MAC auth with LDAP
Alan DeKok
aland at deployingradius.com
Fri Nov 16 23:58:39 CET 2018
On Nov 16, 2018, at 5:13 PM, Victor Cenac <victor at fuller.edu> wrote:
> I have a Juniper network where we assign devices to vlans based on their
> MAC. The MACs are stored in an LDAP with the MAC as username and password.
> The group membership is what distinguishes the vlan needed.
That should be simple enough.
> I managed to configure the ldap and enable the ldap module. FreeRADIUS
> starts fine with it. I also added all the switches as clients.
OK.
> I need help figuring out:
> 1. Where do I tell FreeRADIUS to look for users in ldap (vs the users file)?
raddb/sites-enabled/default
Look for "ldap". And, raddb/mods-available/ldap
See also http://wiki.freeradius.org/. Search for "ldap". It has lots of documentation.
> 2. Where do I match the group in ldap with the vlan number that needs to be
> sent to the client (switch)? For example, for group Staff value is 10 (vlan
> 10).
You don't map LDAP names directly to VLANs. They might be "sales", and you can't use "sales" as a VLAN number.
Instead, do this:
    if (LDAP-Group == "staff") {
        update reply {
            Tunnel-Type := VLAN
            Tunnel-Medium-Type := IEEE-802
            Tunnel-Private-Group-Id := 10
        }
    }
Alan DeKok.
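A fuller version of the group-to-VLAN mapping described above, added here as an example and not part of the original reply. It assumes the block lives in the post-auth section of raddb/sites-enabled/default (after the ldap module has run in authorize); the "sales" group and VLAN 20 are constructed for illustration, and devices found in LDAP but in no mapped group are rejected rather than being dropped onto a default VLAN.

```unlang
# Assumed placement: post-auth section of raddb/sites-enabled/default.
# "staff" -> VLAN 10 is from the thread; "sales" -> VLAN 20 is constructed.
post-auth {
    if (LDAP-Group == "staff") {
        update reply {
            Tunnel-Type := VLAN
            Tunnel-Medium-Type := IEEE-802
            Tunnel-Private-Group-Id := 10
        }
    }
    elsif (LDAP-Group == "sales") {
        update reply {
            Tunnel-Type := VLAN
            Tunnel-Medium-Type := IEEE-802
            Tunnel-Private-Group-Id := 20
        }
    }
    else {
        # MAC authenticated but belongs to no mapped group: do not
        # hand out a VLAN at all, and make the reason visible in the log.
        update reply {
            Reply-Message := "No VLAN mapping for this device"
        }
        reject
    }
}
```

Adding a new group is one more elsif branch; the final else is what keeps an unmapped MAC from silently landing on the switch's untagged VLAN.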