Selecting VLAN by LDAP or Radius entry?

New Contributor

Selecting VLAN by LDAP or Radius entry?

I've been reading through the docs and the forums, but I have yet to see how to do this in a programmatic way.

What I'd like to do is have a single auth realm configured (so that everyone appears the same on login) but when they log in, the SA should match against an LDAP group and then select the VLAN based on that info, and subsequently DHCP off that VLAN.

I've seen some things relating to assigning IPs on a per-user basis based on Radius, but I'm unclear if it can do VLANs as well.

If this doesn't work I have to write a parser for logfiles and go down a whole icky road...

Valued Contributor

Re: Selecting VLAN by LDAP or Radius entry?

It is late and my brain is not working too well - but VLAN assignment is tied to the role level. So you could write a custom expression that used an LDAP value to determine a role assignment. That role would apply the appropriate VLAN to the user. Thoughts?

Regular Contributor

Re: Selecting VLAN by LDAP or Radius entry?

Hi,

For example, it depends on the return attribute of the Radius.
If the Return attribute is "Filter-id = guest", on the SSL VPN, you may 'detect' "Filter-id = guest" and put this into "vlan-id = 101"...

Hope it helps...
New Contributor

Re: Selecting VLAN by LDAP or Radius entry?

Hrm, so I can only do this with Radius? Most of my data is already in LDAP so I'm a bit unexcited about switching...

Super Contributor

Re: Selecting VLAN by LDAP or Radius entry?

You can do this with LDAP, assuming your LDAP server is used for authentication or authorization. Let's say your LDAP had an attribute called "VLAN" in the directory entry which authenticated or authorized the user. Then you could have role-mapping rules, like -

If userAttr.VLAN = "1" then assign to "Role1"

If userAttr.VLAN = "2" then assign to "Role2"

and Role1 and Role2 should specify different VLANs.

Remember that, to use any LDAP attribute, you need to add it to the server catalog for the authentication server.

 

Ken
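To make the attribute-to-role-to-VLAN chain in Ken's answer concrete, here is a small Python simulation added to this thread (it is not code from the forum or from any vendor product). The attribute name "VLAN" comes from the post; the VLAN numbers 101 and 102, the directory entries and the "Restricted" fallback role are constructed, and the server-catalog requirement is modelled by skipping any rule whose attribute was never added to the catalog.

```python
# Added example: first-match role mapping driven by LDAP attributes, with
# each role carrying the VLAN it hands to the session.  Rules on attributes
# that were never added to the server catalog silently never fire, and a
# user matching no rule lands in a restricted role with no VLAN (fail closed).
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class Role:
    name: str
    vlan_id: Optional[int]  # None: role assigns no VLAN


@dataclass(frozen=True)
class Rule:
    attr: str    # LDAP attribute name, e.g. "VLAN" (userAttr.VLAN in the UI)
    value: str   # value that must be present on the user's entry
    role: Role


@dataclass
class AuthServer:
    catalog: Set[str]                 # attributes exported to role mapping
    rules: List[Rule] = field(default_factory=list)
    default_role: Role = Role("Restricted", None)

    def map_role(self, entry: Dict[str, List[str]]) -> Role:
        """Evaluate rules in order; the first match wins."""
        for rule in self.rules:
            if rule.attr not in self.catalog:
                continue  # not in the server catalog: the SA never sees it
            if rule.value in entry.get(rule.attr, []):
                return rule.role
        return self.default_role


def vlan_for(server: AuthServer, entry: Dict[str, List[str]]) -> Optional[int]:
    """VLAN the user would be placed on, or None if no role grants one."""
    return server.map_role(entry).vlan_id


# Constructed sample directory entries (multi-valued attributes as lists).
ENG_GROUP = "cn=eng,ou=groups,dc=example,dc=com"
ENTRIES = {
    "alice": {"VLAN": ["1"], "memberOf": [ENG_GROUP]},
    "bob":   {"VLAN": ["2"]},
    "carol": {"memberOf": [ENG_GROUP]},   # no VLAN attribute at all
}
ROLE1, ROLE2 = Role("Role1", 101), Role("Role2", 102)
SERVER = AuthServer(catalog={"VLAN"},
                    rules=[Rule("VLAN", "1", ROLE1), Rule("VLAN", "2", ROLE2)])
# Same rules keyed on group membership, but memberOf was never catalogued.
GROUP_SERVER = AuthServer(catalog={"VLAN"},
                          rules=[Rule("memberOf", ENG_GROUP, ROLE1)])
```

Running `vlan_for(GROUP_SERVER, ENTRIES["alice"])` returns None even though alice is in the group, which is exactly the symptom you see when the attribute is missing from the server catalog.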