LDAP Group assign to vlan after AD user authentication

Arnaud Loonstra arnaud at z25.org
Mon Jan 23 14:48:51 CET 2012

On 01/19/2012 11:25 AM, James wrote:
> Hi,
> I've successfully set up a radius server to support 802.1x
> authentication using peap mschapv2 and samba to authenticate users
> against AD.
> To do this I followed configuration on the freeradius.org website and
> the AD integration howto on deployingradius.com, thank you very much
> for writing these!
> I now need to assign the vlan due to membership of some group in AD
> and I understand that an ldap lookup is needed.
> Where in the configuration do I check this group and map it to a vlan?
> Can I do it as a default entry in the users file or is it needed
> somewhere else?
> Thank you very much,
> James

Hi James,

I don't know anything about AD and I presume you are using the latest FR.

I'm currently testing an ldap-group check in authorize using unlang:

This is part of a switch statement:

case 'NAS-Prompt-User' {
  #Check if user is member of a certain group
   if (Ldap-Group == "cn=mygroup,ou=groups,o=radius") {
     update reply {
       Service-Type := "Administrative-User"
   #else DENY
   else {
     update control {
       Auth-Type := reject

But I reckon you could also do something like that in post-auth section

if (Ldap-Group == "cn=mygroup,ou=groups,o=radius") {
   update reply {
     Tunnel-type = VLAN
     Tunnel-medium-type = IEEE-802
     Tunnel-Private-Group-Id = 1

This works for me :) it might as well for AD.



Stichting z25.org
Concordiastraat 67A
3551 EM Utrecht
The Netherlands

More information about the Freeradius-Users mailing list