Hi all!

I have 802.1X authentication, which works.
I want to use dynamic VLAN assignment:
The RADIUS server authenticates the user (using ntlm_auth),
and after this it uses LDAP to get the user information from the database (username = sAMAccountName).
ldap.attrmap changes the attributes and sends them to the switch; that is okay.

It is not so comfortable, so I want to try something else:

1. I create groups: vlan21, vlan333, and so on, and extend the VLAN schema with 3 attributes (you know: VLAN, IEEE-802, and VLANID). I put users and computers into the groups.
How can I get the user's VLAN info? I can't create an LDAP query, because:
- I have the sAMAccountName, which is not the cn, and the "member" and "memberOf" attributes contain the cn.
I don't know how to build a good query; the attribute I need is in the vlanXY group.
- Get the VLAN? OK, but I have just the sAMAccountName, no cn.
- Get the user? OK, but the attributes I need are in the VLAN group.

How?

2. I don't extend the vlanXY schema; I get the user info (by sAMAccountName), which contains the "memberOf" attribute, and in the FreeRADIUS users file I create a group. If the group in the users file equals the "memberOf" attribute, send the VLAN info back to the switch:
(I know it is not good yet)
DEFAULT Ldap-Group == "cn=vlan10,ou=vlans,dc=test,dc=hu"
               Tunnel-Type = VLAN,
               Tunnel-Medium-Type = IEEE-802,
               Tunnel-Private-Group-Id = 10,
               Reply-Message = "You are in vlan 10"

ldap module:
groupname_attribute = cn
groupmembership_filter = "(&(memberof=cn=vlan10,ou=vlans,dc=test,dc=hu)(samaccountname=%{mschap:user-name}))"
## I know it is bad, but what is the good one?

Do you understand what I want?

I am testing both approaches, please help.

Thanks, Gabor
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
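Added example (not code from Gabor's post and not part of FreeRADIUS): the logic that approach 2 above relies on, written out in Python so it can be checked offline. It looks the user up by sAMAccountName (the name the supplicant sends) with a filter that escapes the value per RFC 4515, then walks the entry's memberOf DNs and picks the VLAN group under the VLAN OU. The LDAP entry is a constructed sample instead of a live directory search, the VLAN OU "ou=vlans,dc=test,dc=hu" is taken from the post, and the DN normalisation assumes no RDN contains an escaped comma. Two edge cases a practitioner wants handled are included: a user in no VLAN group, or in more than one, gets no reply attributes (reject) rather than a guessed VLAN.

```python
"""Derive a dynamic-VLAN RADIUS reply from an AD user's memberOf attribute.

Constructed example: the LDAP entry below is hard-coded instead of being
fetched from a directory, so the module runs offline.
"""
import re
from typing import Dict, Iterable, Optional

# RFC 4515 escaping for values placed inside an LDAP search filter.
# Without this, a username like 'gabor)(objectClass=*' rewrites the filter.
_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def ldap_escape(value: str) -> str:
    """Escape a user-supplied value before interpolating it into a filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_user_filter(sam_account_name: str) -> str:
    """Find the user by sAMAccountName (what 802.1X sends), not by cn."""
    return f"(&(objectClass=user)(sAMAccountName={ldap_escape(sam_account_name)}))"


def normalize_dn(dn: str) -> str:
    # Assumption: no RDN contains an escaped comma. Good enough for group DNs
    # shaped like the ones in the post (cn=vlan10,ou=vlans,dc=test,dc=hu).
    return ",".join(part.strip().lower() for part in dn.split(","))


# Group naming convention from the post: vlan21, vlan333, ...
_VLAN_GROUP_RE = re.compile(r"^cn=vlan(\d{1,4})$")


def vlan_from_member_of(member_of: Iterable[str], vlan_base_dn: str) -> int:
    """Return the single VLAN id encoded in the user's group under vlan_base_dn.

    Raises ValueError when the user is in zero or several VLAN groups, so the
    caller can fail closed instead of guessing.
    """
    base = normalize_dn(vlan_base_dn)
    vlans = set()
    for dn in member_of:
        ndn = normalize_dn(dn)
        if not ndn.endswith("," + base):
            continue  # some other group (Domain Users, ...), ignore
        rdn = ndn[: -len(base) - 1]
        match = _VLAN_GROUP_RE.match(rdn)
        if match:
            vlan_id = int(match.group(1))
            if 1 <= vlan_id <= 4094:  # valid 802.1Q range only
                vlans.add(vlan_id)
    if len(vlans) != 1:
        raise ValueError(f"expected exactly one VLAN group, found {sorted(vlans)}")
    return vlans.pop()


def radius_reply(vlan_id: int) -> Dict[str, str]:
    """The attributes the users-file entry in the post sends to the switch."""
    return {
        "Tunnel-Type": "VLAN",
        "Tunnel-Medium-Type": "IEEE-802",
        "Tunnel-Private-Group-Id": str(vlan_id),
        "Reply-Message": f"You are in vlan {vlan_id}",
    }


# Constructed sample entry, as a search for sAMAccountName=gabor would return it.
SAMPLE_ENTRY = {
    "sAMAccountName": "gabor",
    "cn": "Kovacs Gabor",  # cn differs from sAMAccountName, as in the post
    "memberOf": [
        "CN=Domain Users,CN=Users,DC=test,DC=hu",
        "CN=vlan10,OU=vlans,DC=test,DC=hu",
        "CN=printer-admins,OU=groups,DC=test,DC=hu",
    ],
}


def authorize(entry: Dict, vlan_base_dn: str = "ou=vlans,dc=test,dc=hu") -> Optional[Dict[str, str]]:
    """Return the reply attributes, or None to reject (fail closed)."""
    try:
        return radius_reply(vlan_from_member_of(entry.get("memberOf", []), vlan_base_dn))
    except ValueError:
        return None


if __name__ == "__main__":
    print(build_user_filter("gabor"))
    print(build_user_filter("gabor)(objectClass=*"))  # injection attempt is neutralised
    print(authorize(SAMPLE_ENTRY))
```

The point of doing it this way round is that the directory is searched once, by the attribute you actually have (sAMAccountName), and the group membership comes back on the user object as memberOf DNs, so no second query by cn is needed. Whatever drives the real lookup, keep the "exactly one VLAN group, else reject" rule: a user accidentally placed in two vlanXY groups should not silently land in whichever the server saw first.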