Freeradius LDAP VLAN default profile

Michael Schwartzkopff ms at sys4.de
Sun Jul 4 10:54:21 CEST 2021


On 03.07.21 23:14, Yann Verry via Freeradius-Users wrote:
> Dear list,
>
> My first time I write on the mailing-list.
> I hope not boring or not already answered thousand of times.
>
> I would like to setup a classical radius with rlm_ldap authentication
> module.
> The auth works as expected when I add attribute on the user side OR in
> profile section with the default value.


LDAP should not be used for authentication but for authorization.
FreeRADIUS can do the authentication better than the backend LDAP.


>
> My question is, how I can handle vlan with group dynamicaly. I seen
> some response/thread that put each group in post-auth {}.


You have to cache the LDAP-Group attribute and use this attribute later
in processing to assign the correct VLAN. Perhaps you can get the idea
from my blog. It is not exactly about assigning VLAN IDs, but I use the
LDAP-Group to assign the CLass attribute.

https://blog.sys4.de/strongswan-vpn-based-on-groups-en.html


> But I would like to have all information / matching from LDAP directly
> not in config file.

Yes, you cannot use the ldap config file from RADIUS since this is only
responisble for retrieving the info from LDAP server. Assingning the
VLAN attribute has to be done later in processing.


>
> Do you have some input / docs to do this ?
>
> My current setup:
>
>
Michael


Mit freundlichen Grüßen,

-- 

[*] sys4 AG
 
https://sys4.de, +49 (89) 30 90 46 64
Schleißheimer Straße 26/MG,80333 München
 
Sitz der Gesellschaft: München, Amtsgericht München: HRB 199263
Vorstand: Patrick Ben Koetter, Marc Schiffbauer, Wolfgang Stief
Aufsichtsratsvorsitzender: Florian Kirstein



More information about the Freeradius-Users mailing list