Re: Setting VLAN based on ldap attribute id

2013-06-20 Thread Arran Cudbard-Bell
On 20 Jun 2013, at 13:25, Thomas Hermarij Maimann Andersen wrote: > Hi, > > I've been reading the mailing list for a few days and tried to see if there > are any posts resembling mine. There are a few "almost" but nothing that has > got me that final step. > > Currently I have a radius server

Setting VLAN based on ldap attribute id

2013-06-20 Thread Thomas Hermarij Maimann Andersen
Hi, I've been reading the mailing list for a few days and tried to see if there are any posts resembling mine. There are a few "almost" but nothing that has got me that final step. Currently I have a radius server authenticating with ntlm to an AD. What I want now, is to assign a VLAN to the us

Re: LDAP attribute mapping

2012-10-31 Thread Arran Cudbard-Bell
> > or... > > update [] { > ... > } > > update reply { > config:Auth-Type = Reject > Reply-Message = "Go away" > } That one gets my vote. update { } defaults to request. -Arran - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: LDAP attribute mapping

2012-10-31 Thread Alan DeKok
Phil Mayers wrote: > +1 > > Personally I'd rather the latter format everywhere, even unlang: > > update { > request:foo = 1 > } Yeah. That shouldn't be hard. Maybe I can look at it in 2 weeks, after IETF. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/

Re: LDAP attribute mapping

2012-10-30 Thread Matthew Newton
On Tue, Oct 30, 2012 at 07:02:02PM +, Phil Mayers wrote: > +1 > > Personally I'd rather the latter format everywhere, even unlang: > > update { > request:foo = 1 > } Agreed - having that option would make things much tidier when several things in different lists are being updated at once.

Re: LDAP attribute mapping

2012-10-30 Thread Phil Mayers
+1 Personally I'd rather the latter format everywhere, even unlang: update { request:foo = 1 } John Dennis wrote: > >What I'd like to see is the individual modules converging on common >behavior so there is a consistent model. > >I suspect a number of the modules were written independently

Re: LDAP attribute mapping

2012-10-30 Thread Arran Cudbard-Bell
> >> If rlm_rest and rlm_cache have attribute models that are elegant and well >> thought out then let's move everything to that model. On the other hand if >> ulang is conceptually cleaner then lets move rlm_rest and rlm_cache to a >> ulang solution. Pick one idea and make everything follow th

Re: LDAP attribute mapping

2012-10-30 Thread Arran Cudbard-Bell
On 30 Oct 2012, at 13:00, John Dennis wrote: > On 10/30/2012 06:38 AM, Arran Cudbard-Bell wrote: >> Quick poll. >> >> For 3.0 the ldap module will be moving away from using the >> ldap.attrmap file and instead use a config based mapping. >> >> There are a few ways we are considering for organi

Re: LDAP attribute mapping

2012-10-30 Thread John Dennis
On 10/30/2012 06:38 AM, Arran Cudbard-Bell wrote: Quick poll. For 3.0 the ldap module will be moving away from using the ldap.attrmap file and instead use a config based mapping. There are a few ways we are considering for organising the mapping. We can use something like the existing unlang:

Re: LDAP attribute mapping

2012-10-30 Thread Bruce Nunn
I pull out only the attributes I need and change ldap.attrmap to match my schema. Personally, I can live with either config method. Arran Cudbard-Bell wrote: >Quick poll. > >For 3.0 the ldap module will be moving away from using the ldap.attrmap file >and instead use a config based mapping. >

LDAP attribute mapping

2012-10-30 Thread Arran Cudbard-Bell
Quick poll. For 3.0 the ldap module will be moving away from using the ldap.attrmap file and instead use a config based mapping. There are a few ways we are considering for organising the mapping. We can use something like the existing unlang: update control { Cleartext-Password := use

Re: authorization based on ldap attribute

2012-09-20 Thread Stefano Zanmarchi
Thanks again, you pointed out a very important issue. I'll definitively apply one of the two suggested methods to check if the attribute is present before allowing a user access. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: authorization based on ldap attribute

2012-09-20 Thread Phil Mayers
On 20/09/12 13:35, Gregg Douglas wrote: With this reject command in the authorize section is there a method to supply a custom reply message? Sure. if (...) { update reply { Reply-Message = "whatever you want" } reject } This is pretty basic use. I think people should be able to

Re: authorization based on ldap attribute

2012-09-20 Thread Stefano Zanmarchi
Thank you very much Phil! exactly what I needed, very well explained. I just did it the other way round "if (reply:Eduroam-Enabled == "N") { reject }" and it's working fine. Have a nice day, Stefano - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: authorization based on ldap attribute

