On 01/19/2012 11:25 AM, James wrote:
Hi,
I've successfully set up a radius server to support 802.1x
authentication using peap mschapv2 and samba to authenticate users
against AD.
To do this I followed configuration on the freeradius.org website and
the AD integration howto on deployingradius.com, thank you very much
for writing these!
I now need to assign the vlan due to membership of some group in AD
and I understand that an ldap lookup is needed.
Where in the configuration do I check this group and map it to a vlan?
Can I do it as a default entry in the users file or is it needed
somewhere else?
Thank you very much,
James
Hi James,
I don't know anything about AD and I presume you are using the latest FR.
I'm currently testing an ldap-group check in authorize using unlang:
This is part of a switch statement:
    case 'NAS-Prompt-User' {
        my-ldap
        # Check if user is member of a certain group
        if (Ldap-Group == "cn=mygroup,ou=groups,o=radius") {
            update reply {
                Service-Type := "Administrative-User"
            }
        }
        # else DENY
        else {
            update control {
                Auth-Type := reject
            }
        }
    }
But I reckon you could also do something like that in the post-auth section:
    if (Ldap-Group == "cn=mygroup,ou=groups,o=radius") {
        update reply {
            Tunnel-Type = VLAN
            Tunnel-Medium-Type = IEEE-802
            Tunnel-Private-Group-Id = 1
        }
    }
This works for me :) it might work for AD as well.
Rg,
Arnaud
--
Stichting z25.org
Concordiastraat 67A
3551 EM Utrecht
The Netherlands
+31-(0)6-41861063
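A fuller post-auth block along the lines Arnaud describes, mapping several AD groups to VLANs and sending unmatched users to a restricted VLAN instead of leaving the port's VLAN to the switch. This is an added example, not configuration from the thread or from the FreeRADIUS project. It assumes a FreeRADIUS 2.x ldap module instance that is configured to resolve the user's AD group membership so that the Ldap-Group comparison works (the comparison itself triggers the lookup, so the module is not called explicitly here); the group DNs, VLAN IDs and the module's group-membership settings are placeholders and assumptions.

```unlang
# Added example: VLAN assignment from AD group membership (FreeRADIUS 2.x unlang).
# Assumes the ldap module instance is configured with the user's group
# membership attribute (for AD this is typically memberOf; an assumption).
# Group DNs and VLAN IDs below are constructed placeholders.
post-auth {
    # Staff go to VLAN 10
    if (Ldap-Group == "cn=staff,ou=groups,dc=example,dc=com") {
        update reply {
            Tunnel-Type := VLAN
            Tunnel-Medium-Type := IEEE-802
            Tunnel-Private-Group-Id := "10"
        }
    }
    # Students go to VLAN 20
    elsif (Ldap-Group == "cn=students,ou=groups,dc=example,dc=com") {
        update reply {
            Tunnel-Type := VLAN
            Tunnel-Medium-Type := IEEE-802
            Tunnel-Private-Group-Id := "20"
        }
    }
    # Authenticated but in no known group: restricted VLAN 99
    else {
        update reply {
            Tunnel-Type := VLAN
            Tunnel-Medium-Type := IEEE-802
            Tunnel-Private-Group-Id := "99"
        }
    }
}
```

Two points to watch when applying this to a PEAP/MSCHAPv2 setup like James's. The user name the LDAP lookup needs is only visible inside the inner tunnel, so the block belongs in the post-auth section of the inner-tunnel virtual server, and the reply attributes it sets only reach the switch if the peap section of eap.conf has use_tunneled_reply = yes. The `:=` operator replaces any Tunnel-* attributes already present in the reply (for example from a default users entry), whereas `=` only adds them when absent, which matters if a previous module has already populated them.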
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html