Hi all, I'm working on basically a radius to ldap proxy. I have a list of radius classes that link to ldap groups. For example:
class rad_WestSide -> ldap memberOf contains WestSide
class rad_EastSide -> ldap memberOf contains EastSide
This way if a user is in ldap group WestSide then radius class rad_WestSide is sent.
If the user is in ldap EastSide, rad_WestSide is sent.
The tricky part is if the user is in WestSide AND EastSide.
I can see I'm matching EP_RAD_WestCoast, EP_RAD_EastCoast in the logs (enforcement policies out looks correct), but the radius accept message only contains rad_WestSide. I have verified with packet capture. If I move my rad_EastCoast enforcement policy to the top, it will send instead of WestCoast. I'm thinking only a single enforcement policy can be used, but I'm not wrapping my head around how to do this correctly.
BTW, I'm also set to evaluate all.
It's late, hopefully that made sense. :D