2012-09-19 Thread Phil Mayers
On 19/09/12 17:03, Stefano Zanmarchi wrote: Hallo, I've configured freeradius to authenticate users with PEAP, using openldap to store NTLM hashes. It works fine. Now I'd like to authorize only people who have the ldap attribute "haDirittoEduroam" set to Y (or the oth

authorization based on ldap attribute

2012-09-19 Thread Stefano Zanmarchi
Hallo, I've configured freeradius to authenticate users with PEAP, using openldap to store NTLM hashes. It works fine. Now I'd like to authorize only people who have the ldap attribute "haDirittoEduroam" set to Y (or the other way round: not to authorize users with "h

ldap attribute

2012-07-11 Thread sandm...@uni-greifswald.de
Hello, I want to get different attribute from ldap. Something like "cn". Is this possible and where must be set it? Kind regards, David Sandmann *** IT specialist for systems integration Ernst-Moritz-Arndt-Universität Rechenzentrum Felix-Hausdorff-

Re: Reject users based on LDAP attribute

2012-05-17 Thread Phil Mayers
On 17/05/12 16:07, Luo, Frank Y.F. Mr. wrote: thanks for reply. Here is the output of radiusd -X. It seems that ldap module did not query for the VPN attribute after the successful authentication Correct. Check the data is present in your LDAP directory, and that it is visible to the bind DN y

Re: Reject users based on LDAP attribute

2012-05-17 Thread Luo, Frank Y.F. Mr.
thanks for reply. Here is the output of radiusd -X. It seems that ldap module did not query for the VPN attribute after the successful authentication Copyright (C) 1999-2009 The FreeRADIUS server project and contributors. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICU

Re: Reject users based on LDAP attribute

2012-05-17 Thread Phil Mayers
On 17/05/12 14:56, Luo, Frank Y.F. Mr. wrote: post-auth { if (Profile == g1) { This is wrong. I also tried If (reply:Profile == g1) This should work. Any idea? Post a full debug with "radiusd -X". Maybe in a new thread. - List info/subscribe/unsubscribe? See http://www.freeradius.org

Re: Reject users based on LDAP attribute

2012-05-17 Thread Luo, Frank Y.F. Mr.
Frank On May 17, 2012, at 3:58 AM, C.F. Yeung wrote: Thanks, it's working. On Thu, May 17, 2012 at 3:22 PM, Phil Mayers mailto:p.may...@imperial.ac.uk>> wrote: On 05/17/2012 06:54 AM, C.F. Yeung wrote: We have 802.1x authentication via AD. It's okay. Now, we would like to reje

Re: Reject users based on LDAP attribute

2012-05-17 Thread C.F. Yeung
Thanks, it's working. On Thu, May 17, 2012 at 3:22 PM, Phil Mayers wrote: > On 05/17/2012 06:54 AM, C.F. Yeung wrote: > >> We have 802.1x authentication via AD. It's okay. Now, we would like to >> reject users based on LDAP attribute, WLANStatus. Added attribute in >

Re: Reject users based on LDAP attribute

2012-05-17 Thread Phil Mayers
On 05/17/2012 06:54 AM, C.F. Yeung wrote: We have 802.1x authentication via AD. It's okay. Now, we would like to reject users based on LDAP attribute, WLANStatus. Added attribute in dictionary and ldap.attrmap as follow. Where should I put the unlang? /etc/raddb/dictionary ATTRIBUTE My-

Reject users based on LDAP attribute

2012-05-16 Thread C.F. Yeung
We have 802.1x authentication via AD. It's okay. Now, we would like to reject users based on LDAP attribute, WLANStatus. Added attribute in dictionary and ldap.attrmap as follow. Where should I put the unlang? /etc/raddb/dictionary ATTRIBUTE My-Local-wlanStatus 3000string

Re: Ldap attribute in pre-proxy possible?

2012-05-14 Thread Phil Mayers
On 11/05/12 20:25, Mike wrote: Phil, I meant to say proxy-request, not proxy-reply. Ah, ok. Secondly, why would you need a log file to show an attribute expanding to nothing? I just told you it is expanding to nothing aka it has no assigned value once reaching the pre-proxy stage. Becaus

Re: re: Re: Ldap attribute in pre-proxy possible?

2012-05-11 Thread alan buxey
Hi, > Secondly, why would you need a log file to show an attribute expanding to > nothing? I just told you it is expanding to nothing aka it has no assigned > value once reaching the pre-proxy stage. as per the mailing list information, no radiusd -X, no help alan - List info/subscribe/unsubsc

Re:re: Re: Ldap attribute in pre-proxy possible?

