
FreeRadius LDAP group check


I want to implement 802.1x. The computers belonging to a Microsoft domain will be authenticated. The switch port will be configured in a VLAN according to the computer's group membership. Simple configuration. Works well ;) FreeRadius 3.0.19

Question: due to AD complexity, is it possible to assign the same VLAN to computers from different groups?

Currently I'm doing it as follows: in post-auth

if (Ldap-Group == VLAN16_SIEO1) {
    update reply {
        ...
    }
}

I want to allocate the same VLAN to groups such as VLAN16_BSTO1 and VLAN16_ADMCE1 and others starting with VLAN16_

I cannot use the =~ operator in the "if" condition: FreeRadius does not start! Is it possible to check the group name so as not to create many "if" conditions? In my case there would be about 800 of these conditions :)

Can anyone help me and tell me how to configure this to solve the problem? Thanks.


Solution

  • Enable cacheable_name in the LDAP module configuration - https://github.com/FreeRADIUS/freeradius-server/blob/v3.0.x/raddb/mods-available/ldap#L326

    And uncomment the line setting the cache attribute: https://github.com/FreeRADIUS/freeradius-server/blob/v3.0.x/raddb/mods-available/ldap#L333

    Then you can alter the condition to pattern match on group memberships LDAP-Cached-Membership[*] =~ /.*foo.*/.

    What cacheable_name and cacheable_dn do is create a list of all group memberships stored in the LDAP directory for that particular user, and write those values out to local attributes. You can use the wildcard selector [*] to apply a pattern match to all the values of LDAP-Cached-Membership.

    One caveat is that the LDAP module must have been called at least once before you use the condition, as it needs to create the list of groups.

    Edited to specify use of LDAP-Cached-Membership.
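A worked configuration for the approach in this answer, added here as an example and not taken from the question or the answer. It assumes the VLAN ID is 16, that the ldap module runs in the authorize section of the same virtual server as the post-auth check (for PEAP that is normally sites-available/inner-tunnel), and that a computer with no VLAN16_ group should be rejected rather than left in the switch's default VLAN.

```unlang
# mods-available/ldap, inside the existing "group { ... }" subsection.
# Only the two settings below change; keep base_dn, filter,
# membership_attribute etc. as already configured.
group {
    # Resolve every group the object is a member of and store the
    # group names locally, so one regex can cover all VLAN16_* groups.
    cacheable_name = 'yes'
    cache_attribute = 'LDAP-Cached-Membership'
}

# sites-available/<virtual server>, authorize section.
# The ldap module must run before post-auth so the cached list exists;
# the leading "-" keeps the request going if the module returns notfound.
authorize {
    -ldap
}

# Same virtual server, post-auth section.
post-auth {
    # [*] tests every cached group name. The pattern is anchored at the
    # start so a group such as "OLDVLAN16_X" does not match by accident.
    if (&LDAP-Cached-Membership[*] =~ /^VLAN16_/) {
        update reply {
            # Standard RFC 3580 VLAN assignment attributes.
            &Tunnel-Type := VLAN
            &Tunnel-Medium-Type := IEEE-802
            # VLAN ID assumed for this example.
            &Tunnel-Private-Group-Id := "16"
        }
    }
    else {
        # Fail closed: no matching group, no access (assumption for
        # this example; adjust if a default VLAN is intended).
        reject
    }
}
```

With `radiusd -X`, the debug output shows the cached values as `LDAP-Cached-Membership` attributes on the request once the ldap module has run, which is the quickest way to confirm the regex sees the names you expect.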