(RADIATOR) (re)set of Vendor specific attributes
DELORT Stephane
Stephane.DELORT at murex.com
Tue Aug 2 08:06:50 CDT 2005
Hello everyone,
I would like to have my Active Directory users authenticated and then moved to their appropriate VLAN (with Trapeze VLAN vendor-specific attributes).
I tried to have separate handlers like this:
<Handler TunnelledByPEAP=1>
    AuthByPolicy ContinueWhileAccept
    # check the macaddress in a file
    AuthBy checkMacAddress
    AuthBy checkCorporateUsers
</Handler>
<Handler TunnelledByPEAP=1>
    AuthByPolicy ContinueWhileAccept
    # check the macaddress in a file
    AuthBy checkMacAddress
    AuthBy checkClientUsers
</Handler>
<AuthBy LSA>
    Identifier checkCorporateUsers
    ...
    StripFromReply TRPZ-VLAN-Name
    AddToReply TRPZ-VLAN-Name = corpo_vlan
</AuthBy>
<AuthBy LSA>
    Identifier checkClientUsers
    ...
    StripFromReply TRPZ-VLAN-Name
    AddToReply TRPZ-VLAN-Name = client_vlan
</AuthBy>
<Handler>
    #PEAP
</Handler>
/!\ This does NOT work because the second handler is never used.
I thought the handlers were checked until one matches the criteria, but it does not seem to be the case.
So I tried another idea based on the AuthBy GROUP
and I had:
<Handler TunnelledByPeap=1>
    <AuthBy GROUP>
        AuthByPolicy ContinueWhileAccept
        AuthBy CheckMacAddress
        <AuthBy GROUP>
            AuthByPolicy ContinueWhileReject
            AuthBy CheckCorporateUsers
            AuthBy CheckClientUsers
        </AuthBy>
    </AuthBy>
</Handler>
In this case, the first clause to be looked at (CheckCorporateUsers) sets the TRPZ-VLAN-Name in the Reply message.
Even the StripFromReply in CheckClientUsers is not able to remove this attribute (this is odd).
Is there a way to do what I want, or at least flush the AccessAccept reply attributes?
Thanks in advance for any help,
Stéphane