Dynamic VLAN attribute in LDAP or AD?

Jason Alderfer jha2 at emu.edu
Tue Aug 18 21:42:54 CEST 2009


> Where could I put this code? Authorize, authenticate, post-auth, ldap module?

Authorize



>>> So, I'm trying to use 802.1x dynamic VLAN assignment.  I have this
>>> working when I conf the "users" file.  However, I don't want to
>>> create/maintain the users file for 2,000 users!
>>>
>>> Is there an attribute in AD / LDAP I can use for the dynamic VLAN?
>>> Ideally I could do this at the "Group" level, such that when a user
>>> moves from one group to another they're automagically assigned to the
>>> correct VLAN.
>>
>> If you're using version 2.0.5 or higher you can do this with unlang as
>> follows.  This example sets the vlan based on the user's DN, but you
>> should be able to modify it to look at your group membership attribute.
>> Repeat for all relevant ldap groups.
>>
>> if (control:Ldap-UserDn =~ /ou=div,o=org/i) {
>>        update reply {
>>             Tunnel-Type := "VLAN"
>>             Tunnel-Medium-Type := "IEEE-802"
>>             Tunnel-Private-Group-Id := 9
>>        }
>> }
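
The group-based variant the reply alludes to, as an added example that is not part of the original thread: it goes in the authorize section after the ldap module and falls back to a restricted VLAN when no group matches. The group names, the VLAN IDs and the fallback policy are assumptions, and the ldap module's group membership settings must already be configured for Ldap-Group comparisons to work.

```unlang
# Added example, not from the original post.
# Group names ("staff", "students") and VLAN IDs (9, 20, 999) are
# placeholders; substitute the values used at your site.
authorize {
        # ... other modules (preprocess, eap, etc.) ...

        # Look up the user first so the group checks below can resolve.
        ldap

        # Ldap-Group is the comparison attribute provided by rlm_ldap.
        # The first matching branch wins, so order the groups from most
        # to least privileged if a user can belong to more than one.
        if (Ldap-Group == "staff") {
                update reply {
                        Tunnel-Type := "VLAN"
                        Tunnel-Medium-Type := "IEEE-802"
                        Tunnel-Private-Group-Id := "9"
                }
        }
        elsif (Ldap-Group == "students") {
                update reply {
                        Tunnel-Type := "VLAN"
                        Tunnel-Medium-Type := "IEEE-802"
                        Tunnel-Private-Group-Id := "20"
                }
        }
        else {
                # Assumed policy: authenticated users who match no group
                # land in a restricted VLAN rather than whatever VLAN the
                # switch port defaults to.
                update reply {
                        Tunnel-Type := "VLAN"
                        Tunnel-Medium-Type := "IEEE-802"
                        Tunnel-Private-Group-Id := "999"
                }
        }
}
```

Without the final else branch, a user who is in none of the listed groups gets no VLAN attributes in the reply, and the switch's own port configuration decides where that user ends up.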





