Author Topic: 802.1X - RADIUS - LDAP and VSA for VLAN derivation

nidez
802.1X - RADIUS - LDAP and VSA for VLAN derivation
« on: January 31, 2013, 07:22:37 pm »
Hi,
I'm new to the product and have played with it all day today, for the first time.
I'm looking for an easy and quick WPA Enterprise backend; I need it in order to publish one WiFi SSID behind 802.1X, using LDAP as the user/password backend.

Zentyal seems to have everything I need, but I really can't find the most simple (and useful) setting: a VSA attribute based on user group.

In a standard scenario RADIUS asks LDAP to validate the user/password combination; it retrieves from LDAP an "access granted" or "denied" and some other data such as the user's group. At this point it compares the user group against a matching table where you have bound some extra data called VSAs (vendor specific attributes), such as the L2 VLAN needed by the access point to terminate the user on the wired network.

Well, I really can't find where to associate the VSA with the group or with the user.
Do I need to go into the FreeRADIUS config files?
I had a look at /etc/freeradius/huntgroup and ./users, expecting to find something related to the LDAP backend, but they were empty.

Any suggestions?
Thanks.

half_life
Re: 802.1X - RADIUS - LDAP and VSA for VLAN derivation
« Reply #1 on: February 01, 2013, 05:36:02 am »
It is in the Zentyal web interface under the Gateway group --- Radius. At the top of the screen, under Radius, there is a "General configuration"; under that is a pull-down menu "Group allowed to authenticate". The Users and Groups module must be installed and configured. The Radius module must be turned on as well.

nidez
Re: 802.1X - RADIUS - LDAP and VSA for VLAN derivation
« Reply #2 on: February 01, 2013, 09:33:00 am »
Thank you for your reply.
I've found that config, but the part I'm missing is where to set the VSA for a specific group.

I'll try to explain it better (my English is very basic, as you can see):
- under the Radius config page I can configure ONE (and ONE only) group allowed to authenticate via RADIUS.
- I need to set up more than one group specifically (I'm going to explain the reason in the next point); I cannot use just one group, even if it contains other groups (nested groups).
- for each group I authorize I need to specify a different VSA (vendor specific attribute, or general RADIUS attribute) containing the VLAN tag.

Example:
- the user "user1" tries to connect to the WiFi and the access point asks for user/pass (802.1X auth)
- the user gives "user1" / "pass"
- the authentication credentials go through the RADIUS server to the LDAP
- LDAP says "OK, I know him, he is in the LDAP group 'company1'"
- RADIUS matches the LDAP group "company1" and attaches to the authentication response the bound VSA (or general attribute) which says "VLAN 100"
- the access point receives the RADIUS packet and bridges the user's WiFi connection onto the Ethernet cable on VLAN 100.


Of course I need to set up more than one group, each one with its specific VSA attribute containing the VLAN value associated with that group.

Can this config be done in some way?
This is standard behaviour for a RADIUS server used for 802.1X auth in a WiFi deployment.

-----------------
edited: spelling errors, I need some English classes :(
« Last Edit: February 01, 2013, 09:36:08 am by nidez »
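The group-to-VLAN mapping nidez describes, written out as FreeRADIUS 2.x configuration (the version shipped with Zentyal at the time). This is an added example, not code from the thread or from Zentyal. Two points a practitioner should know before copying it: the VLAN is normally carried in the three standard RFC 2868 tunnel attributes (Tunnel-Type, Tunnel-Medium-Type, Tunnel-Private-Group-Id), which access points understand, rather than in a vendor-specific attribute; and because 802.1X on WiFi almost always means PEAP or TTLS, the `users` file is evaluated inside the TLS tunnel, so the reply attributes have to be copied to the outer Access-Accept or the access point never sees them. The base DN, group names and VLAN IDs are assumptions; the posixGroup/memberUid group filter assumes the directory layout Zentyal's Users and Groups module uses.

```conf
# /etc/freeradius/modules/ldap (FreeRADIUS 2.x), assumed excerpt.
# Zentyal stores groups as posixGroup entries with memberUid, so the stock
# groupmembership_filter (GroupOfNames/member) would never match and every
# "Ldap-Group ==" check below would silently fail.
ldap {
        server = "localhost"
        basedn = "dc=example,dc=com"                  # assumption
        filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
        groupname_attribute = cn
        groupmembership_filter = "(&(objectClass=posixGroup)(memberUid=%{%{Stripped-User-Name}:-%{User-Name}}))"
        groupmembership_attribute = radiusGroupName
}

# /etc/freeradius/users: one DEFAULT entry per LDAP group.
# "Ldap-Group" is a check item answered by the ldap module; the reply items
# are RFC 2868 tunnel attributes, not a VSA. The ":0" suffix sets the tag
# byte; some access points ignore the attributes without it.
DEFAULT Ldap-Group == "company1"
        Tunnel-Type:0 = VLAN,
        Tunnel-Medium-Type:0 = IEEE-802,
        Tunnel-Private-Group-Id:0 = "100",
        Fall-Through = No

DEFAULT Ldap-Group == "company2"
        Tunnel-Type:0 = VLAN,
        Tunnel-Medium-Type:0 = IEEE-802,
        Tunnel-Private-Group-Id:0 = "200",
        Fall-Through = No

# Anyone in neither group is rejected rather than being dropped on the
# access point's native VLAN with no attributes at all.
DEFAULT Auth-Type := Reject
        Reply-Message = "No VLAN mapping for this account"

# /etc/freeradius/eap.conf, assumed excerpt of the peap/ttls sections.
# Without use_tunneled_reply the VLAN attributes stay inside the TLS tunnel.
peap {
        use_tunneled_reply = yes
}
ttls {
        use_tunneled_reply = yes
}
```

To verify, run `freeradius -X`, authenticate a test client, and check that the final (outer) Access-Accept in the debug output carries `Tunnel-Private-Group-Id:0 = "100"`; an attribute that appears only in the inner-tunnel reply means `use_tunneled_reply` is not in effect. Note also that Zentyal regenerates the FreeRADIUS files from its own templates when the module is saved, so direct edits are at risk of being overwritten; a copy of the template placed under /etc/zentyal/stubs is the supported way to keep such changes.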