> I try to ask my questions more precisely:
> * what are the radius ldap attributes meant for? Is it only for accounting
> or can we use them for something else?

They can be used for authorization as well. You put them in your Access-Accept packet (reply) and if your switch supports those attributes it does certain things (assigns VLANs, sets various timeouts, restricts bandwidth etc.).

> * I have understood that it is better to put the user directly in the
> correct VLAN rather than checking his request and deny him: do I have to
> do something special in Radius to forward LDAP attributes info to the
> switch?
> ( I am reading again the switch's documentation to figure how to parse
> the attributes instead of using static vlans)
>

Ah, you should have done that first. Many vendors advertise "dynamic VLAN assignment" but when you read through the documentation it turns out that the assignment is static and that the only thing "dynamic" about them is that you can change them via a console. Make sure first that your switch supports dynamic VLAN assignment via radius.

Ivan Kalik
Kalik Informatika ISP

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
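
The reply-attribute mechanism described in the reply above, as an added example that is not part of the original post: a small decoder that reads an Access-Accept and reports which VLAN it tells the switch to use. It assumes the RFC 3580 tunnel attributes (Tunnel-Type, Tunnel-Medium-Type, Tunnel-Private-Group-ID), which the post does not name; the sample packet is constructed, with a zeroed authenticator and VLAN "120" chosen for illustration.

```python
import struct

# Numbers from RFC 2865 / RFC 2868 / RFC 3580 (assumed here, not in the original post)
ACCESS_ACCEPT = 2
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TYPE_VLAN, MEDIUM_IEEE_802 = 13, 6

def attr(a_type, value):
    """Encode one RADIUS attribute: type, length (header included), value."""
    return bytes([a_type, len(value) + 2]) + value

def build_accept(ident, attrs):
    """Constructed sample Access-Accept; the authenticator is zeroed, not computed."""
    body = b"".join(attrs)
    return struct.pack("!BBH16s", ACCESS_ACCEPT, ident, 20 + len(body), b"\0" * 16) + body

def parse_attributes(packet):
    """Return (code, [(type, value), ...]), rejecting malformed lengths."""
    if len(packet) < 20:
        raise ValueError("packet shorter than RADIUS header")
    code, _ident, length, _auth = struct.unpack("!BBH16s", packet[:20])
    if length < 20 or length > len(packet):
        raise ValueError("bad packet length")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length or packet[pos + 1] < 2 or pos + packet[pos + 1] > length:
            raise ValueError("bad attribute header or length")
        a_type, a_len = packet[pos], packet[pos + 1]
        attrs.append((a_type, packet[pos + 2:pos + a_len]))
        pos += a_len
    return code, attrs

def assigned_vlan(packet):
    """VLAN the reply asks the switch to apply, or None if the attribute set is incomplete."""
    code, attrs = parse_attributes(packet)
    if code != ACCESS_ACCEPT:
        return None
    found = dict(reversed(attrs))  # reversed so the first occurrence of a type wins
    t, m, g = (found.get(k) for k in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID))
    if not t or not m or not g or len(t) != 4 or len(m) != 4:
        return None
    # Tunnel-Type / Tunnel-Medium-Type carry one tag byte followed by a 3-byte value
    if int.from_bytes(t[1:], "big") != TYPE_VLAN or int.from_bytes(m[1:], "big") != MEDIUM_IEEE_802:
        return None
    # Tunnel-Private-Group-ID: an optional tag byte (<= 0x1F) precedes the string
    return (g[1:] if g[0] <= 0x1F else g).decode("ascii")

SAMPLE = build_accept(7, [attr(64, b"\x00\x00\x00\x0d"), attr(65, b"\x00\x00\x00\x06"), attr(81, b"120")])
```

Running `assigned_vlan()` over a reply captured on the server side shows what was actually sent; whether the switch acts on it still depends on the switch supporting dynamic assignment, as the reply says.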

