[RADIATOR] Vlan assigned by ldap group membership on radiator

Heikki Vatiainen hvn at open.com.au
Thu Feb 6 06:39:55 CST 2014


On 02/05/2014 02:20 PM, Pedro Marques wrote:

> I need to do the following config on radiator server. For each user
> authentication request, I want to verify ldap user group membership,
> and according to the ldapgroup I want to change the
> "Tunnel-Private-Group-ID" in the radiator reply.
> What is the best approach to do that?

The simple approach is to have an attribute for each user. The attribute
value is the VLAN id and no group lookup is required.

If you need to do a group lookup, you could utilise PostSearchHook to do
additional queries. Based on the query results, you can push
Tunnel-Private-Group-ID with the VLAN id value in the user's reply
attributes. There was discussion related to this just a few days ago on
this list.

If you can query the groups the user is a member of, you could store those
in the reply with AuthAttrDef. A PostAuthHook could then map the group
information to VLAN id. However, this would work best when the final
Access-Accept is returned right after the LDAP lookup. This is not the
case with, for example, PEAP.

The details depend on how the data is presented in your directory. Some
sites map group names to VLAN ids and some sites even have the VLAN id
as a part of group name. The id is then extracted from the group name
directly.

Thanks,
Heikki

-- 
Heikki Vatiainen <hvn at open.com.au>

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
NetWare etc.
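The group-to-VLAN decision that a PostSearchHook (or PostAuthHook) would have to make, written out in Python as an added example; this is not Radiator code and it does not show the Perl hook wiring. The group DNs, the explicit group-to-VLAN table and the "cn=vlan-<id>-..." naming convention are constructed assumptions; the Tunnel-Type and Tunnel-Medium-Type values are the RFC 2868 VLAN/802 values.

```python
import re

# RFC 2868 enumerations used for VLAN assignment in an Access-Accept
TUNNEL_TYPE_VLAN = 13          # Tunnel-Type = VLAN
TUNNEL_MEDIUM_IEEE_802 = 6     # Tunnel-Medium-Type = 802

# Constructed site policy: explicit group DN -> VLAN id (keys lower-cased)
GROUP_TO_VLAN = {
    "cn=staff,ou=groups,dc=example,dc=com": 10,
    "cn=students,ou=groups,dc=example,dc=com": 20,
}
# Constructed convention for "VLAN id in the group name": cn=vlan-<id>,...
VLAN_IN_NAME = re.compile(r"^cn=vlan-(\d{1,4})\b", re.IGNORECASE)


def vlan_for_groups(groups):
    """Return the VLAN id granted by the user's group DNs, or None.

    None is returned when no group grants a VLAN, when the id is outside
    1..4094, or when two groups disagree; the caller then leaves the
    reply untouched (fail closed) instead of picking a VLAN arbitrarily.
    """
    found = set()
    for dn in groups:
        dn = dn.strip()
        vlan = GROUP_TO_VLAN.get(dn.lower())
        if vlan is None:
            m = VLAN_IN_NAME.match(dn)
            if m:
                vlan = int(m.group(1))   # id extracted from the name
        if vlan is not None and 1 <= vlan <= 4094:
            found.add(vlan)
    return found.pop() if len(found) == 1 else None


def vlan_reply_attrs(groups):
    """Reply attributes to add for these groups, or None to add nothing."""
    vlan = vlan_for_groups(groups)
    if vlan is None:
        return None
    return [
        ("Tunnel-Type", TUNNEL_TYPE_VLAN),
        ("Tunnel-Medium-Type", TUNNEL_MEDIUM_IEEE_802),
        ("Tunnel-Private-Group-ID", str(vlan)),
    ]


if __name__ == "__main__":
    print(vlan_reply_attrs(["cn=staff,ou=groups,dc=example,dc=com"]))
```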
