Re: Question about sending VLAN attributes to Access Points

2010-09-23 Thread Aiko Barz
On Tue, Sep 21, 2010 at 12:41:08PM +0100, Alan Buxey wrote:
> Hi,
>
> > is it possible to send attributes based on the used SSID?
>
> yes. as that can be gained from RADIUS attributes sent to the
> RADIUS server. where you do them, and how you do them - ie unlang,
> users, SQL huntgroups etc etc is down to you

What I needed:

DEFAULT Auth-Type = ntlm_auth
  Exec-Program-Wait = "/usr/local/sbin/radius-vlan-attribute.pl %{User-Name} %{Called-Station-Id}"

Now I am able to ask various Active Directory servers by using
Net::LDAPS. This enables me to put the following parameters into
relation:
- DOMAIN
- username
- SSID

And it makes me more flexible when I have to deal with complex Active
Directory forest structures. The script returns something like
 Tunnel-Type = 13,
 Tunnel-Medium-Type = 6,
 Tunnel-Private-Group-ID = 1234
or nothing at all.

So long,
Aiko

-- 
:wq ✉
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
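
A sketch of the kind of helper the message above describes, added here as an example: it is not Aiko's Perl script, and it is written in Python with a constructed in-memory policy table standing in for the Net::LDAPS lookups. It assumes the access point sends Called-Station-Id as "AP-MAC:SSID" (the RFC 3580 convention) and folds the case of DOMAIN\user so that the returned VLAN does not depend on how the name was typed.

```python
import re
import sys

# Constructed policy table (assumption): (domain, user, SSID) -> VLAN ID.
# The script in the thread derives this from Active Directory instead.
VLAN_POLICY = {("DOMAIN", "user", "SSID_X"): 1234}

# Called-Station-Id in the RFC 3580 form "<AP MAC>:<SSID>"; SSIDs are 1-32 chars.
CALLED_RE = re.compile(r"(?:[0-9A-Fa-f]{2}[-:.]?){5}[0-9A-Fa-f]{2}:(.{1,32})")
# DOMAIN\user: NetBIOS-style domain, then a name without slashes or whitespace.
USER_RE = re.compile(r"([A-Za-z0-9.-]{1,15})\\([^\\/\s]{1,64})")


def parse_ssid(called_station_id):
    """Return the SSID part of Called-Station-Id, or None if malformed."""
    m = CALLED_RE.fullmatch(called_station_id)
    return m.group(1) if m else None


def split_user(user_name):
    """Split DOMAIN\\user and fold case, since Active Directory ignores it."""
    m = USER_RE.fullmatch(user_name)
    return (m.group(1).upper(), m.group(2).lower()) if m else None


def vlan_reply(user_name, called_station_id):
    """Return reply attribute lines, or [] to leave the client in the default VLAN."""
    user = split_user(user_name)
    ssid = parse_ssid(called_station_id)
    if user is None or ssid is None:
        return []  # unexpected input: add nothing to the reply
    vlan = VLAN_POLICY.get((user[0], user[1], ssid))
    if vlan is None:
        return []
    return ["Tunnel-Type = 13,",
            "Tunnel-Medium-Type = 6,",
            f"Tunnel-Private-Group-ID = {vlan}"]


if __name__ == "__main__":
    # Called as: script %{User-Name} %{Called-Station-Id}
    if len(sys.argv) == 3:
        print("\n".join(vlan_reply(sys.argv[1], sys.argv[2])))
```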

Re: Question about sending VLAN attributes to Access Points

2010-09-23 Thread Alexander Clouter
Aiko Barz a...@chroot.de wrote:
 
> Now I am able to ask various Active Directory servers by using
> Net::LDAPS. This enables me to put the following parameters into
> relation:
> - DOMAIN
> - username
> - SSID
>
> And it makes me more flexible when I have to deal with complex Active
> Directory forest structures. The script returns something like
>  Tunnel-Type = 13,
>  Tunnel-Medium-Type = 6,
>  Tunnel-Private-Group-ID = 1234
> or nothing at all.
 
You could do that, or do like the rest of us do and use rlm_ldap with 
some unlang...

Cheers

-- 
Alexander Clouter
.sigmonster says: You will probably marry after a very brief courtship.



Question about sending VLAN attributes to Access Points

2010-09-21 Thread Aiko Barz
Hello,

is it possible to send attributes based on the used SSID?

Setup:
SSID_X - Access Point - Freeradius - ntlm_auth - Active Directory

So, if a user enters SSID_X, Freeradius puts him into VLAN1234. If the
same person enters SSID_Y, he shall stay in the default VLAN1000. (Both
SSIDs use 802.1X against the same Freeradius Server. There has to be
only one radius server.)

I also discovered a hack to get a similar behavior. For example:
 DOMAIN\user Auth-Type = ntlm_auth
   Tunnel-Type = 13,
   Tunnel-Medium-Type = 6,
   Tunnel-Private-Group-ID = 1234
If the user uses DOMAIN\user as username, he enters VLAN1234. Using
domain\user makes him stay within the default VLAN1000, because
domain\user does not match the users configuration. The Active
Directory does not care about big and small letters and allows both
usernames.

But still, is it possible to send attributes based on the used SSID?

So long,
Aiko
-- 
:wq ✉