On 02/05/2014 02:20 PM, Pedro Marques wrote:
> I need to do the following config on radiator server. For each user
> authentication request, I want to verify LDAP user group membership,
> and according to the LDAP group I want to change the
> "Tunnel-Private-Group-ID" in the radiator reply.
> What is the best approach to do that?

The simple approach is to have an attribute for each user. The attribute value is the VLAN id and no group lookup is required.

If you need to do a group lookup, you could utilise PostSearchHook to do additional queries. Based on the query results, you can push Tunnel-Private-Group with the VLAN id value in the user's reply attributes. There was discussion related to this just a few days ago on this list.

If you can query the groups the user is a member of, you could store those in the reply with AuthAttrDef. A PostAuthHook could then map the group information to VLAN id. However, this would work best when the final Access-Accept is returned right after the LDAP lookup. This is not the case with, for example, PEAP.

The details depend on how the data is presented in your directory. Some sites map group names to VLAN ids and some sites even have the VLAN id as a part of group name. The id is then extracted from the group name directly.

Thanks,
Heikki

--
Heikki Vatiainen <[email protected]>
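
The group-to-VLAN mapping discussed in the reply above, as a standalone Python illustration added here; it is not part of the original message and is not Radiator hook code. The group names, VLAN ids and the `vlan-<id>` naming convention are constructed assumptions, and the attribute values use RFC 3580 notation (the exact value names depend on the server's dictionary).

```python
import re

# Constructed sample map: group name -> VLAN id, in priority order (first match wins).
GROUP_VLAN_MAP = [("net-admins", 10), ("staff", 20), ("students", 30)]

# Hypothetical convention for sites that embed the VLAN id in the group name.
VLAN_IN_NAME = re.compile(r"^vlan-(\d{1,4})$", re.IGNORECASE)

def group_cn(value):
    """Return the CN of a group DN such as 'cn=staff,ou=groups,dc=example,dc=org',
    or the value itself when it is already a plain name (escaped commas not handled)."""
    first_rdn = value.split(",", 1)[0].strip()
    key, sep, name = first_rdn.partition("=")
    return name.strip() if sep and key.strip().lower() == "cn" else value.strip()

def valid_vlan(vid):
    # 0 and 4095 are reserved in 802.1Q; never hand them to a switch.
    return 1 <= vid <= 4094

def vlan_for_groups(groups):
    """Pick exactly one VLAN id for a user's groups, or None when nothing maps."""
    names = {group_cn(g).lower() for g in groups}
    for name, vid in GROUP_VLAN_MAP:  # the explicit map takes precedence
        if name in names and valid_vlan(vid):
            return vid
    embedded = set()
    for n in names:
        m = VLAN_IN_NAME.match(n)
        if m and valid_vlan(int(m.group(1))):
            embedded.add(int(m.group(1)))
    # Two different embedded ids are ambiguous: refuse to guess.
    return embedded.pop() if len(embedded) == 1 else None

def reply_attributes(groups):
    """Build the VLAN reply attributes, or None so the caller can reject the
    request or fall back to a restricted default VLAN."""
    vid = vlan_for_groups(groups)
    if vid is None:
        return None
    return {"Tunnel-Type": "VLAN", "Tunnel-Medium-Type": "802",
            "Tunnel-Private-Group-ID": str(vid)}

if __name__ == "__main__":
    # Constructed group list for one user.
    print(reply_attributes(["cn=students,ou=groups,dc=example,dc=org", "vlan-42"]))
```

Returning `None` for unmapped, ambiguous or out-of-range results keeps the decision explicit, so a directory typo cannot silently place a user on an unintended VLAN.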