2012-05-11 Thread Mike
012 18:07:40 +0100 > From: Phil Mayers > To: freeradius-users@lists.freeradius.org > Subject: Re: Ldap attribute in pre-proxy possible? > Message-ID: <4fad475c.7090...@imperial.ac.uk> > Content-Type: text/plain; charset=ISO-8859-1; format=flowed > > On 11/05/12 16:39

Re: Ldap attribute in pre-proxy possible?

2012-05-11 Thread Phil Mayers
On 11/05/12 16:39, Mike wrote: Hello, Is it possible store and access an ldap attribute in pre-proxy? 1. Attribute defined in dictionary 2. Attribute mapped in ldap.attrmap 2. Trying to access using: pre-proxy { If (%{reply:attributename} == "cookies" { update proxy-reply { Whatever

Ldap attribute in pre-proxy possible?

2012-05-11 Thread Mike
Hello, Is it possible store and access an ldap attribute in pre-proxy? 1. Attribute defined in dictionary 2. Attribute mapped in ldap.attrmap 2. Trying to access using: pre-proxy { If (%{reply:attributename} == "cookies" { update proxy-reply { Whatever = "cookies" }} }

Re: Multi-valued LDAP attribute

2012-05-02 Thread Alan DeKok
Adam Track wrote: > I'd also like to add, although I'm probably going to have my head > chopped off, that I did read the file.. many times in the past, several > times today in fact, but unfortunately my brain did not interpret the > operator description to mean that one need add += for multi-value

Re: Multi-valued LDAP attribute

2012-05-02 Thread Adam Track
> No.  The default operator for the LDAP attribute mapping is '='.  If > you want '+=', edit ldap.attrmap. > > This has been in ldap.attrmap, *and* documented there since 2004.  If > you're editing the file to add "personType", the PLEASE READ

Re: Multi-valued LDAP attribute

2012-05-02 Thread Alan DeKok
the following in the post-auth debug: ... > So, for Person-Type, only the one value, employee, is passed to the perl > module? Shouldn't there be another two lines of this for the other two > values? No. The default operator for the LDAP attribute mapping is '='. If you want

Re: Multi-valued LDAP attribute

2012-05-02 Thread Adam Track
>> In a continuation to my previous issue about how to reference an LDAP >> attribute in post-auth, I am now wondering how to iterate through a >> multi-valued attribute in a perl script I call from post-auth.  In the >> debug you can see all three values are returned: >

ldap attribute

2012-04-23 Thread sandm...@uni-greifswald.de
Hello, I want to get different attribute from ldap. Something like "cn". Is this possible and where must be set it? Kind regards, David Sandmann *** IT specialist for systems integration Ernst-Moritz-Arndt-Universität Rechenzentrum Felix-Hausdorff-

Re: Multi-valued LDAP attribute

2011-12-23 Thread Adam Track
Ah.. thanks! Wouldn't have figured that out on my own... A.- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Multi-valued LDAP attribute

2011-12-23 Thread Alan DeKok
Adam Track wrote: > In a continuation to my previous issue about how to reference an LDAP > attribute in post-auth, I am now wondering how to iterate through a > multi-valued attribute in a perl script I call from post-auth. In the > debug you can see all three values are returned:

Multi-valued LDAP attribute

2011-12-22 Thread Adam Track
Hi All, In a continuation to my previous issue about how to reference an LDAP attribute in post-auth, I am now wondering how to iterate through a multi-valued attribute in a perl script I call from post-auth.  In the debug you can see all three values are returned: ... [ldap] looking for

Re: Set reply attributes based on LDAP attribute

2011-12-06 Thread aidanr
-reply-attributes-based-on-LDAP-attribute-tp5047676p5054214.html Sent from the FreeRadius - User mailing list archive at Nabble.com. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Set reply attributes based on LDAP attribute

2011-12-05 Thread Alan Buxey
Hi, > I am trying to configure freeradius 2.1.12 to set the > 'Tunnel-Private-Group-Id' attribute based on a value retrieved from LDAP. use unlang - either completely to do the work...or to populate the packet so that other modules can use it e.g. if (Person-OrgUnit) { update request {

Re: Set reply attributes based on LDAP attribute

2011-12-04 Thread Alan DeKok
aidanr wrote: > I am trying to configure freeradius 2.1.12 to set the > 'Tunnel-Private-Group-Id' attribute based on a value retrieved from LDAP. That should be easy. > I have pulled the variable form LDAP and am storing it as a local Radius > variable called 'Person-OrgUnit'. In the users fil

