How to add VAP based on LDAP group membership

Thomas Stather Thomas.Stather at
Thu Jan 14 16:04:15 CET 2016


I have a RADIUS setup (eduroam) where the users are authenticated 
against LDAP (mod_ldap, not ntlm_auth) for our own domain. All other 
users are proxied to a RadSec proxy.
This works fine, but now we need the possibility to replace the 
Aruba-User-VLAN VAP with a different VLAN ID, if some users from our 
domain can be found in a special LDAP group (i.e. cn=testgroup). If not, 
the users should get assigned the Aruba-User-VLAN VAP 31.

What do I have to change in my setup in order to make this work?

In my /etc/raddb/sites-enabled/testsite I have:
post-auth {
         Post-Auth-Type REJECT {
### enable debug logging from here on
    #update control {
    #   Tmp-String-0 = "%{debug:2}"
    if (Realm == "") {
       update reply {
          Aruba-User-Vlan = "31"




Thomas Stather
IT Services

Tel:  +49 6221-486 628
Fax: +49 6221-486 561

Max Planck Institute for Medical Research (MPImF)
Jahnstrasse 29, 69120 Heidelberg
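
One way to express the requirement described above in unlang, as an added example that is not part of the original post or the poster's configuration. It assumes a FreeRADIUS 3.x rlm_ldap instance named "ldap" with group lookups configured; VLAN ID 99 is a constructed stand-in for the group's VLAN.

```unlang
# Added example for sites-enabled/testsite (not the poster's configuration).
# Assumption: the "ldap" module instance is enabled and its group { } section
# is configured so that the group name "testgroup" resolves.
post-auth {
    # Only users of the local domain; proxied realms are left untouched.
    if (Realm == "") {
        # LDAP-Group triggers a group membership lookup for the current user.
        if (LDAP-Group == "testgroup") {
            update reply {
                # 99 is a constructed value; replace it with the real VLAN ID.
                # ":=" replaces any Aruba-User-Vlan already in the reply,
                # whereas "=" only adds the attribute if none is present.
                Aruba-User-Vlan := 99
            }
        }
        else {
            # Non-members fall through to the default VLAN.
            update reply {
                Aruba-User-Vlan := 31
            }
        }
    }
}
```

With PEAP or TTLS the outer User-Name may be anonymous, so the membership check has to run where the real identity is available (for example in the inner-tunnel virtual server). Running the server with `radiusd -X` shows which branch was taken and the LDAP group search that was issued.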

More information about the Freeradius-Users mailing list