ldap filter depending on NAS

tnt at kalik.net
Wed Apr 22 13:43:26 CEST 2009


> Here is one policy that I wish to make work.
>
> 1- a client connects to a 802.1x protected VLAN ID 10 ( per port basis
> configuration on the switch)
> --> this client has some of the following LDAP attributes:
>           uid = bobalice
>           radiusTunnelPrivateGroupID = 20
>           radiusTunnelType = VLAN
>           radiusMediumType = IEEE-802
>           radiusCallingStationId = 00-21-42-42-87-b1
>           radiusUserCategory = ADMIN
> 2- First I want to check the following attributes, and if not correct,
> reject the user:
>           radiusTunnelType = VLAN
>           radiusMediumType = IEEE-802

Are those two attributes in the access request? If they are, map them as
check items in ldap.attrmap.

>           radiusCallingStationId = 00-21-42-42-87-b1

This is already in ldap.attrmap.

>           radiusUserCategory = ADMIN

Where is that supposed to come from?

> 3- Then I want to authenticate and authorise the user if login/password
> are correct

Fine. Nothing to do.

> 4 - Then move him into the appropriate VLAN ID 20 instead of ID 10 based
> on this attribute:
>         radiusTunnelPrivateGroupID = 20

Map that as reply item in ldap.attrmap. You will need tunnel and medium
type in the reply as well. So add them too.

Ivan Kalik
Kalik Informatika ISP
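As an added illustration (not from the thread), these are the ldap.attrmap lines the reply describes, using the LDAP attribute names from the question; radiusUserCategory is left out because the thread does not identify any request attribute it could be checked against:

```text
# Format: <checkItem|replyItem>  <RADIUS attribute>  <LDAP attribute>
# Check items are compared against the incoming Access-Request and the user
# is rejected on mismatch, so they only work if the NAS sends the attribute.
checkItem   Tunnel-Type              radiusTunnelType
checkItem   Tunnel-Medium-Type       radiusMediumType
checkItem   Calling-Station-Id       radiusCallingStationId

# Reply items are copied into the Access-Accept. The switch needs all three
# to move the port to the VLAN stored in radiusTunnelPrivateGroupID (20).
replyItem   Tunnel-Type              radiusTunnelType
replyItem   Tunnel-Medium-Type       radiusMediumType
replyItem   Tunnel-Private-Group-Id  radiusTunnelPrivateGroupID
```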



