assigning vlan based on LDAP attribute

Matt Ashfield mda at unb.ca
Wed Sep 27 19:25:13 CEST 2006


I think part of my problem is that I do not have the vlans defined in the
Access Point. I incorrectly assumed that the AP would receive the vlan info
from the Radius server, and tag all outgoing packets from the wireless
client with that tag. However, I'm starting to think that that is completely
incorrect?! I should probably be creating all the vlans within the AP right?
If that's the case, it looks like I need a separate SSID per Vlan (using
Avaya gear here). I really hope that is not the case.

Thanks

Matt
mda at unb.ca 


-----Original Message-----
From: Thibault Le Meur [mailto:Thibault.LeMeur at supelec.fr] 
Sent: September 27, 2006 2:03 PM
To: mda at unb.ca
Cc: 'FreeRadius users mailing list'
Subject: RE : RE : assigning vlan based on LDAP attribute

> 
> My ldap section from radiusd.conf looks like:
> ldap {
>                 server = "ldapserver.net.org"
>                 identity = "uid=name,dc=net,dc=org"
>                 password = password
>                 basedn = "ou=stuff,dc=net,dc=org"
>                 filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
>                 start_tls = no
>                 dictionary_mapping = ${raddbdir}/ldap.attrmap
>                 ldap_connections_number = 5
>                 password_attribute = userPassword
>                 groupmembership_attribute = eduPersonPrimaryAffiliation
>                 timeout = 4
>                 timelimit = 3
>                 net_timeout = 1
>         }
It seems ok to me...

> 
> My users file contains the following at the end:
> DEFAULT Huntgroup-Name == myAP, Ldap-Group == staff
>        User-Name=`%{User-Name}`,
>        Tunnel-Medium-Type=IEEE-802,
>        Tunnel-Private-Group-Id=2,
>        Tunnel-Type=VLAN,
>        Fall-Through = no
> 
> My huntgroups file has:
> myAP            NAS-IP-Address == x.x.x.141
> 
> In my Debug I noticed that although I have them commented out 
> of radiusd.conf, I still see:
> Debug:  ldap: groupname_attribute = "cn"
> Debug:  ldap: groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"


Strange...


> You asked:
> * is your AP accepting Tunnel-Private-Group-Id=2 (I've got AP 
> which uses other format). How do I check that?

Check in your AP documentation ?

But this format is the most commonly used, so I don't think this is the
issue.

Can you send a more complete debug.

Thibault
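The users entry quoted above sends three reply attributes (Tunnel-Type=VLAN, Tunnel-Medium-Type=IEEE-802, Tunnel-Private-Group-Id) and the AP is expected to act on them per RFC 3580. The following Python script is an added example, not code from the thread, FreeRADIUS or Avaya: it encodes those attributes the way RFC 2868 lays them out on the wire, decodes them back, and checks whether a reply carries the complete, consistently tagged triad an RFC 3580 AP needs. It assumes the AP follows RFC 3580 and accepts a numeric VLAN id as the group id; the attribute numbers and enum values are from RFC 2868 and RFC 3580, and the `tag` handling follows the RFC text rather than any particular server's encoder.

```python
"""Added example (not from the thread): build and check the RFC 2868
tunnel attributes a RADIUS Access-Accept uses for dynamic VLAN assignment.
Standard library only; constants are from RFC 2868 / RFC 3580."""
import struct

# Attribute types (RFC 2868) and the enum values the users file spells as
# Tunnel-Type=VLAN and Tunnel-Medium-Type=IEEE-802 (RFC 3580).
TUNNEL_TYPE = 64
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81
TUNNEL_TYPE_VLAN = 13
TUNNEL_MEDIUM_IEEE_802 = 6


def encode_tagged_int(attr, value, tag=0):
    """Type, Length=6, Tag, 3-byte big-endian value (RFC 2868 s3.1/3.2)."""
    return struct.pack("!BBB", attr, 6, tag) + value.to_bytes(3, "big")


def encode_tagged_string(attr, text, tag=0):
    """Type, Length, [Tag], String (RFC 2868 s3.6). A leading byte > 0x1F is
    read by the receiver as the first byte of the string, so an untagged
    (tag 0) printable group id can be sent with no tag byte; tagged ids
    carry an explicit tag byte in 0x01..0x1F."""
    body = text.encode("ascii")
    if tag:
        body = bytes([tag]) + body
    return struct.pack("!BB", attr, 2 + len(body)) + body


def build_vlan_reply(vlan_id, tag=0):
    """The three reply attributes the quoted users entry sends."""
    return (encode_tagged_int(TUNNEL_TYPE, TUNNEL_TYPE_VLAN, tag)
            + encode_tagged_int(TUNNEL_MEDIUM_TYPE, TUNNEL_MEDIUM_IEEE_802, tag)
            + encode_tagged_string(TUNNEL_PRIVATE_GROUP_ID, str(vlan_id), tag))


def decode_attrs(blob):
    """Walk the attribute TLVs and return a list of (type, tag, value)."""
    out = []
    i = 0
    while i < len(blob):
        if i + 2 > len(blob):
            raise ValueError("truncated attribute header at offset %d" % i)
        attr, length = blob[i], blob[i + 1]
        if length < 3 or i + length > len(blob):
            raise ValueError("malformed attribute at offset %d" % i)
        payload = blob[i + 2:i + length]
        if attr in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            if length != 6:
                raise ValueError("attribute %d must be 6 bytes long" % attr)
            out.append((attr, payload[0], int.from_bytes(payload[1:], "big")))
        elif attr == TUNNEL_PRIVATE_GROUP_ID:
            if payload[0] > 0x1F:          # no tag byte: whole payload is the id
                out.append((attr, 0, payload.decode("ascii")))
            else:                          # explicit tag byte, then the id
                out.append((attr, payload[0], payload[1:].decode("ascii")))
        else:
            out.append((attr, None, bytes(payload)))
        i += length
    return out


def vlan_assignment(attrs):
    """Return (vlan_id, None) when the reply carries a complete triad with one
    tag, else (None, reason). An RFC 3580 AP that does not see all three
    attributes assigns no VLAN, so the client silently lands in the SSID's
    default VLAN; that is the failure to look for in the server debug output."""
    by_tag = {}
    for attr, tag, value in attrs:
        if attr in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID):
            by_tag.setdefault(tag, {})[attr] = value
    for tag, group in sorted(by_tag.items()):
        if group.get(TUNNEL_TYPE) != TUNNEL_TYPE_VLAN:
            continue
        if group.get(TUNNEL_MEDIUM_TYPE) != TUNNEL_MEDIUM_IEEE_802:
            continue
        if TUNNEL_PRIVATE_GROUP_ID not in group:
            continue
        return group[TUNNEL_PRIVATE_GROUP_ID], None
    return None, "no complete Tunnel-Type=VLAN / IEEE-802 / Group-Id triad sharing a tag"


if __name__ == "__main__":
    reply = build_vlan_reply(2)            # what the quoted users entry yields
    print(reply.hex())
    print(vlan_assignment(decode_attrs(reply)))
```

Running the script prints the wire bytes for the quoted entry (VLAN 2) and confirms the triad is complete. Feeding it a reply with only Tunnel-Private-Group-Id, or with mismatched tags across the three attributes, returns no assignment, which is the case to rule out before suspecting the AP's VLAN configuration.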
More information about the Freeradius-Users mailing list