Jacob Jarick wrote:
> * school with wireless access
> * already uses radius (soon to be freeradius)
> * freeradius auths via a win2k3 Active Directory Server
> * teachers need to be able to log into WAPs a,b,c etc and be
> automatically assigned to the teachers vlan
> * priv students need to be able to log into WAPs a,b,c and be
> assigned to the priv student vlan
> * norm students simply need to have network access denied from WAPs a,b,c
> 
> 
> From what I've learnt so far today, I need to configure the radius.conf
> to retrieve the users group from the ADS and then return auth and map
> group -> vlan / tunnel ID.

  Yes.  You should be able to do that via the LDAP-Group attribute.  In
the "users" file, do:

DEFAULT LDAP-Group == "norm-students", NAS-IP-Address == a, Auth-Type := Reject

DEFAULT LDAP-Group == "norm-students", NAS-IP-Address == b, Auth-Type := Reject

DEFAULT LDAP-Group == "norm-students", NAS-IP-Address == c, Auth-Type := Reject

DEFAULT LDAP-Group == "priv-students"
        ... assign VLAN (see NAS documentation for what attributes)

DEFAULT LDAP-Group == "teacher"
        ... assign VLAN (see NAS documentation for what attributes)

  Alan DeKok.
--
  http://deployingradius.com       - The web site of the book
  http://deployingradius.com/blog/ - The blog
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
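
An added illustration of the reply above, not part of Alan DeKok's message or of the FreeRADIUS distribution: the same "users" entries with the VLAN assignment written out using the RFC 3580 tunnel attributes. The NAS addresses and VLAN IDs are constructed placeholders, and it is an assumption that the access points honour these attributes (check the NAS documentation) and that the ldap module is configured to resolve group membership.

```text
# "users" file. Entries are tried top to bottom; the first match wins
# unless Fall-Through is set. Check items must stay on ONE line;
# reply items go on the indented lines that follow.

# Constructed placeholder addresses for WAPs a, b and c.
DEFAULT LDAP-Group == "norm-students", NAS-IP-Address == 192.0.2.11, Auth-Type := Reject
DEFAULT LDAP-Group == "norm-students", NAS-IP-Address == 192.0.2.12, Auth-Type := Reject
DEFAULT LDAP-Group == "norm-students", NAS-IP-Address == 192.0.2.13, Auth-Type := Reject

# Privileged students: VLAN ID "20" is a placeholder.
DEFAULT LDAP-Group == "priv-students"
        Tunnel-Type = VLAN,
        Tunnel-Medium-Type = IEEE-802,
        Tunnel-Private-Group-Id = "20"

# Teachers: VLAN ID "10" is a placeholder.
DEFAULT LDAP-Group == "teacher"
        Tunnel-Type = VLAN,
        Tunnel-Medium-Type = IEEE-802,
        Tunnel-Private-Group-Id = "10"

# Optional catch-all, assuming only the groups above should get access.
# Without it, an account in none of these groups matches no entry here
# and, if it authenticates, is accepted with no VLAN attributes, so it
# lands on whatever default VLAN the access point uses.
DEFAULT Auth-Type := Reject
```

Because the first matching entry wins, an account that belongs to both "norm-students" and another group is rejected on the three listed access points.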
