fr group howto

Hegedus Gabor hegedus.gabor at euroway.hu
Tue Dec 9 14:36:26 CET 2008


Hi all!

I have 802.1x authentication, which works.
I want to use dynamic VLAN assignment:
The RADIUS server authenticates the user (using ntlm_auth)
and after this, it uses LDAP to get the user information from the database 
(username=samaccountname).
ldap.attrmap changes the attributes and sends them to the switch, it is okay.

It is not so comfortable, I want to try something else:

1. I create groups: vlan21, vlan333, and so on, and expand the vlan schema 
with 3 attribs (you know: VLAN, IEEE-802, and VLANID). I put users and 
computers into the groups.
How can I get a user's vlan info? I can't create an ldap query, because:
- I have the samaccountname, which is not the cn, and the "member", "member 
of" attribs contain the cn.
I don't know how I can do a good query; the good attrib is in the vlanXY group.
- get vlan? ok, but I have just the samaccountname, no cn
- get user? ok, but the good attribs are in the vlan group

how?

2. I don't expand the vlanXY schema; I get the user info (by samaccname), 
which contains the "member of" attr, and in the freeradius users file I create 
a group. If the group in the users file equals the "member of" attrib, send back 
the vlan info to the switch:
(I know it is not good yet)
DEFAULT Ldap-Group == "cn=vlan10,ou=vlans,dc=test,dc=hu"
                Tunnel-Type = VLAN,
                Tunnel-Medium-Type = IEEE-802,
                Tunnel-Private-Group-Id = 10,
                Reply-Message = "You are in vlan 10"

ldap module:
 groupname_attribute = cn
 groupmembership_filter = 
"(&(memberof=cn=vlan10,ou=vlans,dc=test,dc=hu)(samaccountname=%{mschap:user-name}))"
## I know it is bad, but what is the good one?

Do you understand what I want?

I test both prospects, please help.

Thx Gabor
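Approach 2 from the post above, as an added example that is not part of the original message: Python that takes a user's memberOf values as AD returns them (constructed sample below), keeps only groups named vlanNN under the assumed ou=vlans,dc=test,dc=hu container, and builds the Tunnel-* reply items. It refuses to pick a VLAN when the user is in no such group or in more than one, so a stray group membership cannot silently land a client on an unintended VLAN.

```python
import re

# Constructed sample: the memberOf values AD returns for one user.
# Only the vlanNN groups under the vlans OU are relevant here.
SAMPLE_MEMBER_OF = [
    "CN=Domain Users,CN=Users,DC=test,DC=hu",
    "CN=vlan10,OU=vlans,DC=test,DC=hu",
    "CN=printers,OU=groups,DC=test,DC=hu",
]

VLANS_OU = "ou=vlans,dc=test,dc=hu"          # assumed container of the vlanNN groups
VLAN_CN = re.compile(r"^vlan(\d{1,4})$", re.IGNORECASE)


def split_dn(dn):
    """Split a DN into (attr, value) pairs; backslash-escaped commas stay in the value."""
    pairs = []
    for part in re.split(r"(?<!\\),", dn):
        if "=" in part:
            attr, value = part.split("=", 1)
            pairs.append((attr.strip(), value.strip()))
    return pairs


def vlan_groups(member_of):
    """Return the sorted VLAN ids of the vlanNN groups the user belongs to."""
    ids = set()
    for dn in member_of:
        rdns = split_dn(dn)
        if not rdns or rdns[0][0].lower() != "cn":
            continue
        parent = ",".join(f"{a.lower()}={v.lower()}" for a, v in rdns[1:])
        if parent != VLANS_OU:
            continue                          # vlan-like names elsewhere do not count
        match = VLAN_CN.match(rdns[0][1])
        if match and 1 <= int(match.group(1)) <= 4094:   # valid 802.1Q id range
            ids.add(int(match.group(1)))
    return sorted(ids)


def vlan_reply(member_of):
    """Build the RADIUS reply items; None when no single VLAN can be assigned."""
    ids = vlan_groups(member_of)
    if len(ids) != 1:                         # no group, or conflicting groups
        return None
    vid = ids[0]
    return {
        "Tunnel-Type": "VLAN",
        "Tunnel-Medium-Type": "IEEE-802",
        "Tunnel-Private-Group-Id": str(vid),
        "Reply-Message": f"You are in vlan {vid}",
    }
```

In the FreeRADIUS 2.x ldap module the same comparison can be done without a hand-written filter by setting groupmembership_attribute = memberOf, after which an Ldap-Group == "cn=vlan10,ou=vlans,dc=test,dc=hu" check in the users file is matched against the DN values AD returns.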