Hi All,

I got dynamic VLAN assignment working in the post-auth section with help/hints from a lot of list members. Now I want to do one more step. I would like to hash the username or MAC address to distribute users to different VLANs. The idea is to use FreeRADIUS to spread the load over different smaller subnets to reduce the broadcast traffic of bigger VLANs.
For example, I want to do the following:

    if ( "%{User-Name}" !~ /@/ ) {
        if ( %{User-Name}%2 == 0 ) {
            update reply {
                Service-Type = "Framed-User"
                Tunnel-Type = "VLAN"
                Tunnel-Medium-Type = "IEEE-802"
                Tunnel-Private-Group-Id = "facstaff0"
            }
        }
        elsif ( %{User-Name}%2 == 1 ) {
            update reply {
                Service-Type = "Framed-User"
                Tunnel-Type = "VLAN"
                Tunnel-Medium-Type = "IEEE-802"
                Tunnel-Private-Group-Id = "facstaff1"
            }
        }
    }

Will I be able to do this in post-auth with unlang?

Thanks,
Schilling

---------- Forwarded message ----------
From: schilling <schilling2...@gmail.com>
Date: Tue, Jan 25, 2011 at 10:19 AM
Subject: Re: dynamic VLAN assignment w/ mschapv2 against AD and LDAP
To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org>

I believe I resolved this. I used eapol_test to get all the wanted results, and will try on a real NAS later on. The following is what I did.

Basically I followed Alexander's example: I modified the peap section in eap.conf to use another virtual server "auth" instead of the inner-tunnel virtual server. I almost blindly copied Alexander's example in the auth server, except I removed the reject for the realm checks. The ldap cache pm is not needed in my case since I do not query Windows AD via LDAP to get their attributes. If I want to do ldap after ntlm against AD, then Alexander's pm might be needed.

Then I wanted to map a certain attribute like employeeStatus from our iPlanet LDAP server to some RADIUS attribute, so I can manipulate it in the post-auth section. I put the following line in etc/raddb/dictionary:

    ATTRIBUTE My-Local-employeeStatus 3000 string

and the following lines in etc/raddb/ldap.attrmap:

    #FOO specific attributes
    replyItem My-Local-employeeStatus employeeStatus

Without these two line additions, radius will complain about an unknown attribute.

Then in the post-auth section:

    #default will have no Tunnel attribute/value, instead, they will be configured on
    #the NAS to go to student VLANs.

    # this will cover my ldap ntPassword authentication/authorization
    #facstaff have employeeStatus set while student does not
    if ( "%{User-Name}" =~ /@/ && "%{reply:My-Local-employeeStatus}" ) {
        update reply {
            Service-Type = "Framed-User"
            Tunnel-Type = "VLAN"
            Tunnel-Medium-Type = "IEEE-802"
            Tunnel-Private-Group-Id = "facstaff"
        }
    }

    #this will cover my AD ntlm auth, People in AD are all facstaff
    if ( "%{User-Name}" !~ /@/ ) {
        update reply {
            Service-Type = "Framed-User"
            Tunnel-Type = "VLAN"
            Tunnel-Medium-Type = "IEEE-802"
            Tunnel-Private-Group-Id = "facstaff"
        }
    }

In this way, people can map an arbitrary attribute from LDAP to RADIUS; if it is not in dictionary/ldap.attrmap, then just define your own. Then you have the flexibility of using these attributes/values in your logic in the post-auth section.

Thanks all for the hints and help!

Schilling

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
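The hashing idea from the question, worked through as an added example (not code from the post or from FreeRADIUS): a stable hash of User-Name, or of a normalised Calling-Station-Id MAC, selects one of N VLAN groups and the reply attributes from the post are built from it. It assumes the group names facstaff0/facstaff1, that realm-less names are hashed on the username and names with a realm on the MAC, and that such a function would be hooked in from post-auth via a module like rlm_python rather than written in unlang.

```python
import hashlib
import re
from collections import Counter
from typing import Dict, Iterable, List, Optional

# Assumed group names, one per smaller subnet (the post uses facstaff0/facstaff1).
VLAN_GROUPS: List[str] = ["facstaff0", "facstaff1"]

def normalize_mac(mac: str) -> str:
    """Canonicalise the MAC formats different NAS vendors send in
    Calling-Station-Id (aa:bb:cc:dd:ee:ff, AA-BB-CC-DD-EE-FF, aabb.ccdd.eeff)
    so the same client always hashes to the same VLAN."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(hexdigits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))

def vlan_bucket(key: str, groups: List[str] = VLAN_GROUPS) -> str:
    """Pick a group by hashing the key. sha256 (not Python's hash(), which is
    randomised per process) keeps the mapping stable across restarts."""
    digest = hashlib.sha256(key.lower().encode("utf-8")).digest()
    return groups[int.from_bytes(digest[:8], "big") % len(groups)]

def vlan_reply(user_name: str, calling_station_id: Optional[str] = None) -> Dict[str, str]:
    """Reply attributes as in the post. Realm-less (AD) users are spread by
    User-Name; with a realm, the normalised MAC is used when present (assumed)."""
    if "@" not in user_name:
        key = "user:" + user_name
    elif calling_station_id:
        key = "mac:" + normalize_mac(calling_station_id)
    else:
        return {}  # no Tunnel attributes: the NAS default (student VLAN) applies
    return {
        "Service-Type": "Framed-User",
        "Tunnel-Type": "VLAN",
        "Tunnel-Medium-Type": "IEEE-802",
        "Tunnel-Private-Group-Id": vlan_bucket(key),
    }

def distribution(keys: Iterable[str], groups: List[str] = VLAN_GROUPS) -> Counter:
    """Count how many keys land in each group, to check the spread is even."""
    return Counter(vlan_bucket(k, groups) for k in keys)

if __name__ == "__main__":
    print(vlan_reply("jdoe"))  # constructed sample username
    print(distribution(f"user{i}" for i in range(1000)))
```

Hashing on a canonical form matters: a NAS that reports the MAC in a different format would otherwise move the same client to another VLAN.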