--- default 2023-05-12 16:17:27.040000000 +0200
+++ ../server-available_default 2023-05-12 16:15:54.616000000 +0200
@@ -761,18 +761,45 @@
 User-Name := "%{1}$" # The uid attribute in the ldap object is filled with the host name and a trailing dollar sign.
 }
 }
+
+ if ("%{ldap:ldap:///dc=domain,dc=net?uid?sub?(macAddress=%{User-Name})}") {
+ # For known users as well for known machines we take the vlan-id from the group the user/machine is member of.
+ # In case there are assignments for several groups the first vlan-id is automatically taken.
+ update request {
+ User-Name := "%{ldap:ldap:///dc=domain,dc=net?uid?sub?(macAddress=%{User-Name})}" # The uid attribute in the ldap object is filled with the host name and a trailing dollar sign.
+ }
+ if ("%{ldap:ldap:///dc=domain,dc=net?univentionVlanId?sub?(&(macAddress=%{User-Name})(univentionObjectType=groups/group)(univentionVlanId=*))}") {
+ update reply {
+ Reply-Message := "DEBUG: Assigning VLAN-ID from user / computer object"
+ Tunnel-Type := VLAN
+ Tunnel-Medium-Type := IEEE-802
+ Tunnel-Private-Group-Id := "%{ldap:ldap:///dc=domain,dc=net?univentionVlanId?sub?(&(|(memberUid=%{User-Name})(macAddress=%{User-Name}))(univentionObjectType=groups/group)(univentionVlanId=*))}"
+ }
+ }
+ # If we can't find a matching VLAN ID for the user or machine client in LDAP, we return the default VLAN ID, if configured.
+ # If no default vlan-id is configured in ucr we do not return any vlan information
+ elsif ("1") {
+ update reply {
+ Reply-Message := "DEBUG: Not found, assigning default VLAN-ID"
+ Tunnel-Type := VLAN
+ Tunnel-Medium-Type := IEEE-802
+ Tunnel-Private-Group-Id := "1"
+ }
+ }
+ }
+
 # Check if the user or machine exists and do post-auth actions
 # else do nothing in post-auth
 # This way we also make sure that we do not change the VLAN ID again if the non-EAP-auth (MAC address auth) succeeded before (see above)
- if ("%{ldap:ldap:///dc=domain,dc=net?uid?sub?(uid=%{User-Name})}") {
+ if ("%{ldap:ldap:///dc=domain,dc=net?uid?sub?(|(uid=%{User-Name})(macAddress=%{User-Name}))}") {
 # For known users as well for known machines we take the vlan-id from the group the user/machine is member of.
 # In case there are assignments for several groups the first vlan-id is automatically taken.
- if ("%{ldap:ldap:///dc=domain,dc=net?univentionVlanId?sub?(&(memberUid=%{User-Name})(univentionObjectType=groups/group)(univentionVlanId=*))}") {
+ if ("%{ldap:ldap:///dc=domain,dc=net?univentionVlanId?sub?(&(|(memberUid=%{User-Name})(macAddress=%{User-Name}))(univentionObjectType=groups/group)(univentionVlanId=*))}") {
 update reply {
 Reply-Message := "DEBUG: Assigning VLAN-ID from user / computer object"
 Tunnel-Type := VLAN
 Tunnel-Medium-Type := IEEE-802
- Tunnel-Private-Group-Id := "%{ldap:ldap:///dc=domain,dc=net?univentionVlanId?sub?(&(memberUid=%{User-Name})(univentionObjectType=groups/group)(univentionVlanId=*))}"
+ Tunnel-Private-Group-Id := "%{ldap:ldap:///dc=domain,dc=net?univentionVlanId?sub?(&(|(memberUid=%{User-Name})(memberUid=%{1}))(univentionObjectType=groups/group)(univentionVlanId=*))}"
 }
 }
 # If we can't find a matching VLAN ID for the user or machine client in LDAP, we return the default VLAN ID, if configured.
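Review bot: In the added MAC-address block the `update request { User-Name := ... }` rewrites User-Name to the object's `uid` before the inner `if` runs, so that condition's `(macAddress=%{User-Name})` filter, which is further restricted to `univentionObjectType=groups/group`, is evaluated against the uid and will not match unless group objects carry a `macAddress` attribute; every MAC-authenticated client then appears to fall through to the `elsif ("1")` default branch. The condition and the `Tunnel-Private-Group-Id` value also use different filters, both in this block and in the modified block below, where the value's `(memberUid=%{1})` appears to reuse a regex capture from a match outside this hunk; if a condition matches but the value xlat expands to nothing, the Access-Accept carries an empty `Tunnel-Private-Group-Id`, and which VLAN the switch then applies is NAS-dependent. Make each condition use the same filter as the value it guards, for the new block `if ("%{ldap:ldap:///dc=domain,dc=net?univentionVlanId?sub?(&(|(memberUid=%{User-Name})(macAddress=%{User-Name}))(univentionObjectType=groups/group)(univentionVlanId=*))}") {`, or better, expand the lookup once into a `Tmp-String-0` attribute and both test and assign from that so the two can never diverge. The `%{User-Name}` nested inside the `%{ldap:}` xlat is escaped by rlm_ldap's xlat escape function in 3.x, so a NAS-supplied name should not be able to alter the filter, but that is worth confirming against the rlm_ldap version in use. The enclosing post-auth section starts and ends outside the hunk.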