OpenDirectory VLAN Assignment by Group

Alan DeKok aland at
Mon Aug 20 20:23:22 CEST 2012

Theparanoidone Theparanoidone wrote:
> Previously using radius, we were able to assign VLAN based upon group membership using the following syntax in /etc/raddb/users:

  That should still work.

> Now with FreeRADIUS Version 2.1.12, we are unable to make the above syntax work anymore.

  Nonsense.  See the FAQ for "it doesn't work".

  It works.  People use that syntax.  It's documented as working.  It
hasn't changed in about 10 years.

  Which version were you using?  You didn't say...

> After some reading, we stumbled upon someone with a similar issue who claimed that you now have to place the post-auth section of /etc/raddb/sites-enabled/default ... we had to make some modifications to the syntax as well:

  Why would that be?

> While the above syntax does appear to properly assign the VLAN ... we are unable to match this against the Group-Name field  (so the following does not work): 

  <sigh>  See the FAQ for "it doesn't work".

> However ... we appear unable to get any variable to expand that relates to group. (We have tried Group, Group-Name, Ldap-Group, LDAP-Group, gid, group, all without success.) It would be ideal to base VLAN membership off of group as opposed to individual user.

  Group-Name is Unix groups.

  You clearly changed something in your system.  But you didn't say
what.  You didn't say which version you were using.  You didn't say how
you upgraded.

> Questions:
> 1)  Is there a way to echo out *all* variables that radiusd -X has access to at the time of testing so we can perhaps see what field contains the valid group on?

  No.  Many "variables" are pulled from external databases, or things
like the Unix group file.  Printing out all of them is impossible,
because there may be hundreds.

> 2)  Does anyone know what the variable for groups we should be using is?


> 3)  Is there documentation that covers the change in syntax as I described above?  (... I'm sure just not finding it but I have been looking)

  The "users" file documentation?  Which hasn't changed in 10 years?

> (This is on the latest version of Apple's deployment of freeradius that relies on OpenDirectory)
> (We will try and contact Apple as well... but I'm imagining this request will be beyond their capabilities... echoing out all variables may get us a solution faster???)
> Thank you in advance for any advice or pointers to relevant documentation.

  What happened?  What changed?  You've been careful to avoid saying that.

  "Hi, stuff used to work.  Then I tried 2.1.12, and now stuff doesn't
work.  Why?"

  How do you expect anyone to be able to answer that?

  Alan DeKok.

