> Here is one policy that I wish to make work.
>
> 1- a client connects to an 802.1x protected VLAN ID 10 (per port basis
> configuration on the switch)
> --> this client has some of the following LDAP attributes:
> uid = bobalice
> radiusTunnelPrivateGroupID = 20
> radiusTunnelType = VLAN
> radiusMediumType = IEEE-802
> radiusCallingStationId = 00-21-42-42-87-b1
> radiusUserCategory = ADMIN
> 2- First I want to check the following attributes, and if not correct,
> reject the user:
> radiusTunnelType = VLAN
> radiusMediumType = IEEE-802

Are those two attributes in the access request? If they are, map them as
check items in ldap.attrmap.

> radiusCallingStationId = 00-21-42-42-87-b1

This is already in ldap.attrmap.

> radiusUserCategory = ADMIN

Where is that supposed to come from?

> 3- Then I want to authenticate and authorise the user if login/password
> are correct

Fine. Nothing to do.

> 4 - Then Move him into the appropriate VLAN ID 20 instead of ID10 based
> on this attribute:
> radiusTunnelPrivateGroupID = 20

Map that as a reply item in ldap.attrmap. You will need tunnel and medium
type in the reply as well. So add them too.

Ivan Kalik
Kalik Informatika ISP
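The mappings suggested in the reply above, written out as ldap.attrmap lines. This is an added example, not part of the original message or of the file FreeRADIUS ships. It assumes the `ItemType RADIUS-Attribute ldapAttribute` layout of the FreeRADIUS 2.x ldap.attrmap and uses the LDAP attribute names exactly as listed in the question.

```text
# ldap.attrmap (FreeRADIUS rlm_ldap): added illustration, not the poster's file.
# Layout: ItemType   RADIUS-Attribute   ldapAttribute
# LDAP attribute names are the ones listed in the question.

# Step 2: already mapped according to the reply; compared against the request.
checkItem   Calling-Station-Id        radiusCallingStationId

# Step 2, conditional: enable only if the switch really sends these
# attributes in the Access-Request (the question the reply asks).
#checkItem  Tunnel-Type               radiusTunnelType
#checkItem  Tunnel-Medium-Type        radiusMediumType

# Step 4: returned in the Access-Accept so the switch can place the port
# in VLAN 20. All three tunnel attributes go in the reply.
replyItem   Tunnel-Type               radiusTunnelType
replyItem   Tunnel-Medium-Type        radiusMediumType
replyItem   Tunnel-Private-Group-Id   radiusTunnelPrivateGroupID
```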

