Name =~ "(.*)x(.*)"
	Something-Group = `%{1}`,
	Something-User = `%{2}`

  Keep the rlm_passwd config, but change the key from User-Name to
Something-User.  Oh, and delete the "authtype = MS-CHAP" config.  It
probably should be removed from the server entirely.

  - in the "users" file, key off of Something-Group...

  This all presumes that the users log in with realms, so *they* tell
the server which group they belong in.

  Alan DeKok.
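
The flow suggested above, modelled in Python as an added example (not part of the original message, and not FreeRADIUS code or configuration). It uses an anchored split instead of a bare (.*)x(.*), and assigns a VLAN only when the claimed group's own password file holds the account. Assumptions: the "/" separator, the group names, the placeholder hashes, the VLAN IDs and the Tunnel-* reply attributes.

```python
import re

# Assumption: users log in as "<group>/<user>"; the "/" separator stands in
# for the "x" placeholder in the hints regex above.
SPLIT = re.compile(r"([^/]+)/([^/]+)")

# Constructed stand-ins for the per-group Samba password files
# (user -> NT hash placeholder) and the per-group VLAN tags.
PASSWD_FILES = {
    "staff": {"alice": "<nt-hash-alice>"},
    "student": {"bob": "<nt-hash-bob>"},
}
VLAN_BY_GROUP = {"staff": "10", "student": "20"}


def split_user_name(user_name):
    """Model of the hints step: derive Something-Group and Something-User."""
    m = SPLIT.fullmatch(user_name)  # anchored: exactly one separator allowed
    if m is None:
        return None
    return {"Something-Group": m.group(1), "Something-User": m.group(2)}


def authorize(user_name):
    """Return (nt_hash, reply_attributes), or None when no VLAN may be assigned."""
    attrs = split_user_name(user_name)
    if attrs is None:
        return None
    group, user = attrs["Something-Group"], attrs["Something-User"]
    # Password-file step, keyed on Something-User, searching only the file
    # that belongs to the group the user claimed.
    nt_hash = PASSWD_FILES.get(group, {}).get(user)
    if nt_hash is None:
        return None  # the claimed group does not hold this account
    # "users" file step, keyed on Something-Group.
    reply = {
        "Tunnel-Type": "VLAN",
        "Tunnel-Medium-Type": "IEEE-802",
        "Tunnel-Private-Group-Id": VLAN_BY_GROUP[group],
    }
    return nt_hash, reply


if __name__ == "__main__":
    for name in ("staff/alice", "staff/bob", "student/bob", "alice", "staff/al/ice"):
        print(name, "->", authorize(name))
```

The returned hash stands for what the later MS-CHAP check would verify against; the model itself does not authenticate anyone.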