Set reply attributes based on LDAP attribute

2011-12-04 Thread aidanr
ant. -- What is the best way for me to check this radius CheckItem variable and based on its value, set additional attributes? Thank you, -- View this message in context: http://freeradius.1045715.n5.nabble.com/Set-reply-attributes-based-on-LDAP-attribute-tp5047676p5047676.html Sent from the FreeRad

Re: Expand Ldap Attribute on Post-Auth section

2011-06-07 Thread Arran Cudbard-Bell
On Jun 7, 2011, at 1:07 PM, John Center wrote: > On 06/07/2011 02:22 PM, Alan DeKok wrote: >> John Center wrote: >>> We talked about this, there isn't any more content there. Someone needs >>> to rewrite this page. >> >> mediawiki.freeradius.org should now work. The contents can be copied >>

Re: Expand Ldap Attribute on Post-Auth section

2011-06-07 Thread Alan DeKok
Renan wrote: > So all of the attributes are available except the ones that Ldap module > fetched (for example: NT-Password, Password-With-Header, my custom > defined: Aa, etc...). As a test, at my exec module I did: "env >> > /tmp/temp_file.txt" to see which variables are exported, here is the resul

Re: Expand Ldap Attribute on Post-Auth section

2011-06-07 Thread Renan
On 07-06-2011 14:30, Alan DeKok wrote: You can't use RADIUS to query LDAP from an "exec" module. It's not a query per se, I would be accessing a variable that was already **set** by the LDAP module (That's why I specified it at ldap.attrmap). Each module has access to *all* of the

Re: Expand Ldap Attribute on Post-Auth section

2011-06-07 Thread John Center
On 06/07/2011 02:22 PM, Alan DeKok wrote: John Center wrote: We talked about this, there isn't any more content there. Someone needs to rewrite this page. mediawiki.freeradius.org should now work. The contents can be copied from there. Still no more content, see http://mediawiki.freerad

Re: Expand Ldap Attribute on Post-Auth section

2011-06-07 Thread Alan DeKok
John Center wrote: > We talked about this, there isn't any more content there. Someone needs > to rewrite this page. mediawiki.freeradius.org should now work. The contents can be copied from there. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Expand Ldap Attribute on Post-Auth section

2011-06-07 Thread John Center
Hi Alan, On 06/07/2011 01:30 PM, Alan DeKok wrote: Renan wrote: So, according to this: http://wiki.freeradius.org/Attribute%20support%20by%20processing%20list I can only access the User-Name and Auth-Type at my custom exec module, and nothing else? Uh, no. The wiki page needs to be refor

Re: Expand Ldap Attribute on Post-Auth section

2011-06-07 Thread Alan DeKok
Renan wrote: > So, according to this: > http://wiki.freeradius.org/Attribute%20support%20by%20processing%20list > > I can only access the User-Name and Auth-Type at my custom exec module, > and nothing else? Uh, no. The wiki page needs to be reformatted. Each module has access to *all* of t

Re: Expand Ldap Attribute on Post-Auth section

2011-06-07 Thread Renan
So, according to this: http://wiki.freeradius.org/Attribute%20support%20by%20processing%20list I can only access the User-Name and Auth-Type at my custom exec module, and nothing else? I just want to access an LDAP value at my exec module without having to issue an external ldapsearch and avo

Expand Ldap Attribute on Post-Auth section

2011-06-06 Thread Renan
Hello there, I'm trying to evaluate an ldap returned attribute on the post-auth section. At my dictionary: ATTRIBUTE Aa 3000string At my ldap.attrmap: checkItem AA eduPersonAffiliation And at my custom module: exec aloca_vlans { wait = yes prog

Re: authorize an user using a multivalue ldap attribute

2010-10-26 Thread Ana Gallardo
Thank you very much for your responses. Conversely, you could comment out/remove the "use Data::Dumper" line > since you're not using it. It's mainly for debugging and easily > printing the entire contents of an object/array/hash/etc. > > Ok, Kevin, I don't use Data::Dumper and I can run Freerad

Re: authorize an user using a multivalue ldap attribute

2010-10-22 Thread Kevin Ehlers
On 10/22/10 6:25 AM, Jonathan Gazeley wrote: > On 22/10/10 13:16, Ana Gallardo wrote: >> Can't load '/usr/lib/perl/5.10/auto/Data/Dumper/Dumper.so' for module >> Data::Dumper: /usr/lib/perl/5.10/auto/Data/Dumper/Dumper.so: undefined >> symbol: Perl_sv_cmp at /usr/lib/perl/5.10/XSLoader.pm line 64.

