ldap filter depending on NAS

tnt at kalik.net tnt at kalik.net
Thu Apr 23 12:03:00 CEST 2009


> I try to ask my questions more precisely:
>  * what are the radius ldap attributes meant for? Is it only for accounting
> or can we use them for something else?

They can be used for authorization as well. You put them in your
Access-Accept packet (reply) and if your switch supports those attributes
it does certain things (assigns VLANs, sets various timeouts, restricts
bandwidth etc.).

>  *  I have understood that it is better to put the user directly in the
> correct VLAN rather than checking his request and deny him: do I have to
> do something special in Radius to forward LDAP attributes info to the
> switch?
> (I am reading again the switch's documentation to figure out how to parse
> the attributes instead of using static vlans)
>

Ah, you should have done that first. Many vendors advertise "dynamic VLAN
assignment" but when you read through the documentation it turns out that
the assignment is static and that the only thing "dynamic" about them is that
you can change them via a console. Make sure first that your switch
supports dynamic VLAN assignment via radius.

Ivan Kalik
Kalik Informatika ISP




More information about the Freeradius-Users mailing list