I've been reading through the docs and the forums, but I have yet to see how to do this in a programatic way.
What I'd like to do is have a single auth realm configured (so that everyone appears the same on login) but when they login, the SA should match against an ldap group and then select the VLAN based on that info, and subsequently DHCP off that VLAN.
I've seen some things relating to assigning IP's on a per user based on Radius, but I'm unclear if it can do vlans as well.
If this doesn't work I have to write a parser for logfiles and go down a whole icky road...
It is late and my brain is not working to well - but VLAN assignment is tied to the role level. So you could write a custom expression that used an LDAP value to determine a role assignment. That role would apply the appropriate VLAN to the user. Thoughts?
Hrm, so I can only do this with radius? Most of my data is already in LDAP so I'm a bit unexcited about switching...
You can do this with LDAP, assuming your LDAP server is used for authentication or authorization. Let's say your LDAP had an attribute called "VLAN" in the directory entry which authenticated or authorized the user. Then you could have role-mapping rules, like -
If userAttr.VLAN = "1" then assign to "Role1"
If userAttr.VLAN = "2" then assign to "Role2"
and Role1 and Role2 should specify different VLANs.
Remember that, to use any LDAP attribute, you need to add it to the server catalog for the authentication server.