My LDAP base contains an SSID attribute for each user, because my NAS sends its vendor-specific attribute containing the SSID the user wants to connect to. At each authentication request, the authorize section (radiusd.conf) calls LDAP (with the filter) to compare the `uid' and `SSID'. If the SSID sent by the NAS corresponds to the SSID stored in LDAP, FreeRADIUS sends ‘accept’; if not, it sends ‘reject’. But you want the Cisco switch to redirect the user to one SSID or another, according to the SSID corresponding to the attributes Tunnel-Medium-Type, Tunnel-Private-Group-Id, Tunnel-Type?


My solution is similar to yours, but I don't have SSID attributes for each user. I use the replyItem to redirect the user connection to the correct VLAN. But if the replyItem works, why can't I check one attribute with the checkItem? What is wrong in my configuration?

For example, if I use the users file authentication without LDAP, with these users:


test2  Cisco-AVPair == "ssid=VLAN2", User-Password == "passwd2"
       Tunnel-Medium-Type = IEEE-802,
       Tunnel-Private-Group-Id = 2,
       Tunnel-Type = VLAN

test3  User-Password == "passwd3"
       Tunnel-Medium-Type = IEEE-802,
       Tunnel-Private-Group-Id = 3,
       Tunnel-Type = VLAN


test2 can connect to vlan2 only with ssid=VLAN2.
test3 can connect to vlan3 with any ssid.
This configuration works, and I want the same using only the LDAP module, without the users file.


I hope that my explanation is clear.

Bye Antonio
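To make the check-item versus reply-item distinction in the users file above concrete, here is an added example (not FreeRADIUS code and not from the original post): it parses the two entries exactly as written and evaluates a request the way the files module does, with every `==` check item having to match before the indented reply items are returned. The request dictionaries are constructed; attribute names and values come from the post.

```python
import re

# The two entries from the post, verbatim (constructed input for this example).
USERS_FILE = '''
test2  Cisco-AVPair == "ssid=VLAN2", User-Password == "passwd2"
       Tunnel-Medium-Type = IEEE-802,
       Tunnel-Private-Group-Id = 2,
       Tunnel-Type = VLAN

test3  User-Password == "passwd3"
       Tunnel-Medium-Type = IEEE-802,
       Tunnel-Private-Group-Id = 3,
       Tunnel-Type = VLAN
'''

# attribute, operator (== for check items, = for reply items), optionally quoted value
PAIR = re.compile(r'\s*([\w-]+)\s*(==|=)\s*"?([^",]*)"?\s*')

def parse_users(text):
    """Return [(name, check_items, reply_items), ...] in file order.
    An unindented line starts an entry: name followed by comma-separated check
    items; each indented line that follows carries one reply item."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():
            name, _, rest = line.partition(' ')
            checks = {m.group(1): m.group(3) for m in PAIR.finditer(rest)}
            entries.append((name, checks, {}))
        else:
            m = PAIR.match(line)
            entries[-1][2][m.group(1)] = m.group(3)
    return entries

def authorize(entries, request):
    """files-module semantics: the first entry whose name matches User-Name and
    whose check items ALL equal the request's attributes wins and its reply items
    are returned. A check item missing from the request is a mismatch. With no
    matching entry nothing sets Auth-Type, so the request is rejected."""
    for name, checks, reply in entries:
        if request.get("User-Name") != name:
            continue
        if all(request.get(attr) == value for attr, value in checks.items()):
            return "Access-Accept", dict(reply)
    return "Access-Reject", {}
```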