Jacob Jarick wrote:
> * school with wireless access
> * already uses radius (soon to be freeradius)
> * freeradius auths via a win2k3 Active Directory Server
> * teachers need to be able to log into WAPs a, b, c etc. and be
>   automatically assigned to the teachers vlan
> * priv students need to be able to log into WAPs a, b, c and be
>   assigned to the priv student vlan
> * norm students simply need to have network access denied from WAPs a, b, c
>
> From what I've learnt so far today, I need to configure the radius.conf
> to retrieve the users group from the ADS and then return auth and map
> group -> vlan / tunnel ID.

Yes. You should be able to do that via the LDAP-Group attribute. In the "users" file, do:

DEFAULT LDAP-Group == "norm-students", NAS-IP-Address == a, Auth-Type := Reject

DEFAULT LDAP-Group == "norm-students", NAS-IP-Address == b, Auth-Type := Reject

DEFAULT LDAP-Group == "norm-students", NAS-IP-Address == c, Auth-Type := Reject

DEFAULT LDAP-Group == "priv-students"
	... assign VLAN (see NAS documentation for what attributes)

DEFAULT LDAP-Group == "teacher"
	... assign VLAN (see NAS documentation for what attributes)

Alan DeKok.
-- 
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
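
The following is an added example, not part of the original post: a filled-in "users" file for the policy discussed above, assuming the access points accept the RFC 3580 tunnel attributes for VLAN assignment (check the NAS documentation, as the reply says). The NAS addresses (192.0.2.x) and the VLAN IDs 10 and 20 are constructed placeholders.

```text
# Added example. Assumes the LDAP module is configured so that
# LDAP-Group can be checked against Active Directory group membership.
# Entries are evaluated top to bottom; the first match is used.

# Normal students: rejected on each of the three access points.
# 192.0.2.1-3 are placeholder NAS addresses for WAPs a, b and c.
DEFAULT LDAP-Group == "norm-students", NAS-IP-Address == 192.0.2.1, Auth-Type := Reject

DEFAULT LDAP-Group == "norm-students", NAS-IP-Address == 192.0.2.2, Auth-Type := Reject

DEFAULT LDAP-Group == "norm-students", NAS-IP-Address == 192.0.2.3, Auth-Type := Reject

# Privileged students: placed in VLAN 20 (placeholder ID).
# The three reply attributes are the RFC 3580 VLAN assignment set;
# this is an assumption about what the NAS honours.
DEFAULT LDAP-Group == "priv-students"
	Tunnel-Type = VLAN,
	Tunnel-Medium-Type = IEEE-802,
	Tunnel-Private-Group-Id = "20"

# Teachers: placed in VLAN 10 (placeholder ID).
DEFAULT LDAP-Group == "teacher"
	Tunnel-Type = VLAN,
	Tunnel-Medium-Type = IEEE-802,
	Tunnel-Private-Group-Id = "10"
```

A user who belongs to more than one of these groups gets the first matching entry, so the order of the entries is part of the policy.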