VLAN Assignment with RADIUS
Brian Candler
b.candler at pobox.com
Sat Dec 24 17:38:25 CET 2016
On 23/12/2016 13:18, Valentin Heidelberger wrote:
> Now I am just wondering where exactly I would have to put that one
> config, which was suggested:
In your authorize section. The cleanest approach would be to write a policy
section in a file under policy.d, and then invoke that from within your
authorize { ... } section in the main server.
(Aside: I've tried doing policy in the 'authenticate' or 'post-auth'
section but I had some issue to do with the configurable failover
behaviour. I'd have to dig out the details of exactly why it behaved
strangely. But putting stuff in the 'authorize' section is straightforward).
> Besides, I am wondering if someone has ever tried to do this via LDAP?
> Is RADIUS capable of using an LDAP attribute to match a VLAN to a user
> logging in?
Sure. The exact details will depend on your network setup. Here's a
starting point:
group_authorization {
    # Only applies to requests from NASes in the "wifi" huntgroup
    if (&Huntgroup-Name == "wifi") {
        # Student SSID: members of the students or staff group may connect
        if (&Called-Station-Id =~ /:SSID Student$/ && (&LDAP-Group[*] == "cn=students,cn=groups,cn=accounts,dc=example,dc=com" || &LDAP-Group[*] == "cn=staff,cn=groups,cn=accounts,dc=example,dc=com")) {
            ok
        }
        # Staff SSID: staff group only
        elsif (&Called-Station-Id =~ /:SSID Staff$/ && &LDAP-Group[*] == "cn=staff,cn=groups,cn=accounts,dc=example,dc=com") {
            ok
        }
        # Anything else on wifi is refused
        else {
            update {
                &reply:Reply-Message := "Not authorized for wifi"
            }
            reject
        }
    }
}
Then in your main server something like:
authorize {
    ...
    ldap
    group_authorization
}
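The policy above only accepts or rejects; the original question was about assigning a VLAN. The following is an added example (editor's, not part of Brian's message or the FreeRADIUS project) that extends the same structure to return the RFC 3580 tunnel attributes the NAS uses to put the client on a VLAN. The VLAN IDs 20 and 30 are assumptions for illustration; the group DNs, the "wifi" huntgroup and the SSID naming are taken from the post. It goes in a file under policy.d (which is already inside the server's policy { } block) and is called from authorize after ldap.

```unlang
# Added example: per-group VLAN assignment for FreeRADIUS 3.x unlang.
# VLAN 20 (staff) and VLAN 30 (students) are assumed values.
vlan_from_ldap_group {
    # Only applies to requests from NASes in the "wifi" huntgroup
    if (&Huntgroup-Name == "wifi") {
        # Staff are placed on VLAN 20 on any wifi SSID
        if (&LDAP-Group[*] == "cn=staff,cn=groups,cn=accounts,dc=example,dc=com") {
            update reply {
                &Tunnel-Type := VLAN
                &Tunnel-Medium-Type := IEEE-802
                # Tunnel-Private-Group-Id is a string attribute, so quote it
                &Tunnel-Private-Group-Id := "20"
            }
            ok
        }
        # Students are placed on VLAN 30, but only on the Student SSID
        elsif (&Called-Station-Id =~ /:SSID Student$/ && &LDAP-Group[*] == "cn=students,cn=groups,cn=accounts,dc=example,dc=com") {
            update reply {
                &Tunnel-Type := VLAN
                &Tunnel-Medium-Type := IEEE-802
                &Tunnel-Private-Group-Id := "30"
            }
            ok
        }
        # No matching group: fail closed. Do not rely on the NAS falling
        # back to a default VLAN when no tunnel attributes are returned.
        else {
            update {
                &reply:Reply-Message := "Not authorized for wifi"
            }
            reject
        }
    }
}
```

Call it from authorize in the same position as group_authorization in the post, i.e. after ldap, so the LDAP-Group comparison has the user's entry to work with, and after preprocess, which is what sets Huntgroup-Name from the huntgroups file. Two caveats a practitioner should check: the NAS must be configured to honour RADIUS-assigned VLANs (wireless controllers usually call this "AAA override" or similar, and it is off by default on some), and for EAP the tunnel attributes must end up in the outer Access-Accept, so if the policy runs in the inner-tunnel virtual server they have to be copied to the outer reply, the mechanism for which differs between FreeRADIUS versions.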
More information about the Freeradius-Users mailing list