Nobody replied to my original post, and I got to thinking, would I be able to use wildcards in my users file to achieve this when looking for which Ldap-Group the user has been placed in?
i.e.

DEFAULT FreeRADIUS-Proxied-To == 127.0.0.1, Huntgroup-Name == UNBFWSS, unbldap-Ldap-Group =~ ".*staff1", Autz-Type := Ldap1, Auth-Type := Ldap1

Where unbldap-Ldap-Group gets set via groupmembership_attribute = eduPersonPrimaryAffiliation and eduPersonEntitlement: urn:mace:uni.ca:wireless?vlan=staff1 in LDAP

Thanks

Matt Ashfield
[EMAIL PROTECTED]

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Matt Ashfield
Sent: Wednesday, July 23, 2008 10:29 AM
To: 'FreeRadius users mailing list'
Subject: groupmembership and vlan assignment

Hello

We have been using the groupmembership attribute in radius.conf to assign users to the appropriate vlans. Up until now we've done it based on the type of LDAP user they are (i.e., staff, student, faculty, etc.):

groupmembership_attribute = eduPersonPrimaryAffiliation, (where eduPersonPrimaryAffiliation=staff, student, faculty, etc.)

Unfortunately, our student vlans have grown significantly large and we want to take measures to make them smaller. We have looked into using LDAP entitlement fields. There are however a few issues here:

- The eduPersonEntitlement attribute is not unique. A user record can have multiple instances of this attribute for each different entitlement they have.
- The eduPersonEntitlement attribute has a value that is not simply the name of a vlan. It is typically something like:
  eduPersonEntitlement: urn:mace:uni.ca:wireless?vlan=student1
  So I'd need to parse the value as well to pull out the vlan name, in this case "student1".

I'm unsure how to get around these two issues. Any suggestions are welcome.

Thanks

Matt
[EMAIL PROTECTED]
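The two issues raised above (multi-valued eduPersonEntitlement, and a VLAN name embedded in a URN) can be handled with a strict parser. The following Python sketch is an added example, not part of the original post and not FreeRADIUS code. The URN layout is assumed from the sample value in the message; the allow-list, function names and sample record are hypothetical.

```python
import re

# Assumed layout, from the sample value in the post:
#   urn:mace:uni.ca:wireless?vlan=<name>
# The whole value must match, so look-alike entitlements are rejected.
WIRELESS_VLAN = re.compile(r"urn:mace:uni\.ca:wireless\?vlan=([A-Za-z0-9_-]{1,32})")

# Hypothetical allow-list of VLAN names the network actually defines.
KNOWN_VLANS = {"staff1", "staff2", "student1", "student2", "faculty1"}

def vlans_from_entitlements(values):
    """Distinct, allow-listed VLAN names from all values, first-seen order."""
    found = []
    for value in values:
        m = WIRELESS_VLAN.fullmatch(value.strip())
        if m and m.group(1) in KNOWN_VLANS and m.group(1) not in found:
            found.append(m.group(1))
    return found

def select_vlan(values, default=None):
    """Pick one VLAN for the session.

    No match returns `default`; several different matches raise ValueError,
    since guessing would make the authorization decision ambiguous.
    """
    vlans = vlans_from_entitlements(values)
    if not vlans:
        return default
    if len(vlans) > 1:
        raise ValueError("conflicting wireless VLAN entitlements: %s" % vlans)
    return vlans[0]

def loose_match(value, pattern=r".*staff1"):
    """Unanchored search with the wildcard from the post, for comparison."""
    return re.search(pattern, value) is not None

# Constructed sample record: several entitlements, one valid wireless VLAN.
SAMPLE = [
    "urn:mace:uni.ca:library?access=full",
    "urn:mace:uni.ca:wireless?vlan=student1",
    "urn:mace:uni.ca:vpn?vlan=staff1",          # other service, ignored
    "urn:mace:uni.ca:wireless?vlan=nonstaff1",  # not on the allow-list
]

if __name__ == "__main__":
    print(select_vlan(SAMPLE))
    print([v for v in SAMPLE if loose_match(v)])
```

The last two sample values are skipped by the strict parser but are both matched by the loose wildcard, which is why the VLAN decision is better made on a full match plus an allow-list.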

