06-15-2012 04:17 AM
06-18-2012 04:26 AM
Check the "Advanced Authorization" section of the Amiogopod Exernal Authentication Servers guide. It has an example (below) of assigning roles based on OUs. When Amigopod is merged with ClearPass, there are easier and more defined ways of doing this.
Advanced authorization — Example 1
This example covers the case where a domain contains several organizational units (OUs), and the
users in each OU are to be mapped to a specific RADIUS role ID.
NOTE To determine the appropriate role ID, navigate to RADIUS Services > User Roles and check the
ID column for the appropriate role.
For example, to implement the following configuration:
• OU East should be mapped to RADIUS role ID 4
• OU Central should be mapped to RADIUS role ID 5
• OU West should be mapped to RADIUS role ID 6
Make sure the following configuration is set:
1. First, ensure that the Base DN for the authentication server is set to the root of the domain –
for example: DC=amigopod,DC=local – rather than the “users” container. This is necessary as
the organizational units are located below the top level of the directory and cannot be
searched from the CN=Users container.
2. Select the authorization method Use PHP code to assign a user role (Advanced) and use the
if (stripos($user['distinguishedname'],'OU=East')) return 4;
if (stripos($user['distinguishedname'],'OU=Central')) return 5;
if (stripos($user['distinguishedname'],'OU=West')) return 6;
Explanation: During user authorization, the distinguished name of the user (which will contain the
user’s OU) is checked against the defined rules, and an appropriate role ID is returned. If no match
is found, false is returned, which means that authorization fails and the user’s Access-Request will
Systems Engineer, Northeast USA
ACCX | ACDX | ACMX