Re: authorize an user using a multivalue ldap attribute

2010-10-22 Thread Jonathan Gazeley
On 22/10/10 13:16, Ana Gallardo wrote: Can't load '/usr/lib/perl/5.10/auto/Data/Dumper/Dumper.so' for module Data::Dumper: /usr/lib/perl/5.10/auto/Data/Dumper/Dumper.so: undefined symbol: Perl_sv_cmp at /usr/lib/perl/5.10/XSLoader.pm line 64. at /usr/lib/perl/5.10/Data/Dumper.pm line 36 You n

Re: authorize an user using a multivalue ldap attribute

2010-10-22 Thread Ana Gallardo
Hello Alan, and thank you for your response. You can't really do that with "unlang". I suggest using the perl module. > I flow your suggestion and write this: # cat /etc/freeradius/perl/checkRelaciones.pm use strict; use vars qw(%RAD_REQUEST %RAD_REPLY %RAD_CHECK); use Data::Dumper; use co

Re: authorize an user using a multivalue ldap attribute

2010-10-22 Thread Alan DeKok
Ana Gallardo wrote: > I want to authorize the access only if there is one attribute Relaciones > with a positive value. So I would like to use unlang in authorize > module to check all the attributes "Relaciones" with a regex, but I > don't know how can I check all the attributes, and how can I sto

Re: authorize an user using a multivalue ldap attribute

2010-10-22 Thread Ana Gallardo
Hello again, I have a string attribute named Relaciones in my ldap. > > This attribute can have more than one value. Actually I return those values > in the reply: > > Sending Access-Accept of id 229 to X.X.X.X port 32796 > Relaciones += "-11" > Relaciones += "03" > Relaciones += "-01"

authorize an user using a multivalue ldap attribute

2010-10-22 Thread Ana Gallardo
Hello, I have a string attribute named Relaciones in my ldap. This attribute can have more than one value. Actually I return those values in the reply: Sending Access-Accept of id 229 to X.X.X.X port 32796 Relaciones += "-11" Relaciones += "03" Relaciones += "-01" I want to authoriz

Re: Fallback LDAP Attribute Value

2009-07-08 Thread Alan DeKok
Ivan Kalik wrote: > reply:Tmp-String-0 Whoops.. that's my typo. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Fallback LDAP Attribute Value

2009-07-08 Thread Steven Carr
On 8/7/09 16:21, Ivan Kalik wrote: >>> e.g. map it to Tmp-String-0, (ldap.attrmap), and then do: >>> >>> >>> if (... i want to send vlan) { >>> update reply { >>> Tunnel-Private-Group-Id = "%{Tmp-String-0}" > > reply:Tmp-String-0 Pants! I was almost certain I

Re: Fallback LDAP Attribute Value

2009-07-08 Thread Ivan Kalik
>> >> e.g. map it to Tmp-String-0, (ldap.attrmap), and then do: >> >> >> if (... i want to send vlan) { >> update reply { >> Tunnel-Private-Group-Id = "%{Tmp-String-0}" reply:Tmp-String-0 Ivan Kalik Kalik Informatika ISP - List info/subscribe/unsubscribe?

Re: Fallback LDAP Attribute Value

2009-07-08 Thread Steven Carr
On 8/7/09 15:07, Alan DeKok wrote: > You can map that VLAN number to a server-side attribute. Then, copy > it to the correct tunnel attribute when you want. > > e.g. map it to Tmp-String-0, (ldap.attrmap), and then do: > > > if (... i want to send vlan) { > update reply

Re: Fallback LDAP Attribute Value

2009-07-08 Thread Alan DeKok
Steven Carr wrote: > That is the issue, I do not know what attributes we do want, only what > we don't want. If you don't want the attributes, it would be simplest to not add them in the first place. > We only want to send back the VLAN switching dot1x attributes if the > request comes from a p

Re: Fallback LDAP Attribute Value

2009-07-08 Thread Steven Carr
On 8/7/09 14:36, Ivan Kalik wrote: > Well, reply attributes don't appear from nowhere - *you* configure them! > List what you want to leave in the packet (lets say Service-Type) - rest > will be deleted. That is the issue, I do not know what attributes we do want, only what we don't want. We only

Re: Fallback LDAP Attribute Value

2009-07-08 Thread Ivan Kalik
> On 8/7/09 14:19, Ivan Kalik wrote: >> Obviously not. There is no wildcard. If you want wildcard use attribute >> filter instead of update reply. > > Tried that too, but the attribute filter only seems to allow you to > filter on items that you want to be returned, rather than filter out > those t

