Jacob Jarick wrote:
> * school with wireless access
> * already uses radius (soon to be freeradius)
> * freeradius auths via a win2k3 Active Directory Server
> * teachers need to be able to log into WAPs a,b,c etc and be automatically assigned to the teachers vlan
> * priv students need to be able to log into WAPs a,b,c and be assigned to the priv student vlan
> * norm students simply need to have network access denied from WAPs a,b,c
>
> From what I've learnt so far today, I need to configure the radius.conf
> to retrieve the users group from the ADS and then return auth and map
> group - vlan / tunnel ID.

Yes. You should be able to do that via the LDAP-Group attribute. In
the users file, do:

DEFAULT LDAP-Group == norm-students, NAS-IP-Address == a, Auth-Type := Reject

DEFAULT LDAP-Group == norm-students, NAS-IP-Address == b, Auth-Type := Reject

DEFAULT LDAP-Group == norm-students, NAS-IP-Address == c, Auth-Type := Reject

DEFAULT LDAP-Group == priv-students
	... assign VLAN (see NAS documentation for what attributes)

DEFAULT LDAP-Group == teacher
	... assign VLAN (see NAS documentation for what attributes)

Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
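
The users-file layout from the reply above, filled in with the RFC 3580 VLAN tunnel attributes, as an added example that is not part of the original thread. The NAS addresses (192.0.2.x), group names and VLAN IDs are constructed placeholders, and the assumption is that the access points accept these three standard attributes; the NAS documentation is the authority on that.

```text
# FreeRADIUS "users" file (added example; all addresses and VLAN IDs
# below are constructed placeholders, not values from the thread).
#
# Entries are evaluated top to bottom and the first match ends the
# search unless the entry sets Fall-Through = Yes, so the reject
# rules are listed before the VLAN assignments.

# Normal students: denied on each of the three wireless access points.
DEFAULT LDAP-Group == "norm-students", NAS-IP-Address == 192.0.2.11, Auth-Type := Reject

DEFAULT LDAP-Group == "norm-students", NAS-IP-Address == 192.0.2.12, Auth-Type := Reject

DEFAULT LDAP-Group == "norm-students", NAS-IP-Address == 192.0.2.13, Auth-Type := Reject

# Privileged students: placed on VLAN 20 (placeholder ID).
# Tunnel-Type, Tunnel-Medium-Type and Tunnel-Private-Group-Id are the
# RFC 3580 attributes for dynamic VLAN assignment; assumed here to be
# what the NAS expects.
DEFAULT LDAP-Group == "priv-students"
	Tunnel-Type = VLAN,
	Tunnel-Medium-Type = IEEE-802,
	Tunnel-Private-Group-Id = "20"

# Teachers: placed on VLAN 10 (placeholder ID).
DEFAULT LDAP-Group == "teacher"
	Tunnel-Type = VLAN,
	Tunnel-Medium-Type = IEEE-802,
	Tunnel-Private-Group-Id = "10"

# A user who matches none of the entries above is not rejected by this
# file: the request continues through normal authentication and, if it
# succeeds, the reply carries no VLAN attributes, so the port lands in
# whatever default VLAN the access point is configured with.
```

Because the first matching entry wins, an account that belongs to more than one of these groups gets the treatment of whichever entry appears first, which is worth checking against the group memberships in the directory.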