On 14/09/10 16:30, mat...@crs4.it wrote:
Hello,
I'm using FreeRADIUS 2.1.8 on Fedora 13 with EAP-TTLS and PAP as the
inner authentication, with OpenLDAP as the backend. Everything is working
fine, but the problem is that I don't have a "RADIUS oriented" OpenLDAP,
that is, there is no VLAN info in my LDIFs. So, is there a way,
external to the authentication process, to pass the VLAN tag to the
clients so that the ports they're attached to might join the correct VLAN?

You can run SQL queries or scripts in your radius config after the LDAP module has run, or use any FreeRADIUS module, e.g. rlm_passwd, which implements a simple key/value lookup.

For example you could have in sites-enabled/inner-tunnel:

post-auth {
  # Ask an external lookup script for the VLAN of this client's MAC; the
  # script prints the VLAN id, or nothing if the MAC is unknown.
  update control {
    Tmp-String-0 = "%{exec:/path/to/script %{Calling-Station-Id}}"
  }
  # Only touch the reply when the lookup produced a value.
  if (control:Tmp-String-0) {
    update reply {
      # Switches following RFC 3580 expect all three tunnel attributes,
      # not just the group id.
      Tunnel-Type := VLAN
      Tunnel-Medium-Type := IEEE-802
      Tunnel-Private-Group-Id := "%{control:Tmp-String-0}"
    }
  }
}
# Reply attributes set in inner-tunnel only reach the NAS if the ttls
# section of eap.conf has use_tunneled_reply = yes.

...obviously it's up to you to write the correct policy, depending on where you've got the data stored. We use a relatively complex SQL stored procedure, for example, to give location-specific VLAN numbers based on the machines' known groups and registered IP addresses.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
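As an added example (not part of the original mail and not FreeRADIUS's own code), here is the kind of lookup script the %{exec:/path/to/script %{Calling-Station-Id}} call in the policy above could run; the map file path and its "<mac> <vlan-id>" line format are assumptions. It treats Calling-Station-Id as untrusted input, accepts only a well-formed MAC, and prints nothing for unknown clients so the policy sends no VLAN rather than a guessed one.

```shell
#!/bin/sh
# Added example, not from the original mail: the lookup script that the
# %{exec:/path/to/script %{Calling-Station-Id}} call could run. The map file
# path and its "<mac> <vlan-id>" line format are assumptions.
MAP_FILE="${MAP_FILE:-/etc/raddb/mac-vlan.map}"

# Reduce the Calling-Station-Id formats NAS vendors send (00-11-22-33-44-55,
# 00:11:22:33:44:55, 0011.2233.4455, any case) to 12 lowercase hex digits.
# Prints nothing and fails for anything else, so a malformed or hostile
# value is never used as a lookup key.
normalize_mac() {
    printf '%s' "$1" | tr 'A-F' 'a-f' | tr -d ':.-' | grep -E '^[0-9a-f]{12}$'
}

# Print the VLAN id for a MAC, or nothing (status 1) when it is unknown.
# An empty result leaves control:Tmp-String-0 unset, so the policy above
# sends no VLAN rather than a guessed one.
lookup_vlan() {
    mac=$(normalize_mac "$1") || return 1
    [ -r "$MAP_FILE" ] || return 1
    vlan=$(awk -v m="$mac" \
        '$1 !~ /^#/ && $1 == m && $2 ~ /^[0-9]+$/ { print $2; exit }' "$MAP_FILE")
    [ -n "$vlan" ] || return 1
    printf '%s\n' "$vlan"
}

# Constructed sample map for trying the functions out; a real deployment
# would point MAP_FILE at a file maintained from the asset inventory.
write_sample_map() {
    MAP_FILE=$(mktemp) || return 1
    cat > "$MAP_FILE" <<'EOF'
# mac           vlan
001122334455    120
aabbccddeeff    200
EOF
}

# When run by FreeRADIUS the MAC is argv[1]; exit 0 either way so that only
# the printed text (possibly empty) is what the policy sees.
if [ $# -gt 0 ]; then
    lookup_vlan "$1" || :
fi
```

Because the MAC is what the client claims it is, this only makes sense for assigning low-privilege VLANs; anything sensitive should still depend on the authenticated identity.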