Re: Fallback LDAP Attribute Value

2009-07-08 Thread Steven Carr
On 8/7/09 14:19, Ivan Kalik wrote: > Obviously not. There is no wildcard. If you want wildcard use attribute > filter instead of update reply. Tried that too, but the attribute filter only seems to allow you to filter on items that you want to be returned, rather than filter out those that you don

Re: Fallback LDAP Attribute Value

2009-07-08 Thread Ivan Kalik
> Is it not possible to use something like... > > if ((!Huntgroup-Name) || (Huntgroup-Name != "ciscoswitches")) { > update reply { > Tunnel-Private-Group-ID -= > Tunnel-Type -= > Tunnel-Medium-Type -= >

Re: Fallback LDAP Attribute Value

2009-07-08 Thread Steven Carr
On 8/7/09 08:18, Steven Carr wrote: > On 7/7/09 17:01, Ivan Kalik wrote: >> Yes. >> >> if(((!reply:...) || (reply:... = "")) && Huntgroup-Name = "whatever") > > This works for those users that have the attribute set as a fallback > measure but how do I stop it from returning the attribute when it

Re: Fallback LDAP Attribute Value

2009-07-08 Thread Ivan Kalik
> On 7/7/09 17:01, Ivan Kalik wrote: >> Yes. >> >> if(((!reply:...) || (reply:... = "")) && Huntgroup-Name = "whatever") > > This works for those users that have the attribute set as a fallback > measure but how do I stop it from returning the attribute when it was > retrieved from LDAP, again I on

Re: Fallback LDAP Attribute Value

2009-07-08 Thread Steven Carr
On 7/7/09 17:01, Ivan Kalik wrote: > Yes. > > if(((!reply:...) || (reply:... = "")) && Huntgroup-Name = "whatever") This works for those users that have the attribute set as a fallback measure but how do I stop it from returning the attribute when it was retrieved from LDAP, again I only want thi

Re: Fallback LDAP Attribute Value

2009-07-07 Thread Ivan Kalik
>> Thanks Ivan, the following in the post-auth section of the default file >> works: >> >>> if ((!reply:Tunnel-Private-Group-ID) || (reply:Tunnel-Private-Group-ID >>> == "")) { >>> update reply { >>> Tunnel-Private-Group-ID = "666" >>> } >>> } > >

Re: Fallback LDAP Attribute Value

2009-07-07 Thread Steven Carr
On 7/7/09 16:16, Steven Carr wrote: > Thanks Ivan, the following in the post-auth section of the default file > works: > >> if ((!reply:Tunnel-Private-Group-ID) || (reply:Tunnel-Private-Group-ID >> == "")) { >> update reply { >> Tunnel-Private-Group-ID = "66

Re: Fallback LDAP Attribute Value

2009-07-07 Thread Steven Carr
On 7/7/09 16:04, Ivan Kalik wrote: > OK, try: > > if (!reply:Tunnel-Private-Group-ID) > > that should cover the case when there is no ldap attribute in user > profile. If attribute can be empty or missing you will need to OR those > two expressions. Thanks Ivan, the follo

Re: Fallback LDAP Attribute Value

2009-07-07 Thread Ivan Kalik
te-Group-ID == "") >> (Attribute reply:Tunnel-Private-Group-ID was not found) OK, try: if (!reply:Tunnel-Private-Group-ID) that should cover the case when there is no ldap attribute in user profile. If attribute can be empty or missing you will need to OR those two expressions. Ivan Kalik Kalik Informatika ISP - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Fallback LDAP Attribute Value

2009-07-07 Thread Steven Carr
On 7/7/09 15:48, Steven Carr wrote: > Hi Ivan > > On 7/7/09 14:29, Ivan Kalik wrote: >> Use unlang. Put something like this in post-auth: >> >> if(reply:Tunnel-Private-Group-ID == "") { >> update reply { >> Tunnel-Private-Group-ID = "666" >> } >> } > > I've tried this in both

Re: Fallback LDAP Attribute Value

2009-07-07 Thread Steven Carr
Hi Ivan On 7/7/09 14:29, Ivan Kalik wrote: > Use unlang. Put something like this in post-auth: > > if(reply:Tunnel-Private-Group-ID == "") { > update reply { > Tunnel-Private-Group-ID = "666" > } > } I've tried this in both the default and inner-tunnel post-auth sections and

