> I'm trying to add a user to a vlan based on an ldap attribute. I've checked
> out: http://vuksan.com/linux/dot1x/802-1x-LDAP.html and saw the following
> would have to be added to the user's ldap record:
> radiusTunnelMediumType: IEEE-802
> radiusTunnelType: VLAN
> radiusTunnelPrivateGroupId: 2

Yes, that's usually the syntax, but it might depend on your switch/AP, so check the docs of your device.

> If I don't want to actually insert that into the LDAP database, is it
> possible for Radius to figure out which vlan to assign to based on some
> other already existing LDAP attribute?

One way to do that is to use LDAP groups. If your users are in dedicated LDAP groups, then a rule like the following in your "users" file will do the trick:
DEFAULT Huntgroup-Name == "myAP", Ldap-Group == "Engineering"
       User-Name = "%{User-Name}",
       Tunnel-Type = VLAN,
       Tunnel-Medium-Type = IEEE-802,
       Tunnel-Private-Group-Id = 2,
       Fall-Through = no


> For example, if I want to assign
> users whose userDepartment attribute equals ITS into vlan 3 and those whose
> userDepartment attribute equals HR into vlan 4?  If so, could you give me a
> link to how to do that, or explain briefly?

Ldap-Groups can be "true ldap groups" such as groupOfNames entries. However, you may also want to map LDAP-Groups to the value of an attribute inside the user's entry.

See the groupmembership_attribute in the ldap configuration section
#       groupmembership_attribute: The attribute in the user entry that states
#       the group the user belongs to.

Refer to the docs/rlm_ldap for more information

HTH,
Thibault
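Putting the two halves of the answer together for the ITS/HR case in the question, as an added example that is not part of the original mail: the rlm_ldap module is told to treat the value of userDepartment as the user's "group", and the users file then matches on Ldap-Group to hand back the RFC 2868 Tunnel-* reply attributes for each VLAN. The key names follow FreeRADIUS 2.x (groupmembership_attribute inside the ldap module, as quoted above); the server name, base DN and filter are assumptions for illustration, and the trailing catch-all entry is an added safety net so a user with an unexpected department is rejected instead of landing on whatever VLAN the switch port defaults to.

```conf
# radiusd.conf (FreeRADIUS 2.x syntax), ldap module block.
# Assumed directory layout: users live under ou=People,dc=example,dc=com
# and each entry carries a userDepartment attribute ("ITS" or "HR").
ldap {
        server = "ldap.example.com"
        basedn = "ou=People,dc=example,dc=com"
        filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"

        # Use the value of userDepartment as the user's group, so that
        # "Ldap-Group == ITS" matches entries whose userDepartment is ITS.
        groupmembership_attribute = "userDepartment"
}

# users file: one entry per department. Tunnel-Type, Tunnel-Medium-Type
# and Tunnel-Private-Group-Id are the RADIUS reply attributes (RFC 2868)
# that carry the VLAN assignment in the Access-Accept; reply items are
# comma-separated except for the last one.
DEFAULT Ldap-Group == "ITS"
        Tunnel-Type = VLAN,
        Tunnel-Medium-Type = IEEE-802,
        Tunnel-Private-Group-Id = 3,
        Fall-Through = no

DEFAULT Ldap-Group == "HR"
        Tunnel-Type = VLAN,
        Tunnel-Medium-Type = IEEE-802,
        Tunnel-Private-Group-Id = 4,
        Fall-Through = no

# Catch-all: anyone whose department matched neither entry is rejected,
# rather than silently accepted with no VLAN attributes.
DEFAULT
        Auth-Type := Reject
```

If the VLAN assignment should only apply for a particular set of access points, add the Huntgroup-Name condition from the Engineering example (with the matching entry in the huntgroups file) to each DEFAULT line; Ldap-Group checks are evaluated per request against the directory, so no change to the LDAP data itself is needed. Verify the result with radtest (or a real 802.1X client) and confirm that the Access-Accept in the debug output (radiusd -X) contains the three Tunnel-* attributes before relying on it on the switch.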

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
