Owen DeLong wrote:
> We have historically used the AuthorizedService attribute in LDAP to
> control the level of access available to the user. We would like to
> continue to do so. However, in order for that to work, I need to map
> AuthorizedService to different RADIUS attributes in the response
> depending on the authentication client.

Do it in two steps. Map the AuthorizedService LDAP attribute to a RADIUS attribute (invent a local one, see the dictionary docs), and then depending on the NAS, map that to another attribute.

The reason for doing it this way is that the LDAP -> RADIUS attribute mapping is simple, and should be kept simple.

> Ideally, I'd like to be able to map RADIUS clients into "groups" and
> have a mapping of AuthorizedService values for each group. The client
> groups would, ideally, be defined by matching the client IP address.
> An example of what I'd like that mapping to look like is below:

Use rlm_passwd to map clients to groups (see its documentation), and then the "users" file to map AuthorizedService to another RADIUS attribute, as described above.

> Alan, your flames and RTFM comments are welcome, but, please understand,
> I've done my best to RTFM before posting this.

As I tell my co-workers, "Remember, there are no stupid questions. There are only stupid people." And they still speak to me after that. :)

Alan DeKok.

--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
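The two-step lookup described in the reply, modelled in Python as an added example; it is not FreeRADIUS configuration and not code from the thread. The attribute name `Local-Authorized-Service`, the group names, the networks, the service values and the CIDR matching are all assumptions made for illustration, and an unknown client or an unmapped value yields no reply attributes rather than a default level of access.

```python
import ipaddress

# Constructed sample data: group names, networks and values are assumptions.
CLIENT_GROUPS = {                      # the client -> group step (rlm_passwd in the post)
    "switches": ["192.0.2.0/24"],
    "vpn": ["198.51.100.0/25"],
}
LOCAL_ATTR = "Local-Authorized-Service"  # hypothetical local dictionary attribute

# (client group, AuthorizedService value) -> reply attributes for that NAS type
GROUP_MAP = {
    ("switches", "admin"): {"Cisco-AVPair": "shell:priv-lvl=15"},
    ("switches", "readonly"): {"Cisco-AVPair": "shell:priv-lvl=1"},
    ("vpn", "admin"): {"Service-Type": "Administrative-User"},
}


def ldap_to_radius(ldap_entry):
    """Step 1: one fixed LDAP -> RADIUS mapping, identical for every client."""
    value = ldap_entry.get("AuthorizedService")
    return {LOCAL_ATTR: value} if value else {}


def client_group(client_ip):
    """Map the RADIUS client's source address to a group, or None if unknown."""
    addr = ipaddress.ip_address(client_ip)
    for group, networks in CLIENT_GROUPS.items():
        if any(addr in ipaddress.ip_network(n) for n in networks):
            return group
    return None


def build_reply(client_ip, ldap_entry):
    """Step 2: translate the local attribute according to the client group.

    Returns the reply attributes, or None when the client is in no group
    or the group has no mapping for the user's service value.
    """
    local = ldap_to_radius(ldap_entry)
    group = client_group(client_ip)
    if group is None or LOCAL_ATTR not in local:
        return None
    return GROUP_MAP.get((group, local[LOCAL_ATTR]))
```
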

