> 1. Can we somehow limit a host to connect to only a particular port/NAS
> device based on data stored in LDAP attributes (or, respectively, in
> flat files) and reject it otherwise?

Yes. See ldap_xlat

http://wiki.freeradius.org/modules/Rlm_ldap

Use a query that searches for the value of NAS-IP-Address in the user object in a custom attribute. If the query expands to something other than a zero length string, the attribute exists.

    authorize {
        # an empty expansion means no matching attribute was found
        if ("%{ldap:<query>}" == '') {
            reject
        }
    }

> 2. Can we assign the client to a particular VLAN based on data stored
> in LDAP attributes (or, respectively, in flat files)?

Yes, using ldap.attrmap, map an LDAP attribute to Tunnel-Private-Group-ID. You also need to return Tunnel-Type and Tunnel-Medium-Type but they can be static once you know you're assigning a VLAN.

http://wiki.freeradius.org/vendor/HP#RFC-3580-(single-untagged-VLAN)-Assignment

> 3. Can we configure in FreeRadius an auto email to an administrator
> when there is a MAC-auth failure with the associated info (time, MAC
> Address, NAS device, port)?

Yes, use rlm_exec in async mode and call sendmail or something similar.

Arran Cudbard-Bell <a.cudba...@freeradius.org>
FreeRADIUS Development Team

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
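
A notifier script of the kind the answer to question 3 describes, as an added example that is not part of the original message or of FreeRADIUS itself. It assumes rlm_exec exports request attributes as environment variables (Calling-Station-Id as CALLING_STATION_ID, and so on); the recipient address, the `send` argument and the REPORT_TIME override are hypothetical names chosen for the example.

```shell
#!/bin/sh
# Added example: notifier meant to be run by rlm_exec without waiting
# (async) after a MAC-auth reject.
# Assumption: rlm_exec exports request attributes as environment variables,
# upper-cased with dashes turned into underscores.
# ADMIN is a hypothetical recipient address.
ADMIN="radius-admin@example.org"

# Request attributes arrive from the network, so treat them as untrusted:
# drop everything except a small safe character set (this removes CR/LF,
# which would otherwise allow extra mail headers) and cap the length.
clean() {
    printf '%s' "$1" | tr -cd 'A-Za-z0-9.:_@ -' | cut -c1-64
}

# Print a complete message (headers, blank line, body) on stdout.
build_report() {
    mac=$(clean "${CALLING_STATION_ID:-unknown}")
    nas=$(clean "${NAS_IP_ADDRESS:-unknown}")
    port=$(clean "${NAS_PORT:-unknown}")
    # REPORT_TIME is a hypothetical override so the output is reproducible.
    now=${REPORT_TIME:-$(date -u '+%Y-%m-%d %H:%M:%S UTC')}
    printf 'To: %s\n' "$ADMIN"
    printf 'Subject: MAC-auth failure on NAS %s\n\n' "$nas"
    printf 'Time: %s\nMAC address: %s\nNAS device: %s\nPort: %s\n' \
        "$now" "$mac" "$nas" "$port"
}

# Only send when called as "<script> send", so the functions can be
# sourced and checked without a mail transfer agent installed.
if [ "${1:-}" = "send" ]; then
    build_report | /usr/sbin/sendmail -t
fi
```
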