We currently have a FreeRADIUS 1.1.6 server authenticating users from OpenLDAP, which are stored in the posixAccount account schema. We've now installed a Cisco WLC, and want to authenticate those users over 802.1X (which is successfully working), but also dynamically assign their computer onto a VLAN based on the MAC address of that computer (we're also using certificates, so the problems of MAC spoofing should be pretty much mitigated).
I've imported the radius schema into OpenLDAP, and have created a cn called dot1x, and based it on the objectClass radiusprofile - so we have an entry like this:
dn:cn=machine-1146,cn=dot1x,dc=org,dc=com
cn: machine-1146
radiusTunnelMediumType: IEEE-802
radiusTunnelType: VLAN
radiusTunnelPrivateGroupId: 600
objectClass: radiusprofile
objectClass: top
The questions are:
- Where in cn=dot1x,dc=org,dc=com do we put the MAC address of the machine?
- How do I configure FreeRADIUS to search ou=people for user authentication, and then cn=dot1x for the computer MAC address, and then respond with the radiusTunnelPrivateGroupId?
Thanks for your help!