>> Hi, I have (with some help) got the freeradius server to authenticate and
>> send the VLAN name
>> to the switch. But what I want to do is to use the freeradius server to
>> authenticate and set a VLAN
>> based on the certificate without the need of any other external database
>> lookup (ldap or sql).
>>
>> 1. Verify that the certificate is signed by your CA
>> 2. Check the CRL
>> 3. Check the OU field (or any other) in the certificate and then assign
>> VLAN based on that field.
>>
>> For option 1 & 2 the answer should be yes but for option 3 I have no real
>> clue on how to do it.
>
>Have you tried with the same value in the FreeRADIUS users file field and in the
>certificate field?
 
Don't exactly follow you but I suspect you mean the CN name of the certificate.
Well it would work but it counters what I want to do, namely set the client VLAN
based on organization unit (OU) and not the client's name. And I want to have
a unique name for each client/certificate.
 
The nice thing with this is that you could have a decentralized solution that
sets the VLAN from the information in the certificate. You would also get a radius
server that is more or less static (apart from log files and the CRL file). And the CRL
file is fetched once per day so you don't have to have a connection with the corporate
CA 100% of the time (or AD/ldap server).
 
Regards,
Stefan
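As an added illustration of step 3 (not from anyone in this thread), here is a FreeRADIUS 3.x unlang fragment for the post-auth section of the virtual server that terminates EAP-TLS: once the EAP-TLS module has verified the chain against your CA and checked the CRL, the client certificate's subject is exposed as TLS-Client-Cert-Subject, and the OU component can be mapped to a VLAN with no external lookup. The OU values and VLAN names (Finance, Engineering, finance-vlan, eng-vlan) are assumptions for the example.

```unlang
# Added example, FreeRADIUS 3.x syntax. TLS-Client-Cert-Subject is the
# subject in OpenSSL one-line form, e.g. /C=SE/O=Example/OU=Finance/CN=client01
# The OU is only trustworthy here because the EAP-TLS module has already
# rejected any certificate not signed by your CA or listed in the CRL.
post-auth {
    # Only act when a client certificate was actually presented.
    if (&TLS-Client-Cert-Subject) {
        # Capture the OU component; %{1} holds the match below.
        if (&TLS-Client-Cert-Subject =~ /\/OU=([^\/]+)/) {
            switch "%{1}" {
                case "Finance" {
                    update reply {
                        &Tunnel-Type := VLAN
                        &Tunnel-Medium-Type := IEEE-802
                        &Tunnel-Private-Group-Id := "finance-vlan"
                    }
                }
                case "Engineering" {
                    update reply {
                        &Tunnel-Type := VLAN
                        &Tunnel-Medium-Type := IEEE-802
                        &Tunnel-Private-Group-Id := "eng-vlan"
                    }
                }
                # Unknown OU: a valid certificate from the CA is not enough on
                # its own; deny instead of falling back to a default VLAN.
                case {
                    reject
                }
            }
        }
        else {
            # Certificate without any OU field: deny for the same reason.
            reject
        }
    }
}
```

A `reject` returned from post-auth turns the Access-Accept into an Access-Reject, so a certificate that passes steps 1 and 2 but carries an unexpected OU never lands on a VLAN by accident.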
