Greetings~

Previously using radius, we were able to assign a VLAN based upon group
membership using the following syntax in /etc/raddb/users:


DEFAULT Group-Name == "testgroup"
       Tunnel-Type = 13,
       Tunnel-Medium-Type = 6,
       Tunnel-Private-Group-Id = "100",
       Fall-Through = no

Now with FreeRADIUS Version 2.1.12, we are unable to make the above syntax work 
anymore.

After some reading, we stumbled upon someone with a similar issue who claimed
that you now have to place it in the post-auth section of
/etc/raddb/sites-enabled/default ... we had to make some modifications to the
syntax as well:

update reply {

                Tunnel-Private-Group-Id = 100
                Tunnel-Type = VLAN
                Tunnel-Medium-Type = IEEE-802
                Tunnel-Preference = 0x000000
}

While the above syntax does appear to properly assign the VLAN ... we are
unable to match this against the Group-Name field (so the following does not
work):

if(Group-Name == "testgroup") {
        update reply {
                Tunnel-Private-Group-Id = 100
                Tunnel-Type = VLAN
                Tunnel-Medium-Type = IEEE-802
                Tunnel-Preference = 0x000000
        }
}

We are able to get the if syntax to expand upon User-Name like the following
(just Group-Name doesn't work):

if(User-Name == "testuser") {
        update reply {
                Tunnel-Private-Group-Id = 100
                Tunnel-Type = VLAN
                Tunnel-Medium-Type = IEEE-802
                Tunnel-Preference = 0x000000
        }
}

However ... we appear unable to get any variable to expand that relates to
group. (We have tried Group, Group-Name, Ldap-Group, LDAP-Group, gid, group, all
without success.) It would be ideal to base VLAN membership off of group as
opposed to individual user.


Questions:

1)  Is there a way to echo out *all* variables that radiusd -X has access to at 
the time of testing so we can perhaps see what field contains the valid group 
on?

2)  Does anyone know what the variable for groups we should be using is?

3)  Is there documentation that covers the change in syntax as I described
above?  (... I'm sure I'm just not finding it but I have been looking)

(This is on the latest version of Apple's deployment of freeradius that relies 
on OpenDirectory)

(We will try and contact Apple as well... but I'm imagining this request will be
beyond their capabilities... echoing out all variables may get us a solution
faster???)

Thank you in advance for any advice or pointers to relevant documentation.