Re: Fallback LDAP Attribute Value

2009-07-07 Thread Ivan Kalik
> I have the following line in my ldap.attrmap file to pull back a users > VLAN assignment: > >> replyItemTunnel-Private-Group-ID destinationIndicator > > The users file contains the following: > >> DEFAULT Ldap-Group == "allowed-access" >> Service-Type = Framed-User, >> Tunnel-Type =

Fallback LDAP Attribute Value

2009-07-07 Thread Steven Carr
Hi list, I have the following line in my ldap.attrmap file to pull back a users VLAN assignment: > replyItem Tunnel-Private-Group-ID destinationIndicator The users file contains the following: > DEFAULT Ldap-Group == "allowed-access" > Service-Type = Framed-User, > Tunnel-Type =

Re: Dynamic Vlan Allocation based on LDAP Attribute Value

2009-02-16 Thread tnt
ebug. > >Stuck with this version for now. > >I have a "catchall" DEFAULT entry with no comparison which set the >vlan. But it didn't match on the userORGUNIT ldap attribute. value > Upgrade. Checking control:My-Attribute with unlang works. Ivan Kalik Kalik Informatika ISP - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Dynamic Vlan Allocation based on LDAP Attribute Value

2009-02-16 Thread Paul Dealy
ch in files? Post the debug. Stuck with this version for now. I have a "catchall" DEFAULT entry with no comparison which set the vlan. But it didn't match on the userORGUNIT ldap attribute. value modcall: entering group authorize for request 2 modcall[authorize]: module "

Re: Dynamic Vlan Allocation based on LDAP Attribute Value

2009-02-16 Thread tnt
>I'm using version 1.1.3 so, I moved the "files" entry below the ldap >entry but my DEFAULT entry in the file: users does not match or return >any value. > You should upgrade. Did something else match in files? Post the debug. Ivan Kalik Kalik Informatika ISP - List info/subscribe/unsubscribe? S

Re: Dynamic Vlan Allocation based on LDAP Attribute Value

2009-02-16 Thread Paul Dealy
On Tue, Feb 17, 2009 at 11:04 AM, wrote: >>>>Am I correct in saying that the LDAP-attribute that is mapped to >>>>Tunnel-Private-Group-ID would need to be set to the value of the >>>>VLAN I require? The LDAP-attribute that I wish to use currently >

Re: Dynamic Vlan Allocation based on LDAP Attribute Value

2009-02-16 Thread tnt
>>>Am I correct in saying that the LDAP-attribute that is mapped to >>>Tunnel-Private-Group-ID would need to be set to the value of the >>>VLAN I require? The LDAP-attribute that I wish to use currently >>>contains values like "ITISCP" and

Re: Dynamic Vlan Allocation based on LDAP Attribute Value

2009-02-16 Thread Paul Dealy
On Tue, Feb 17, 2009 at 9:50 AM, wrote: >>Am I correct in saying that the LDAP-attribute that is mapped to >>Tunnel-Private-Group-ID would need to be set to the value of the >>VLAN I require? The LDAP-attribute that I wish to use currently >>contains values like "

Re: Dynamic Vlan Allocation based on LDAP Attribute Value

2009-02-16 Thread tnt
>Am I correct in saying that the LDAP-attribute that is mapped to >Tunnel-Private-Group-ID would need to be set to the value of the >VLAN I require? The LDAP-attribute that I wish to use currently >contains values like "ITISCP" and "ENISCP". I want to say if

Re: Dynamic Vlan Allocation based on LDAP Attribute Value

2009-02-16 Thread tnt
> >I have a value set for an attribute in LDAP, how do I "extract" the >value from the attribute and do a comparison on it in the users file >so I can set the VLAN? > ldap.attrmap file in raddb directory. Ivan Kalik Kalik Informatika ISP - List info/subscribe/unsubscribe? See http://www.freerad

Re: Dynamic Vlan Allocation based on LDAP Attribute Value

2009-02-13 Thread Michael Schwartzkopff
> >> >> achieved basic vlan allocation by configuring a Default entry in > >> >> >> the users file. So the vlan allocation part works ok. > >> >> >> > >> >> >> What I want to be able to do is allocate the vlan by matchi

Re: Dynamic Vlan Allocation based on LDAP Attribute Value

2009-02-13 Thread Michael Schwartzkopff
>> >> I have a working radius server (ver 1.1.3). which I am using > >> >> >> >> for 802.1x authentication of wired switch ports. I would like > >> >> >> >> to dynamically assign users vlans. I have cisco gear and have > >> >> >

