Hi, I have implemented the idea given by Phil for authorizing Active Directory users to use VPN or Wifi (or whatever they are meant for), depending upon the value of Active Directory's "extensionAttribute10" attribute, as follows:
## /usr/local/etc/raddb/modules/ldap:

    filter = "(&(extensionAttribute10=%{control:Tmp-String-0})(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}}))"

I have used extensionAttribute10 for storing the values VPN or Wifi, depending upon the user.

## /usr/local/etc/raddb/sites-enabled/default
## I tried using Called-Station-Id to check the condition, which is OK for now for testing, but which I guess is not feasible if there are thousands of NAS devices. I don't know what would be the best test condition for this.

    authorize {
        ...
        if (Called-Station-Id == .......) {
            update control {
                Tmp-String-0 := VPN
            }
        }
        else {
            update control {
                Tmp-String-0 := Wifi
            }
        }
        ldap
        if (notfound) {
            reject
        }
        ...
    }

And also, I have implemented the idea of returning a Filter-Id for Active Directory users by looking at the "OU" of the domain, as:

    ldap
    if (control:Ldap-UserDN =~ /^[^,]+,OU=([^,]+),/) {
        update control {
            Tmp-String-1 := "%{1}"
        }
    }

and returning the value of Filter-Id through the users file as:

    DEFAULT
        Filter-Id := "Enterasys:version=1:policy=%{control:Tmp-String-1}"

But now I am facing the problem that I can't use more than one if condition inside unlang to test the conditions inside the ldap module (if I am correct in my understanding). And also, using the filter defined above inside the ldap module, some Active Directory users which don't have extensionAttribute10 might get rejected. These users should get default acceptance, but should be granted access to VPN or Wifi if a value is assigned to them in extensionAttribute10. If they don't have the attribute defined, they should still get accepted as default users. If I just use:

    filter = "(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})"

this allows all the users in Active Directory to get accepted (it doesn't reject if there is no extensionAttribute10 either); but how do I achieve the goal of granting the authorization for VPN or Wifi users accordingly if I use this? Is there any easy way to check a condition on a particular attribute of Active Directory?
And I don't know where to check this, if I am already using an if conditional statement for returning the Filter-Id with the ldap module. In my understanding, people check this type of condition for users that are defined in the "users" file as:

    bob    User-Password == "testing", Connection-Type := "VPN"

But I am not sure how to check like this even if I define in ldap.attrmap:

    checkItem    Connection-Type    extensionAttribute10

I don't know whether I am confused or I am just not getting how to achieve this. Your valuable ideas would be really appreciated.

Thanks,

--
View this message in context: http://freeradius.1045715.n5.nabble.com/Authorization-with-Active-Directory-tp5117364p5433010.html
Sent from the FreeRadius - User mailing list archive at Nabble.com.
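Added example (editor's note, not part of the original post and not FreeRADIUS code): a Python model of the policy the post is trying to express, so the decision logic can be checked on its own before it is translated back into the ldap filter and unlang. It makes the following assumptions, none of which come from the post: the requested service is taken from the RFC 2865 NAS-Port-Type value (Virtual for VPN concentrators, Wireless-802.11 for access points) instead of from Called-Station-Id, so the rule does not grow with the number of NAS devices; the directory entries, DNs and attribute values are constructed sample data; `ldap_filter()`, `authorize()` and the other helper names are hypothetical. The filter it builds uses the RFC 4515 form `(|(!(attr=*))(attr=value))`, which matches an account when extensionAttribute10 is absent or contains the requested value, so users without the attribute are no longer turned into "notfound" by the search itself. Values interpolated into the filter are escaped, because a hand-built filter that splices in User-Name unescaped is an LDAP filter injection point (rlm_ldap escapes xlat'd values for you; a script that bypasses it must do the same).

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample of what the AD search would return: sAMAccountName -> (DN, attributes).
# These entries are made up for this example; nothing here comes from a real directory.
DIRECTORY: Dict[str, Tuple[str, Dict[str, List[str]]]] = {
    "alice": ("CN=Alice,OU=Sales,DC=example,DC=com", {"extensionAttribute10": ["VPN"]}),
    "bob":   ("CN=Bob,OU=Engineering,DC=example,DC=com", {"extensionAttribute10": ["VPN", "Wifi"]}),
    "carol": ("CN=Carol,OU=Finance,DC=example,DC=com", {}),  # attribute not set: default user
    "dave":  ("CN=Dave,CN=Users,DC=example,DC=com", {}),     # no OU in the DN at all
}

# Assumption: the requested service comes from the RFC 2865 NAS-Port-Type value, not from
# Called-Station-Id. Virtual (5) is what VPN concentrators usually send, Wireless-802.11 (19)
# what wireless access points send. Adding a NAS does not change this table.
SERVICE_BY_NAS_PORT_TYPE = {5: "VPN", 19: "Wifi"}

ATTR = "extensionAttribute10"
OU_RE = re.compile(r"^[^,]+,OU=([^,]+),")   # same regex as the unlang in the post


def ldap_escape(value: str) -> str:
    """RFC 4515 escaping for a value spliced into a search filter.
    Without this, a User-Name such as 'x)(objectClass=*' rewrites the filter."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)


def ldap_filter(user: str, service: str) -> str:
    """Match the account when extensionAttribute10 is absent OR contains the service,
    so users without the attribute are accepted as default users by the search itself."""
    return (
        f"(&(sAMAccountName={ldap_escape(user)})"
        f"(|(!({ATTR}=*))({ATTR}={ldap_escape(service)})))"
    )


def strip_realm(name: str) -> str:
    """Stand-in for %{%{Stripped-User-Name}:-%{User-Name}}: drop a trailing @realm."""
    return name.rsplit("@", 1)[0] if "@" in name else name


def matches_filter(entry: Tuple[str, Dict[str, List[str]]], service: str) -> bool:
    """Evaluate the attribute part of ldap_filter() against an in-memory entry, the way the
    directory would. AD's string attributes compare case-insensitively, modelled with casefold."""
    _dn, attrs = entry
    values = attrs.get(ATTR)
    return values is None or any(v.casefold() == service.casefold() for v in values)


def policy_from_dn(dn: str) -> Optional[str]:
    """First OU component of the DN (Tmp-String-1 in the post), or None if the DN has no OU."""
    m = OU_RE.match(dn)
    return m.group(1) if m else None


@dataclass
class Decision:
    accept: bool
    reason: str
    filter_id: Optional[str] = None


def authorize(user_name: str, nas_port_type: int) -> Decision:
    """The whole authorize section as a function: lookup, attribute check, Filter-Id."""
    service = SERVICE_BY_NAS_PORT_TYPE.get(nas_port_type)
    if service is None:
        return Decision(False, f"unknown NAS-Port-Type {nas_port_type}")
    user = strip_realm(user_name)
    entry = DIRECTORY.get(user)
    if entry is None:
        return Decision(False, "notfound")          # ldap -> notfound -> reject
    if not matches_filter(entry, service):
        # With the combined filter the real server also reports this as "notfound";
        # it is separated here so the log line says why the user was refused.
        return Decision(False, f"{ATTR} does not permit {service}")
    policy = policy_from_dn(entry[0])
    filter_id = f"Enterasys:version=1:policy={policy}" if policy else None
    return Decision(True, "ok", filter_id)


if __name__ == "__main__":
    print(ldap_filter("alice", "VPN"))
    for name, port_type in [("alice", 5), ("alice", 19), ("carol", 19), ("dave", 5), ("erin", 5)]:
        print(name, port_type, authorize(name, port_type))
```

The same filter, written for the modules/ldap file, would be `filter = "(&(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})(|(!(extensionAttribute10=*))(extensionAttribute10=%{control:Tmp-String-0})))"`; the `!`/`*` presence test is standard LDAP and is honoured by Active Directory. Note that `dave` is accepted but gets no Filter-Id, because the OU regex only matches when the second RDN is an OU; a user whose first RDN is not followed by an OU silently falls through to the NAS default policy, which is worth a log line in the real configuration.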