t...@kalik.net wrote:
>> I try to ask my questions more precisely:
>> * what are the radius ldap attributes meant for? Is it only for accounting
>> or can we use them for something else?
>
> They can be used for authorization as well. You put them in your
> Access-Accept packet (reply) and if your switch supports those attributes
> it does certain things (assigns VLANs, sets various timeouts, restricts
> bandwidth etc.).
>
>> * I have understood that it is better to put the user directly in the
>> correct VLAN rather than checking his request and denying him: do I have to
>> do something special in Radius to forward LDAP attributes info to the
>> switch?
>> ( I am reading again the switch's documentation to figure out how to parse
>> the attributes instead of using static vlans)
>
> Ah, you should have done that first. Many vendors advertise "dynamic VLAN
> assignment" but when you read through the documentation it turns out that
> the assignment is static and the only thing "dynamic" about them is that
> you can change them via a console. Make sure first that your switch
> supports dynamic VLAN assignment via radius.
>
> Ivan Kalik
> Kalik Informatika ISP

Thanks for your help.
I have checked the switch manual and it says it's possible to assign VLANs using the RADIUS Access-Accept message. Apparently, it's the first thing it should do, then it checks its own auth policy (if present) or it puts the user in the default untagged VLAN set up on that port. I can quote parts of the manual if you need.

I have configured the ldap VLANiD attribute as a replyItem and I see it in the ldap section in debug mode. However, it is not present in the Access-Accept message at the end of the debug, so the switch stays in the "default" VLAN. I am now trying to figure out how to get the replyItem into my Access-Accept message.

Best Regards,
Matt

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
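For readers following this thread, here is an added configuration example (not Matt's or Ivan's, and not FreeRADIUS' shipped defaults) of the usual way to turn an LDAP attribute into a dynamic VLAN assignment. It assumes a FreeRADIUS 1.x-style `ldap.attrmap`, the custom LDAP attribute `VLANiD` from the thread holding a plain VLAN number, and that both the `ldap` and `files` modules are listed in the `authorize` section. The point it illustrates: a switch that does dynamic VLAN assignment via RADIUS parses the three RFC 3580 tunnel attributes, so the LDAP value has to be mapped onto `Tunnel-Private-Group-Id` (a string) and accompanied by `Tunnel-Type = VLAN` and `Tunnel-Medium-Type = IEEE-802`; a bare custom attribute that is not a RADIUS dictionary attribute is never placed in the Access-Accept, which matches the symptom of seeing the value in the ldap debug but not in the final reply.

```text
# /etc/raddb/ldap.attrmap  (added example; a "replyItem" line copies the
# named LDAP attribute into the RADIUS reply as the named RADIUS attribute)
#
#   item type   RADIUS attribute          LDAP attribute (assumed custom schema)
replyItem       Tunnel-Private-Group-Id   VLANiD

# /etc/raddb/users  (added example; adds the two constant attributes that
# RFC 3580 requires next to the VLAN id, for every user the ldap module has
# already authorized -- the last reply item carries no trailing comma)
DEFAULT
	Tunnel-Type = VLAN,
	Tunnel-Medium-Type = IEEE-802
```

When checking this with `radiusd -X`, the thing to look for is whether all three `Tunnel-*` attributes appear in the final Access-Accept; if only the constants from `users` show up, the mapping in `ldap.attrmap` (or the LDAP attribute's presence on the user entry) is what to inspect. Keeping the constants in `users` rather than in LDAP also means a user with no `VLANiD` still gets no usable VLAN assignment, so the switch falls back to its own policy instead of landing the user in an unintended VLAN.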