How to add VAP based on LDAP group membership
Thomas Stather
Thomas.Stather at mpimf-heidelberg.mpg.de
Thu Jan 14 16:04:15 CET 2016
Hi
I have a RADIUS setup (eduroam) where the users are authenticated
against LDAP (mod_ldap, not ntlm_auth) for our own domain. All other
users are proxied to a RadSec proxy.
This works fine, but now we need the possibility to replace the
Aruba-User-VLAN VAP with a different VLAN ID, if some users from our
domain can be found in a special LDAP group (i.e. cn=testgroup). If not,
the users should get assigned the Aruba-User-VLAN VAP 31.
What do I have to change in my setup in order to make this work?
In my /etc/raddb/sites-enabled/testsite I have:
...
post-auth {
    #reply_log
    #redundant_ldap
    #exec
    Post-Auth-Type REJECT {
        attr_filter.access_reject
    }
    ### enable debug logging from here on
    #update control {
    #    Tmp-String-0 = "%{debug:2}"
    #}
    if (Realm == "testdomain.de") {
        update reply {
            Aruba-User-Vlan = "31"
        }
    }
}
Best,
Thomas
...
--
Thomas Stather
IT Services
Tel: +49 6221-486 628
Fax: +49 6221-486 561
------------------------------------------------------------------------
Max Planck Institute for Medical Research (MPImF)
Jahnstrasse 29, 69120 Heidelberg
Germany
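
One way to express the requested check in unlang, as an added example that is not part of the original post: it uses the LDAP-Group comparison provided by the ldap module and keeps VLAN 31 as the default for every local user who is not in the group. The group DN and the alternative VLAN ID 32 are placeholders, and the ldap module's group lookup settings are assumed to be configured.

```unlang
post-auth {
    Post-Auth-Type REJECT {
        attr_filter.access_reject
    }

    # Only users of the local realm get a VLAN from this server;
    # proxied users keep whatever their home server returned.
    if (Realm == "testdomain.de") {
        # LDAP-Group runs a group membership lookup for the request's User-Name.
        # Placeholder DN (assumption): replace with the real DN of cn=testgroup.
        if (LDAP-Group == "cn=testgroup,ou=groups,dc=example,dc=org") {
            update reply {
                # Placeholder VLAN ID for group members (assumption).
                Aruba-User-Vlan = "32"
            }
        }
        else {
            # Default: not a member, or the lookup found no match.
            update reply {
                Aruba-User-Vlan = "31"
            }
        }
    }
}
```

The lookup uses the User-Name of the request it runs in, so with EAP-TTLS or PEAP and an anonymous outer identity the check belongs in the inner-tunnel virtual server, where the real identity is known. Running `radiusd -X` shows the LDAP group search and which branch was taken.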