assigning vlan based on LDAP attribute
Thibault Le Meur
Thibault.LeMeur at supelec.fr
Wed Sep 27 18:35:31 CEST 2006
> I'm a bit confused on this one.
>
> I want my users vlan'd based on their affiliation (ie, staff,
> student) In my radiusd.conf file, under ldap, I've put:
>
> groupmembership_attribute = eduPersonPrimaryAffiliation
That's a good start, but sending the whole ldap configuration section would
help.
> Do I need to do more in my radiusd.conf file than that?
I think you should check that you do not have groupname_attribute and
groupmembership_filter set.
> I assume this means assign them to a group based on the value
> stored in the LDAP field eduPersonPrimaryAffiliation
>
> I then added to my users file:
> DEFAULT Huntgroup-Name == myAP, Ldap-Group == staff
>         User-Name=`%{User-Name}`,
>         Tunnel-Medium-Type=IEEE-802,
>         Tunnel-Private-Group-Id=2,
>         Tunnel-Type=VLAN,
>         Fall-Through = no
There are several things to check here:
* is the NAS-IP-ADDRESS of the AccessPoint defined in the huntgroup "myAP"
in your huntgroups file ?
* is your AP accepting Tunnel-Private-Group-Id=2 (I've got APs which use
another format).
The best way to check this is to stop your radius server and run it manually
with "radiusd -X".
Then send the debug log to the list (take care, passwords are written in
cleartext).
> But this doesn't seem to work. My staff users do not get
> assigned to vlan 2. Do I need to make a huntgroup for myAP?
Of course... Unless you remove the "Huntgroup-Name == myAP," check item.
HTH,
Thibault
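As an added illustration of the setup discussed in this thread (not taken from the original post or from the FreeRADIUS distribution), here are the three pieces that have to agree with each other for the VLAN assignment to work: the ldap module section with only groupmembership_attribute set, the huntgroups entry that gives the AP's NAS-IP-Address a name, and the users entry that matches on that huntgroup plus the Ldap-Group check. The server name, base DN, NAS address and file paths are assumptions chosen for the example; replace them with your own.

```text
# radiusd.conf -- ldap module (assumed server/basedn values)
ldap {
        server = "ldap.example.edu"
        basedn = "ou=people,dc=example,dc=edu"
        filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"

        # Ldap-Group == <value> is satisfied when the user's own entry
        # carries <value> in this attribute.
        groupmembership_attribute = "eduPersonPrimaryAffiliation"

        # Leave the group-search variant unset so the two mechanisms
        # do not compete:
        # groupname_attribute = "cn"
        # groupmembership_filter = "(...)"
}

# radiusd.conf -- the module must actually run in authorize
authorize {
        preprocess      # reads huntgroups and sets Huntgroup-Name
        ldap
        files
}

# huntgroups -- name the access point by its NAS-IP-Address (assumed)
myAP    NAS-IP-Address == 192.0.2.10

# users -- staff on this AP get VLAN 2; reply items are indented
# continuation lines, and Fall-Through = No stops further DEFAULT matches
DEFAULT Huntgroup-Name == "myAP", Ldap-Group == "staff"
        Tunnel-Type = VLAN,
        Tunnel-Medium-Type = IEEE-802,
        Tunnel-Private-Group-Id = 2,
        Fall-Through = No
```

Check each piece in the "radiusd -X" output: the Access-Request must arrive from the NAS-IP-Address listed in huntgroups (otherwise Huntgroup-Name is never set and the users entry cannot match), the ldap module must report the group check as a match, and the Access-Accept must carry the three Tunnel-* attributes. If the AP still ignores them, that is the point at which to try the other Tunnel-Private-Group-Id format (the VLAN name rather than its number), since that is AP-specific rather than a server problem.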