VLAN ID based on VSAs
Phil Mayers
p.mayers at imperial.ac.uk
Mon Mar 5 11:58:13 CET 2012
On 05/03/12 09:38, Stefano Zanmarchi wrote:
> Hi,
> my first post here, a newbie question, thanks for your help.
> I'm going to set up two freeradius servers (2.1.7 on RHEL 5.5).
> ServerB will be connected to an AP and I want it to proxy all EAP
> requests to serverA (TTLS-PAP
> will be the only method accepted) which will do authentication using
> an OpenLDAP backend.
Ok. That's a weird config, but ok.
> My question:
> I'd like to configure serverA to include in the Access-Accept packet
> some AVPs which are specific
> to my Organization, like department_name, employee_role (I believe
> these are the so-called VSAs),
> and I'd like serverB to perform some if-then-else logic on these VSAs
> to dynamically calculate the
> VLAN-ID to return to the AP.
> Is this possible (in a simple way)? Is it a common set up?
It's not common.
It is pretty easy though; on serverB do something like this:
    post-proxy {
        ...
        # Ensure this filter permits "Some-Attr"
        attr_filter.name
    }
    post-auth {
        if (reply:Some-Attr == ...) {
            update reply {
                My-Vlan := 123
            }
        }
    }
See the sample config for more details on the attr_filter module, and
"man unlang" for more info on processing.
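
An added example, not part of the original post or the FreeRADIUS sample config: one way the post-auth logic on serverB could look. It assumes hypothetical VSAs named Example-Department and Example-Role are defined in serverB's dictionary and permitted by the post-proxy attr_filter, that the AP takes its VLAN from the standard Tunnel-* attributes, and that the VLAN numbers are constructed. Unmatched users fall through to a restricted VLAN, and the organisation-specific attributes are stripped before the Access-Accept reaches the AP.

```conf
# Added example for serverB (FreeRADIUS 2.x unlang).
# Example-Department, Example-Role, their values and the VLAN numbers
# are hypothetical placeholders, not taken from the original post.
post-auth {
	# These two are the same for every VLAN assignment.
	update reply {
		Tunnel-Type := VLAN
		Tunnel-Medium-Type := IEEE-802
	}

	if ((reply:Example-Department == "engineering") && (reply:Example-Role == "staff")) {
		update reply {
			Tunnel-Private-Group-Id := "110"
		}
	}
	elsif (reply:Example-Role == "student") {
		update reply {
			Tunnel-Private-Group-Id := "120"
		}
	}
	else {
		# No match, or serverA sent neither attribute: fail closed
		# into a restricted VLAN instead of the port's default one.
		update reply {
			Tunnel-Private-Group-Id := "999"
		}
	}

	# The AP has no use for the organisation's attributes, so remove
	# them from the reply once the decision has been made.
	update reply {
		Example-Department !* ANY
		Example-Role !* ANY
	}
}
```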