Microsoft AD group check
Marek Smoliński
marksmol at o2.pl
Sun Jan 12 16:37:48 CET 2020
Hi,
I want to implement 802.1x. The computers belonging to the Microsoft domain will be authenticated. The switch port will be configured in a VLAN according to the computer's group membership. Simple configuration. Works well ;) FreeRadius 3.0.19
Question: due to AD complexity, is it possible to assign the same VLAN to computers from different groups?
Currently I'm doing it as follows: in post-auth
    if (Ldap-Group == VLAN16_SIEO1) {
        update reply {
            ...
        }
    }
I want to allocate the same VLAN to groups such as VLAN16_BSTO1 and VLAN16_ADMCE1 and others starting with VLAN16_. Is it possible to check the group name so as not to create many "if" conditions? In my case these conditions will be about 800 :)
If I change the "if" condition:
    if (Ldap-Group[*] =~ /.*VLAN16_.*/) {
        update reply {
            ...
        }
    }
I've got the result:
Debug: (10) User is not a member of "VLAN129"
Debug: (10) elsif (LDAP-Group == VLAN129) -> FALSE
Debug: (10) elsif (LDAP-Group[*] =~ /.*VLAN16_.*/) {
Debug: No old matches
Debug: (10) elsif (LDAP-Group[*] =~ /.*VLAN16_.*/) -> FALSE
Debug: (10) elsif (LDAP-Group == VLAN131) {
Debug: (10) Searching for user in group "VLAN131"
Can anyone help me and tell me what configuration can solve this problem? Thanks.
Regards
Marek Smoliński
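
An added example, not part of the original post and not FreeRADIUS project code: LDAP-Group is a virtual attribute that triggers a membership lookup (the "Searching for user in group" debug lines) and holds no group names for a regex to match, so one approach in FreeRADIUS 3.0.x is to copy the account's memberOf values into a list attribute and loop over them with an anchored regex. It assumes the ldap module is called in authorize and finds the computer's object, that groups are named VLAN<number> or VLAN<number>_<suffix> as in the post, that Tmp-String-0 is free to use, and that the elided reply block sets the usual RFC 3580 VLAN attributes; it generalizes from VLAN16_ to any VLAN number.

```unlang
# mods-available/ldap: add this line to the module's existing "update"
# section so every memberOf value (a group DN) is copied to the control list.
# Tmp-String-0 is an assumption; any unused string attribute works.
update {
    control:Tmp-String-0 += 'memberOf'
}

# sites-available/default
# Assumes "ldap" ran in authorize and located the computer's LDAP object.
post-auth {
    foreach &control:Tmp-String-0 {
        # Anchor on the leading RDN so only the group's own CN decides the
        # VLAN. An unanchored /.*VLAN16_.*/ would also match an OU or any
        # group whose DN merely contains "VLAN16_" somewhere.
        # Matches CN=VLAN129,... and CN=VLAN16_SIEO1,...
        # %{1} holds the captured VLAN number.
        if ("%{Foreach-Variable-0}" =~ /^CN=VLAN([0-9]+)(_[^,]*)?,/i) {
            update reply {
                # Assumed reply attributes (the post elides its own block).
                Tunnel-Type := VLAN
                Tunnel-Medium-Type := IEEE-802
                Tunnel-Private-Group-Id := "%{1}"
            }
            # First matching group wins; stop so a later group cannot
            # overwrite the assignment.
            break
        }
    }
}
```

In Active Directory, memberOf lists only direct memberships and omits the primary group, so nested VLAN groups are not seen by this loop. A computer that belongs to groups for two different VLANs gets whichever DN the directory returns first, so membership in these groups should be kept mutually exclusive.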