dynamic VLAN assignment w/ mschapv2 against AD and LDAP

schilling schilling2006 at gmail.com
Tue Jan 25 00:40:40 CET 2011

Thanks a lot.

More questions.

If you want to lower the load (and authentication latency) on your AD
servers then you might want to look at the following too:


I am trying to follow your comment on this.  I now realized we used to
run eDir and now converted to iplanet directory. Anyway, do I still
need to enable the compilation --with-edir option as stated below? My
guess is yes since otherwise, I could not call ldap in the post-auth
section in "auth" virtual server for eap.
#  Un-comment the following to disable Novell
		#  eDirectory account policy check and intruder
		#  detection. This will work *only if* FreeRADIUS is
		#  configured to build with --with-edir option.
		#edir_account_policy_check = no

What I want to do is just to check some attribute in our ldap server,
our structure is like the following:
# extended LDIF
# LDAPv3
# base <ou=people,dc=foo,dc=edu> with scope subtree
# filter: uid=sding
# requesting: ALL

# sding, People, foo.edu
dn: uid=sding,ou=People,dc=foo,dc=edu
ntPassword: 123F0AE5D10B5CCD1A7366E8DEABCDE
fooEduPSHRdeptName: Information Technology Service (ITS)
fooEduPSHRDepartmentNumber: 123456
fooEduEmployeeStatus: Active
employeeStatus: Active
uid: sding

I would like to cache the following attribut/value in your example
cache_ldap-userdn.pm, so I can use these values as logic to assign
user to different VLANs.  Can I do that in your pm?
fooEduPSHRdeptName: Information Technology Service (ITS)
fooEduPSHRDepartmentNumber: 123456
fooEduEmployeeStatus: Active
employeeStatus: Active



On Mon, Jan 24, 2011 at 4:38 PM, Alexander Clouter <alex at digriz.org.uk> wrote:
> schilling <schilling2006 at gmail.com> wrote:
>> I am trying to play with your configuration, basically I have a
>> virtual server call auth as your example, and modified my eap.conf for
>> peap to use auth.
>> what's the config:local.MY.realm? My debug showed
> Phil pretty much covered it (and in a neater manner I was not aware
> could be used, but it is obvious now seeing it...), I put all the 'local
> site' specific details into a single configuration file (including
> SQL/LDAP binding credentials) so that if I want to give someone a copy
> of my config, ll I have to really do is trim the 'local' file and know I
> have not leaked anything important.
> For example, just after '$INCLUDE clients.conf' in the main radiusd.conf
> file I add '$INCLUDE LOCAL/local.conf' and that LOCAL/local.conf file
> is:
> ----
> local.MY.hostname               = iodine.it.soas.ac.uk
> local.MY.addr.v6                = 2001:630:1b:6004:168c:9d91:127f:bb0c
> local.MY.addr.v4                =
> local.MY.realm                  = soas.ac.uk
> local.addr.v6                   = 2001:630:1b:1001:624a::15bb
> local.addr.v4                   =
> local.test.username             = test-username
> local.test.password             = [ahem]
> local.ldap.server.1             = ldap1.soas.ac.uk
> local.ldap.server.2             = ldap2.soas.ac.uk
> local.ldap.username             = cn=cheese,ou=is,o=tasty
> local.ldap.password             = NOM
> local.sql.server                = sql.soas.ac.uk
> local.sql.username              = radius-username
> local.sql.password              = oh-so-very-secret
> local.cert.password             = omg-do-not-tell-anyones
> [snipped]
> $INCLUDE ${confdir}/LOCAL/templates.conf
> $INCLUDE ${confdir}/LOCAL/policy.conf
> $INCLUDE ${confdir}/LOCAL/proxy.conf
> $INCLUDE ${confdir}/LOCAL/clients/
> ----
> Cheers
> --
> Alexander Clouter
> .sigmonster says: Riches cover a multitude of woes.
>                                -- Menander
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

More information about the Freeradius-Users mailing list