Matthieu Lazaro wrote:
> 1- a client connects to a 802.1x protected VLAN ID 10 (per port basis
> configuration on the switch)

  The client connects via 802.1X. It doesn't connect on a VLAN. VLAN assignment comes *after* the client has been authenticated.

> --> this client has some of the following LDAP attributes:
> uid = bobalice
> radiusTunnelPrivateGroupID = 20
> radiusTunnelType = VLAN
> radiusMediumType = IEEE-802

  If you list those in raddb/ldap.attrmap, they should automatically be returned. But they're not in the default ldap.attrmap.

> radiusCallingStationId = 00-21-42-42-87-b1
> radiusUserCategory = ADMIN

  There is no such thing as "radiusUserCategory" in the default configuration.

  Part of the issue is that you're confusing *reply* attributes with *check* attributes. See ldap.attrmap for more information on how LDAP attributes are used.

> 2- First I want to check the following attributes, and if not correct,
> reject the user:
> radiusTunnelType = VLAN
> radiusMediumType = IEEE-802
> radiusCallingStationId = 00-21-42-42-87-b1
> radiusUserCategory = ADMIN

  What do you mean "Not correct"? Those are *LDAP* attributes. The RADIUS server receives *RADIUS* attributes.

  *PLEASE* ensure that you use the correct terminology. Using the wrong terminology is bad. i.e. referring to RADIUS concepts by LDAP names.

  And the RADIUS request will *not* contain Tunnel-Type, Tunnel-Medium-Type, or "user category". It *will* contain the Calling-Station-Id.

  Maybe you missed the part of my email where I said look at the contents of the *RADIUS* packet. You don't seem to have done that. I don't give suggestions at random. They're here for a *reason*.

> 3- Then I want to authenticate and authorise the user if login/password
> are correct

  OK.

> 4 - Then move him into the appropriate VLAN ID 20 instead of ID 10 based
> on this attribute:
> radiusTunnelPrivateGroupID = 20

  If you add that as a replyItem to ldap.attrmap, it should work.

> For now, I have only been able to make the RadiusCallingStationId work
> using checkval.

  That shouldn't be necessary. The LDAP module will treat it as a checkItem all by itself. See ldap.attrmap.

> Hoping this is much much more precise and clearer, I really wish to
> discover what am I missing.

  You're using the wrong terminology. You're not following instructions.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
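The ldap.attrmap entries the reply points at, written out as an added example (not from the thread or from the FreeRADIUS default file). The RADIUS attribute names are the standard ones; the LDAP attribute names are taken from the quoted post and are assumed to match the schema actually loaded into the directory:

```text
# raddb/ldap.attrmap (FreeRADIUS 2.x layout): <type>  <RADIUS attribute>  <LDAP attribute>
#
# checkItem: the LDAP value is compared against the same attribute in the
#            incoming Access-Request, so only attributes the switch actually
#            sends are usable here. Calling-Station-Id (the client MAC) is in
#            every 802.1X request; mapping it ties the account to one MAC and
#            the request is rejected when the two values differ.
checkItem   Calling-Station-Id        radiusCallingStationId

# replyItem: the LDAP value is copied into the Access-Accept. The switch reads
#            these three together to move the authenticated port onto VLAN 20.
#            They cannot be checkItems: the request never carries Tunnel-*.
#            LDAP names below are the post's spelling (assumed to exist in the
#            deployed schema; the RADIUS-LDAPv3 schema uses different names).
replyItem   Tunnel-Type               radiusTunnelType
replyItem   Tunnel-Medium-Type        radiusMediumType
replyItem   Tunnel-Private-Group-Id   radiusTunnelPrivateGroupID
```

With the server started as `radiusd -X`, the debug output shows the Access-Request (confirm Calling-Station-Id is present and no Tunnel-* attributes are) and the Access-Accept (confirm all three Tunnel-* attributes are returned), which is the packet-level check the reply asks for.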

