Jacob Jarick wrote:
> * school with wireless access
> * allready uses radius (soon to be freeradius)
> * freeradius auth's via a win2k3 Active Directory Server
> * teachers need to be able to log into WAP's a,b,c etc and be
> automatically assigned to the teachers vlan
> * priv students need to be able to log into WAP's a,b,c and be
> assigned to the priv student vlan
> * norm students simply need to have network access denied from WAP's a,b,c
>
>
>>From what Ive learnt so far today, I need to configure the radius.conf
> to retrieve the users group from the ADS and then return auth and map
> group -> vlan / tunnel ID.
Yes. You should be able to do that via the LDAP-Group attribute. In
the "users" file, do:
DEFAULT LDAP-Group == "norm-students", NAS-IP-Address == a, Auth-Type :=
Reject
DEFAULT LDAP-Group == "norm-students", NAS-IP-Address == b, Auth-Type :=
Reject
DEFAULT LDAP-Group == "norm-students", NAS-IP-Address == c, Auth-Type :=
Reject
DEFAULT LDAP-Group == "priv-students"
... assign VLAN (see NAS documentation for what attributes)
DEFAULT LDAP-Group == "teacher"
... assign VLAN (see NAS documentation for what attributes)
Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
