Dynamic Vlan Allocation based on LDAP Attribute Value

Paul Dealy pdealy at gmail.com
Fri Feb 13 11:54:29 CET 2009


On Fri, Feb 13, 2009 at 9:12 PM, Michael Schwartzkopff
<misch at multinet.de> wrote:
> On Friday, 13 February 2009 at 11:00:10, Paul Dealy wrote:
>> On Fri, Feb 13, 2009 at 6:37 PM, Michael Schwartzkopff
>>
>> <misch at multinet.de> wrote:
>> > On Friday, 13 February 2009 at 07:17:17, Paul Dealy wrote:
>> >> I have a working RADIUS server (ver 1.1.3), which I am using for
>> >> 802.1x authentication of wired switch ports.  I would like to
>> >> dynamically assign users VLANs.  I have Cisco gear and have achieved
>> >> basic VLAN allocation by configuring a DEFAULT entry in the users
>> >> file.  So the VLAN allocation part works ok.
>> >>
>> >> What I want to be able to do is allocate the vlan by matching the
>> >> value of an LDAP attribute.  Not by group membership, but the actual
>> >> value of a users attribute.  Is this possible?
>> >>
>> >> Cheers,
>> >> Dealy
>> >
>> > Yes. Just assign these attributes to the user object in LDAP.
>>
>> I have a value set for an attribute in LDAP, how do I "extract" the
>> value from the attribute  and do a comparison on it in the users file
>> so I can set the VLAN?
>
> Hi,
>
> I don't remember exactly what I did on version 1. Please see:
> http://vuksan.com/linux/dot1x/802-1x-LDAP.html
> for some hints.
>
> I had something like
>
> DEFAULT Auth-Type := LDAP
>        Reply-Message = "Auth by LDAP"
>
> in my users file. Other attributes stored in an object of objectClass
> radiusprofile should be added automatically to the Reply attributes.

I don't actually want to add radiusprofile attributes to my LDAP.  The
users already have an attribute which identifies their department.  I
want to be able to say "if department attribute = X then allocate VLAN
Y".  Can this be done without specifically setting the VLAN etc. as
radiusprofile attributes?  Also, I am not using LDAP for the
authentication, just authorization.  The authentication is done using
ntlm_auth.

>
> It is much simpler in version 2 of FreeRADIUS. It nearly works out of the box.
> Just uncomment the ldap part in authorization and authentication sections.
>
> Greetings,
>
>
> --
> Dr. Michael Schwartzkopff
> MultiNET Services GmbH
> Address: Bretonischer Ring 7; 85630 Grasbrunn; Germany
> Tel: +49 - 89 - 45 69 11 0
> Fax: +49 - 89 - 45 69 11 21
> mob: +49 - 174 - 343 28 75
>
> mail: misch at multinet.de
> web: www.multinet.de
>
> Registered office: 85630 Grasbrunn
> Register court: Amtsgericht München HRB 114375
> Managing directors: Günter Jurgeneit, Hubert Martens
>
> ---
>
> PGP Fingerprint: F919 3919 FF12 ED5A 2801 DEA6 AA77 57A4 EDD8 979B
> Skype: misch42
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>
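An added worked example, not from this thread and not the FreeRADIUS project's own configuration: one way to do exactly the mapping asked about above, written for FreeRADIUS 3.x (the thread is on 1.1.3, whose users file can only compare check items against the incoming request, so it cannot branch on a value fetched from LDAP). The LDAP lookup copies the user's department into a server-internal control attribute and the authorize section branches on it; authentication is untouched, so ntlm_auth keeps doing the credential check. The LDAP attribute name departmentNumber, the local attribute name Ldap-Department, the department strings and the VLAN IDs are all assumptions chosen for illustration.

```unlang
# Added example, not from the thread. FreeRADIUS 3.x syntax. The LDAP
# attribute (departmentNumber), the local attribute (Ldap-Department),
# the department strings and the VLAN IDs are assumptions.

# --- raddb/dictionary ---------------------------------------------------
# A local, server-internal attribute to carry the LDAP value.
# Attribute numbers 3000-3999 are reserved for local use.
ATTRIBUTE   Ldap-Department   3000   string

# --- raddb/mods-available/ldap --------------------------------------------
# Copy the user's departmentNumber into the control list. control:
# attributes are never sent to the NAS, so the raw department string
# does not leak into the Access-Accept and nothing has to be stripped
# from the reply afterwards. No radiusprofile objectClass is needed.
ldap {
    # (existing server, base_dn and user { } settings stay as they are)
    update {
        control:Ldap-Department := 'departmentNumber'
    }
}

# --- raddb/sites-available/default, authorize section -------------------
# ldap is only called for the lookup; it does no authentication here.
authorize {
    # (preprocess, mschap/ntlm_auth handling etc. as already configured)
    ldap

    if (&control:Ldap-Department == "engineering") {
        update reply {
            &Tunnel-Type := VLAN
            &Tunnel-Medium-Type := IEEE-802
            &Tunnel-Private-Group-Id := "10"
        }
    }
    elsif (&control:Ldap-Department == "finance") {
        update reply {
            &Tunnel-Type := VLAN
            &Tunnel-Medium-Type := IEEE-802
            &Tunnel-Private-Group-Id := "20"
        }
    }
    else {
        # Missing or unmapped department (including a user LDAP could not
        # find): fail closed instead of letting the port fall into
        # whatever default VLAN the switch happens to be configured with.
        update reply {
            &Reply-Message := "No VLAN mapping for department"
        }
        reject
    }
}
```

Run the server with radiusd -X and check that control:Ldap-Department is populated right after the ldap call; if it is empty for a known user, the user { } search in the ldap module is not finding the entry. If unmapped users should land on a guest VLAN rather than be rejected, replace the reject branch with a third update reply block carrying that VLAN ID.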



