On Friday, 13 February 2009 12:36:09, Paul Dealy wrote:
> On Fri, Feb 13, 2009 at 10:16 PM, Michael Schwartzkopff
> <mi...@multinet.de> wrote:
> > On Friday, 13 February 2009 11:54:29, Paul Dealy wrote:
> >> On Fri, Feb 13, 2009 at 9:12 PM, Michael Schwartzkopff
> >> <mi...@multinet.de> wrote:
> >> > On Friday, 13 February 2009 11:00:10, Paul Dealy wrote:
> >> >> On Fri, Feb 13, 2009 at 6:37 PM, Michael Schwartzkopff
> >> >> <mi...@multinet.de> wrote:
> >> >> > On Friday, 13 February 2009 07:17:17, Paul Dealy wrote:
> >> >> >> I have a working RADIUS server (ver 1.1.3), which I am using for
> >> >> >> 802.1x authentication of wired switch ports. I would like to
> >> >> >> dynamically assign users VLANs. I have Cisco gear and have
> >> >> >> achieved basic VLAN allocation by configuring a DEFAULT entry in
> >> >> >> the users file. So the VLAN allocation part works OK.
> >> >> >>
> >> >> >> What I want to be able to do is allocate the VLAN by matching the
> >> >> >> value of an LDAP attribute. Not by group membership, but the
> >> >> >> actual value of a user's attribute. Is this possible?
> >> >> >>
> >> >> >> Cheers,
> >> >> >> Dealy
> >> >> >
> >> >> > Yes. Just assign these attributes to the user object in LDAP.
> >> >>
> >> >> I have a value set for an attribute in LDAP. How do I "extract" the
> >> >> value from the attribute and do a comparison on it in the users file
> >> >> so I can set the VLAN?
> >> >
> >> > Hi,
> >> >
> >> > I don't remember exactly what I did on version 1. Please see:
> >> > http://vuksan.com/linux/dot1x/802-1x-LDAP.html
> >> > for some hints.
> >> >
> >> > I had something like
> >> >
> >> >     DEFAULT Auth-Type := LDAP
> >> >             Reply-Message = "Auth by LDAP"
> >> >
> >> > in my users file. Other attributes stored in an object of objectClass
> >> > radiusprofile should be added automatically to the reply attributes.
> >>
> >> I don't actually want to add radiusprofile attributes to my LDAP. The
> >> users already have an attribute which identifies their department. I
> >> want to be able to say "if department attribute = X then allocate VLAN
> >> Y". Can this be done without specifically setting the VLAN etc. as
> >> radiusprofile attributes? Also, I am not using LDAP for the
> >> authentication, just authorization. The authentication is done using
> >> ntlm_auth.
> >
> > Then you would have to re-map some LDAP attribute of your objectClass to
> > Tunnel-Private-Group-ID. The Tunnel-Type=VLAN and
> > Tunnel-Medium-Type=IEEE-802 could be set in the DEFAULT section of the
> > users file.
> >
> > Please see the ldap.attrmap in your raddb dir for the mapping of
> > attributes.
>
> Am I correct in saying that the LDAP attribute that is mapped to
> Tunnel-Private-Group-ID would need to be set to the value of the
> VLAN I require? The LDAP attribute that I wish to use currently
> contains values like "ITISCP" and "ENISCP". I want to say if
> attribute value == ITISCP set VLAN to 226 (i.e. Tunnel-Private-Group-ID
> = 226). Using ldap.attrmap mappings I would need to store the
> required VLAN in an LDAP attribute. (I can't change the LDAP, only read
> it.)
>
> Cheers
See also: http://www.linux-magazine.com/issue/52/Freeradius_802.1X.pdf

--
Dr. Michael Schwartzkopff
MultiNET Services GmbH
Address: Bretonischer Ring 7; 85630 Grasbrunn; Germany
Tel: +49 - 89 - 45 69 11 0
Fax: +49 - 89 - 45 69 11 21
mob: +49 - 174 - 343 28 75

mail: mi...@multinet.de
web: www.multinet.de

Registered office: 85630 Grasbrunn
Court of registration: Amtsgericht München HRB 114375
Managing directors: Günter Jurgeneit, Hubert Martens

---

PGP Fingerprint: F919 3919 FF12 ED5A 2801 DEA6 AA77 57A4 EDD8 979B
Skype: misch42

-
List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html
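The thread turns on two points: the department-to-VLAN policy has to live on the RADIUS side because the directory is read-only, and the VLAN reaches the switch as the three RFC 2868 tunnel attributes (Tunnel-Type=VLAN, Tunnel-Medium-Type=IEEE-802, Tunnel-Private-Group-ID). The following is an added example written for this page; it is not FreeRADIUS code, nothing the posters wrote, and it talks neither to LDAP nor to a switch. It applies a policy table to a constructed LDAP entry and emits the reply attributes in RADIUS wire format so the bytes can be compared against a packet capture. Assumed for the example and not taken from the thread: the attribute is named `department`, entries are dicts of attribute to list of values (the shape python-ldap returns), and ENISCP maps to VLAN 227; ITISCP to 226 is the poster's own case.

```python
"""Dynamic-VLAN reply attributes derived from an LDAP department value.

Added example for the mailing-list thread above; not FreeRADIUS code.
Assumptions not in the thread: attribute name "department", entries as
attribute -> list of values, and ENISCP -> VLAN 227 (ITISCP -> 226 is the
poster's example).
"""
import struct

# Attribute types from RFC 2868; 13 and 6 are the values the FreeRADIUS
# dictionary names VLAN and IEEE-802.
TUNNEL_TYPE = 64
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81
TUNNEL_TYPE_VLAN = 13
TUNNEL_MEDIUM_IEEE_802 = 6

# Department -> VLAN policy.  Deliberately no default entry: a user whose
# department is missing or unknown must not land on someone else's VLAN.
DEPARTMENT_VLANS = {
    "ITISCP": 226,  # from the thread
    "ENISCP": 227,  # assumed value for this example
}


class VlanPolicyError(Exception):
    """Raised when no VLAN can be derived from the entry."""


def department_vlan(entry, attribute="department"):
    """Map the single value of `attribute` to a VLAN ID, or raise."""
    values = entry.get(attribute, [])
    if len(values) != 1:  # multi-valued or absent: ambiguous, so refuse
        raise VlanPolicyError(f"expected one {attribute} value, got {len(values)}")
    dept = values[0].decode("utf-8") if isinstance(values[0], bytes) else values[0]
    if dept not in DEPARTMENT_VLANS:
        raise VlanPolicyError(f"no VLAN policy for department {dept!r}")
    return DEPARTMENT_VLANS[dept]


def tagged_integer(attr_type, tag, value):
    """RFC 2868 tagged integer: type, length 6, tag byte, 3-byte big-endian value."""
    if not 0 <= tag <= 0x1F or not 0 <= value < 1 << 24:
        raise ValueError("tag must be 0..31 and value must fit in 24 bits")
    return struct.pack("!BBB", attr_type, 6, tag) + value.to_bytes(3, "big")


def tagged_string(attr_type, tag, value):
    """RFC 2868 tagged string: type, length, tag byte, then the string bytes."""
    if not 0 <= tag <= 0x1F:
        raise ValueError("tag must be 0..31")
    body = bytes([tag]) + value
    if len(body) > 253:
        raise ValueError("value too long for one RADIUS AVP")
    return struct.pack("!BB", attr_type, 2 + len(body)) + body


def vlan_reply_avps(vlan, tag=1):
    """The three AVPs that carry a VLAN; the VLAN ID travels as a string."""
    return (tagged_integer(TUNNEL_TYPE, tag, TUNNEL_TYPE_VLAN)
            + tagged_integer(TUNNEL_MEDIUM_TYPE, tag, TUNNEL_MEDIUM_IEEE_802)
            + tagged_string(TUNNEL_PRIVATE_GROUP_ID, tag, str(vlan).encode("ascii")))


def access_decision(entry, tag=1):
    """Return ("accept", avps) or ("reject", reason) for one LDAP entry."""
    try:
        vlan = department_vlan(entry)
    except VlanPolicyError as err:
        return ("reject", str(err))
    return ("accept", vlan_reply_avps(vlan, tag))


def decode_tunnel_avps(data):
    """Parse the tunnel AVPs back into (type, tag, value) triples for inspection."""
    out, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated AVP header")
        attr_type, length = data[i], data[i + 1]
        if length < 3 or i + length > len(data):
            raise ValueError("malformed AVP length")
        body = data[i + 2:i + length]
        tag, payload = body[0], body[1:]
        if attr_type in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            if length != 6:
                raise ValueError("tagged integer must be 6 bytes")
            out.append((attr_type, tag, int.from_bytes(payload, "big")))
        elif attr_type == TUNNEL_PRIVATE_GROUP_ID:
            if tag > 0x1F:  # RFC 2868: a first byte above 0x1F is data, not a tag
                tag, payload = 0, body
            out.append((attr_type, tag, payload))
        else:
            raise ValueError(f"unexpected attribute type {attr_type}")
        i += length
    return out


if __name__ == "__main__":
    # Constructed entries, not real directory data.
    for entry in ({"department": [b"ITISCP"]}, {"department": [b"ENISCP"]},
                  {"department": [b"HRSCP"]}, {}):
        verdict, detail = access_decision(entry)
        shown = decode_tunnel_avps(detail) if verdict == "accept" else detail
        print(entry, "->", verdict, shown)
```

Two design points worth carrying over to any real deployment: the decision function rejects an unknown, missing or multi-valued department instead of falling through to a default VLAN, which is the behaviour a users-file DEFAULT entry on its own does not give you; and Tunnel-Private-Group-ID is encoded as the string "226", not an integer, which is what the switch parses. The example uses tag 1 on all three attributes; RFC 2868 also permits tag 0, and the decoder handles both.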