assigning vlan based on LDAP attribute

Thibault Le Meur Thibault.LeMeur at supelec.fr
Wed Sep 27 18:35:31 CEST 2006
> I'm a bit confused on this one.
> 
> I want my users vlan'd based on their affiliation (ie, staff, 
> student) In my radiusd.conf file, under ldap, I've put:
> 
> groupmembership_attribute = eduPersonPrimaryAffiliation

That's a good start, but sending the whole ldap configuration section would
help.

> Do I need to do more in my radiusd.conf file than that?

I think you should check that you do not have groupname_attribute and
groupmembership_filter set.

> I assume this means assign them to a group based on the value 
> stored in the LDAP field eduPersonPrimaryAffiliation
> 
> I then added to my users file:
> DEFAULT Huntgroup-Name == myAP, Ldap-Group == staff
>        User-Name=`%{User-Name}`,
>        Tunnel-Medium-Type=IEEE-802,
>        Tunnel-Private-Group-Id=2,
>        Tunnel-Type=VLAN,
>        Fall-Through = no

There are several things to check here:
* is the NAS-IP-Address of the AccessPoint defined in the huntgroup "myAP"
in your huntgroups file?
* is your AP accepting Tunnel-Private-Group-Id=2 (I've got APs which use
another format)?

The best way to check this is to stop your radius server and run it manually
with "radiusd -X".

Then send the debug log to the list (take care: passwords are written in
cleartext).

> But this doesn't seem to work. My staff users do not get 
> assigned to vlan 2. Do I need to make a huntgroup for myAP? 

Of course... unless you remove the "Huntgroup-Name == myAP" check item.

HTH,
Thibault
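
Two of the checks in the reply above can be scripted rather than eyeballed: whether the AP's NAS-IP-Address actually falls inside the "myAP" huntgroup, and whether the "radiusd -X" output has been scrubbed of passwords before it goes to a public list. The following is an added example in Python, not code from the thread or from the FreeRADIUS project. It models the rlm_files huntgroup rule (an entry matches when all of its comma-separated conditions hold; any entry carrying the huntgroup's name is enough), and it reads the attribute dump printed under a "rad_recv:" line in debug output. The huntgroups file, the debug log, the IP addresses and the user name are constructed samples; the redaction only rewrites attribute lines of the form `Something-Password = "..."`, so anything else sensitive in the log still has to be checked by hand.

```python
"""Added example: sanity-check a huntgroups entry against a radiusd -X dump,
and scrub password attributes from that dump before sharing it."""
import re

# Constructed huntgroups file (not the poster's real one).  Lines sharing a
# name are alternatives; conditions on one line must all match.
HUNTGROUPS = """\
# huntgroups -- constructed sample
myAP    NAS-IP-Address == 192.168.1.10
myAP    NAS-IP-Address == 192.168.1.11, NAS-Port-Type == Wireless-802.11
lobby   NAS-IP-Address == 192.168.1.20
"""

# Constructed excerpt modelled on the "rad_recv:" attribute dump of radiusd -X.
DEBUG_LOG = """\
rad_recv: Access-Request packet from host 192.168.1.10:1645, id=42, length=93
        User-Name = "jdoe"
        User-Password = "Sup3rSecret!"
        NAS-IP-Address = 192.168.1.10
        NAS-Port-Type = Wireless-802.11
  modcall[authorize]: module "ldap" returns ok
        Cleartext-Password := "Sup3rSecret!"
"""

COND = re.compile(r'^\s*([\w-]+)\s*==\s*(.+?)\s*$')          # Attr == value
ATTR_LINE = re.compile(r'^\s+([\w-]+)\s*:?=\s*(.+?)\s*$')    # indented dump line
PASSWORD_ATTR = re.compile(r'^(\s*[\w-]*Password\s*:?=\s*)"[^"]*"', re.M | re.I)


def parse_huntgroups(text):
    """Return {huntgroup: [ {attr: value, ...}, ... ]} from huntgroups syntax.
    Only the '==' operator is handled; anything else raises so it is not
    silently ignored."""
    groups = {}
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError(f"huntgroups line without conditions: {raw!r}")
        name, conds = parts
        entry = {}
        for cond in conds.split(','):
            m = COND.match(cond)
            if not m:
                raise ValueError(f"unsupported condition {cond!r}")
            entry[m.group(1)] = m.group(2).strip('"')
        groups.setdefault(name, []).append(entry)
    return groups


def huntgroup_matches(groups, name, request):
    """True if the request attributes satisfy any entry of huntgroup `name`."""
    return any(all(request.get(a) == v for a, v in entry.items())
               for entry in groups.get(name, []))


def request_attrs(log):
    """Collect the attribute/value pairs dumped under the first rad_recv: line."""
    attrs, in_packet = {}, False
    for line in log.splitlines():
        if line.startswith('rad_recv:'):
            in_packet = True
            continue
        if not in_packet:
            continue
        m = ATTR_LINE.match(line)
        if not m:
            break                      # indented dump ended
        attrs[m.group(1)] = m.group(2).strip('"')
    return attrs


def redact_debug_log(log):
    """Replace the value of every *-Password attribute line with a placeholder."""
    return PASSWORD_ATTR.sub(r'\1"<redacted>"', log)


if __name__ == "__main__":
    groups = parse_huntgroups(HUNTGROUPS)
    req = request_attrs(DEBUG_LOG)
    print("NAS", req.get("NAS-IP-Address"), "in huntgroup myAP:",
          huntgroup_matches(groups, "myAP", req))
    print(redact_debug_log(DEBUG_LOG))
```

Run it against the real huntgroups file and the saved "radiusd -X" output; a False from huntgroup_matches means the users-file entry can never fire because its Huntgroup-Name check item fails before Ldap-Group is ever consulted.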

More information about the Freeradius-Users mailing list