On 05/03/12 09:38, Stefano Zanmarchi wrote:
Hi,
my first post here, a newbie question, thanks for your help.
I'm going to set up two freeradius servers (2.1.7 on RHEL 5.5).
ServerB will be connected to an AP and I want it to proxy all EAP
requests to serverA (TTLS-PAP will be the only method accepted),
which will do authentication using an OpenLDAP backend.

Ok. That's a weird config, but ok.

My question:
I'd like to configure serverA to include in the Access-Accept packet
some AVPs which are specific to my Organization, like department_name,
employee_role (I believe these are the so-called VSAs), and I'd like
serverB to perform some if-then-else logic on these VSAs to dynamically
calculate the VLAN-ID to return to the AP.
Is this possible (in a simple way)? Is it a common set up?

It's not common.

It is pretty easy though; on serverB do something like this:

post-proxy {
  ...
  # Ensure this filter permits "Some-Attr"
  attr_filter.name
}

post-auth {
  if (reply:Some-Attr == ...) {
    update reply {
      My-Vlan := 123
    }
  }
}

See the sample config for more details on the attr_filter module, and "man unlang" for more info on processing.
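
A fuller version of the post-auth logic above, as an added example that is not part of the original reply or the FreeRADIUS sample config. It assumes two hypothetical VSAs (Example-Department, Example-Role) under a placeholder vendor number, uses constructed VLAN IDs, and returns the VLAN with the standard Tunnel-Type, Tunnel-Medium-Type and Tunnel-Private-Group-Id attributes rather than a single My-Vlan attribute.

```unlang
# Added example. Every Example-* name, the vendor number and the VLAN IDs
# are placeholders (assumptions), not values from the original thread.

# --- local dictionary, identical on serverA and serverB ---
# 99999 is a placeholder; use your organization's own enterprise number.
VENDOR        Example-Org          99999
BEGIN-VENDOR  Example-Org
ATTRIBUTE     Example-Department   1    string
ATTRIBUTE     Example-Role         2    string
END-VENDOR    Example-Org

# --- serverB: map the VSAs returned by serverA to a VLAN ---
# The post-proxy attr_filter must permit both Example-* attributes,
# otherwise every user lands in the fallback branch below.
post-auth {
	if ((reply:Example-Department == "engineering") && (reply:Example-Role == "staff")) {
		update reply {
			Tunnel-Type := VLAN
			Tunnel-Medium-Type := IEEE-802
			Tunnel-Private-Group-Id := "110"
		}
	}
	elsif (reply:Example-Department == "finance") {
		update reply {
			Tunnel-Type := VLAN
			Tunnel-Medium-Type := IEEE-802
			Tunnel-Private-Group-Id := "120"
		}
	}
	else {
		# Default: a missing or unrecognised department/role gets the
		# restricted VLAN instead of whatever the AP would pick itself.
		update reply {
			Tunnel-Type := VLAN
			Tunnel-Medium-Type := IEEE-802
			Tunnel-Private-Group-Id := "999"
		}
	}
}
```

The final else branch makes the mapping fail closed: an account whose LDAP entry lacks the expected values is still authenticated, but only onto the restricted VLAN.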