Re: Dynamic Vlan Allocation based on LDAP Attribute Value

2009-02-13 Thread Paul Dealy
orts. I would like to >> >> >> >> dynamically assign users vlans. I have cisco gear and have >> >> >> >> achieved basic vlan allocation by configuring a Default entry in >> >> >> >> the users file. So the vlan allocation

Re: Dynamic Vlan Allocation based on LDAP Attribute Value

2009-02-13 Thread Michael Schwartzkopff
> >> >> achieved basic vlan allocation by configuring a Default entry in > >> >> >> the users file. So the vlan allocation part works ok. > >> >> >> > >> >> >> What I want to be able to do is allocate the vlan by matchi

Re: Dynamic Vlan Allocation based on LDAP Attribute Value

2009-02-13 Thread Michael Schwartzkopff
> >> >> achieved basic vlan allocation by configuring a Default entry in > >> >> >> the users file. So the vlan allocation part works ok. > >> >> >> > >> >> >> What I want to be able to do is allocate the vlan by matchi

Re: Dynamic Vlan Allocation based on LDAP Attribute Value

2009-02-13 Thread Paul Dealy
> >> 802.1x authentication of wired switch ports. I would like to >> >> >> dynamically assign users vlans. I have cisco gear and have achieved >> >> >> basic vlan allocation by configuring a Default entry in the users >> >> >> file. S

Re: Dynamic Vlan Allocation based on LDAP Attribute Value

2009-02-13 Thread Michael Schwartzkopff
gn users vlans. I have cisco gear and have achieved > >> >> basic vlan allocation by configuring a Default entry in the users > >> >> file. So the vlan allocation part works ok. > >> >> > >> >> What I want to be able to do is alloc

Re: Dynamic Vlan Allocation based on LDAP Attribute Value

2009-02-13 Thread Paul Dealy
Default entry in the users >> >> file. So the vlan allocation part works ok. >> >> >> >> What I want to be able to do is allocate the vlan by matching the >> >> value of an LDAP attribute. Not by group membership, but the actual >> >> val

Re: Dynamic Vlan Allocation based on LDAP Attribute Value

2009-02-13 Thread Michael Schwartzkopff
> >> What I want to be able to do is allocate the vlan by matching the > >> value of an LDAP attribute. Not by group membership, but the actual > >> value of a users attribute. Is this possible? > >> > >> Cheers, > >> Dealy > > > >

Re: Dynamic Vlan Allocation based on LDAP Attribute Value

2009-02-13 Thread Paul Dealy
users vlans. I have cisco gear and have achieved >> basic vlan allocation by configuring a Default entry in the users >> file. So the vlan allocation part works ok. >> >> What I want to be able to do is allocate the vlan by matching the >> value of an LDAP attribute

Re: Dynamic Vlan Allocation based on LDAP Attribute Value

2009-02-12 Thread Michael Schwartzkopff
configuring a Default entry in the users > file. So the vlan allocation part works ok. > > What I want to be able to do is allocate the vlan by matching the > value of an LDAP attribute. Not by group membership, but the actual > value of a users attribute. Is this possible? >

Dynamic Vlan Allocation based on LDAP Attribute Value

2009-02-12 Thread Paul Dealy
works ok. What I want to be able to do is allocate the vlan by matching the value of an LDAP attribute. Not by group membership, but the actual value of a users attribute. Is this possible? Cheers, Dealy - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: problem returning a mapped LDAP attribute in EAP auths.

2008-08-11 Thread Roberto S. G.
> Did you set "use_tunneled_reply" in eap.conf? This is also in 1.1.x. > Alan DeKok. Yeah!, it works if "use_tunneled_reply" is set to "yes" (though tunneled data is -in my case- the same). Thank you very much! If this can help: I've run FR1.1 (various versions, last one v1.1.5), with this a

Re: problem returning a mapped LDAP attribute in EAP auths.

2008-08-08 Thread Alan DeKok
Roberto S. G. wrote: > Hi, > I'm migrating to FR2.0.5. After setting the new conf style, everything > runs smooth and ok... but now I have a strange behavior: I have an > attribute mapped in ldap.attrs file (as in FR1.1) but it's returned in > the Access packet only in "clear" auths; with "EAP" aut

problem returning a mapped LDAP attribute in EAP auths.

2008-08-08 Thread Roberto S. G.
Hi, I'm migrating to FR2.0.5. After setting the new conf style, everything runs smooth and ok... but now I have a strange behavior: I have an attribute mapped in ldap.attrs file (as in FR1.1) but it's returned in the Access packet only in "clear" auths; with "EAP" auths, it is mapped (as -X sh
