How to add VAP based on LDAP group membership

Alan DeKok aland at
Thu Jan 14 16:25:16 CET 2016

On Jan 14, 2016, at 10:04 AM, Thomas Stather <Thomas.Stather at> wrote:
> I have a RADIUS setup (eduroam) where the users are authenticated against LDAP (mod_ldap, not ntlm_auth) for our own domain. All other users are proxied to a RadSec proxy.
> This works fine, but now we need the possibility to  replace the Aruba-User-VLAN VAP with a different VLAN ID, if some users from our domain can be found in a special LDAP group (i.e. cn=testgroup). If not, the users should get assigned the Aruba-User-VLAN VAP 31.
> What do i have to change in my setup in order to make this work?

 Write down the rules in procedural form.  Then translate them to unlang.

	if (my realm) {
		if (ldap group == test group ) {
			VLAN VAP 31
		else {

  It's really that simple.

  Alan DeKok.

More information about the Freeradius-Users mailing list