Microsoft AD group check

Marek Smoliński marksmol at
Sun Jan 12 16:37:48 CET 2020


I want to implement 802.1x. The computers belonging to the Microsoft domain will be authenticated. The switch port will be configured in a VLAN according to the computer's group membership. Simple configuration. Works well ;) FreeRadius 3.0.19

Question: due to AD complexity, is it possible to assign the same VLAN to computers from different groups?
Currently I'm doing it as follows: in post-auth
if (Ldap-Group == VLAN16_SIEO1) {
    update reply {
I want to allocate the same VLAN to groups such as VLAN16_BSTO1 and VLAN16_ADMCE1 and others starting with VLAN16_. Is it possible to check the group name so as not to create many "if" conditions? In my case there will be about 800 of these conditions :)
If I change the "if" condition to
if (Ldap-Group[*] =~ /.*VLAN16_.*/) {
    update reply {

I've got the result:
Debug: (10)       User is not a member of "VLAN129"
Debug: (10)       elsif (LDAP-Group == VLAN129)  -> FALSE
Debug: (10)       elsif (LDAP-Group[*] =~ /.*VLAN16_.*/) {
Debug: No old matches
Debug: (10)       elsif (LDAP-Group[*] =~ /.*VLAN16_.*/)  -> FALSE
Debug: (10)       elsif (LDAP-Group == VLAN131) {
Debug: (10)       Searching for user in group "VLAN131"

Can anyone help me and tell me how to configure this to solve the problem? Thanks.

Marek Smoliński
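
The group-name convention described in the post above (VLAN16_SIEO1, VLAN16_BSTO1, VLAN129), worked as an added Python example that is not part of the original message and is not FreeRADIUS configuration: it derives one VLAN from a list of group names with a whole-name match and assigns nothing when memberships are missing or conflict. The function names, the sample DN and the use of the RFC 3580 tunnel attributes in the reply are assumptions for illustration.

```python
import re

# The whole group name must be VLAN<id> or VLAN<id>_<suffix> (fullmatch is used below).
# An unanchored pattern like /.*VLAN16_.*/ would also accept "OLD_VLAN16_SIEO1".
GROUP_RE = re.compile(r"VLAN(\d{1,4})(?:_[A-Za-z0-9]+)?")
DN_RE = re.compile(r"cn=([^,]+),", re.IGNORECASE)


def cn_of(value):
    """Return the CN of a DN such as 'CN=VLAN16_X,OU=...', else the value unchanged."""
    m = DN_RE.match(value)
    return m.group(1) if m else value


def vlan_for_groups(groups):
    """Map group names or DNs to exactly one VLAN id; None means no assignment."""
    vlans = set()
    for group in groups:
        m = GROUP_RE.fullmatch(cn_of(group).strip())
        if m and 1 <= int(m.group(1)) <= 4094:  # valid 802.1Q VLAN range
            vlans.add(int(m.group(1)))
    # No match, or memberships pointing at different VLANs: fail closed.
    return vlans.pop() if len(vlans) == 1 else None


def reply_attributes(groups):
    """Build the VLAN assignment reply (RFC 3580 attributes), or {} if undecided."""
    vlan = vlan_for_groups(groups)
    if vlan is None:
        return {}
    return {
        "Tunnel-Type": "VLAN",
        "Tunnel-Medium-Type": "IEEE-802",
        "Tunnel-Private-Group-Id": str(vlan),
    }


if __name__ == "__main__":
    # Constructed sample memberships, not taken from a real directory.
    samples = [
        ["Domain Computers", "VLAN16_SIEO1"],
        ["CN=VLAN16_BSTO1,OU=Groups,DC=example,DC=com", "VLAN16_ADMCE1"],
        ["VLAN16_SIEO1", "VLAN129"],   # conflicting VLANs
        ["OLD_VLAN16_SIEO1"],          # prefix only looks similar
    ]
    for groups in samples:
        print(groups, "->", reply_attributes(groups))
```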
