Serge van Namen <svna...@snow.nl> wrote:
>
> I'm working on a proof-of-concept for 802.1x and dynamic VLANs on
> switches.
>
> All this works perfectly with user@realm, but now I want to read the
> VLAN ID from an LDAP attribute and then send the RADIUS request with
> that value in "Tunnel-Private-Group-ID".
>
Reading an attribute for this is arguably silly in the context of LDAP. Better to test for a group membership; otherwise you might as well shovel everything in a relational database like SQL.
For us we create host LDAP objects, and then those objects are members of an LDAP group which has details regarding the VLAN in it (and subnetting, etc etc). I am slowly cobbling bits together on my website[1]. My post-auth looks like:
----
post-auth {
    ....
    # defaults
    update reply {
        Tunnel-Type := VLAN
        Tunnel-Medium-Type := IEEE-802
        Tunnel-Private-Group-Id := "unauthorised"
        Termination-Action := RADIUS-Request
        Session-Timeout := 300
        Acct-Interim-Interval := 3600
    }

    if ((EAP-Message) && !(Ldap-UserDn)) {
        cache_ldap-userdn
    }

    lanwarden_vlan

    if (!(control:Tunnel-Private-Group-Id) || control:Tunnel-Private-Group-Id == "") {
        if (Realm == "DEFAULT") {
            update reply {
                Tunnel-Private-Group-Id := "eduroam"
            }
        }
        # to be removed once we register personal workstations
        elsif (Realm == "%{config:local.MY.realm}") {
            update reply {
                Tunnel-Private-Group-Id := "users-unmanaged"
            }
        }
    }
    else {
        update reply {
            Tunnel-Private-Group-Id := "%{control:Tunnel-Private-Group-Id}"
        }
    }

    if (reply:Tunnel-Private-Group-Id != "unauthorised") {
        update reply {
            # Cisco only supports a max of 65535
            Session-Timeout := 64800
        }
    }
    ....
}
----
'cache_ldap-userdn' you can find in the archives, along with the reasoning for it; meanwhile lanwarden_vlan lurks in policy.conf and looks like:
----
lanwarden_vlan {
    if ((control:Ldap-UserDn)) {
        if ("%{md5:%{client:secret}%{Calling-Station-Id}%l}" =~ /[0-7]$/) {
            update control {
                Tunnel-Private-Group-Id := "%{ldap_lanwarden1:ldap:///ou=Networks,ou=LanWarden,o=soas?cn?one?(&(objectClass=lanwardenNetwork)(member=%{control:Ldap-UserDn}))}"
            }
            if (control:Tunnel-Private-Group-Id == "") {
                update control {
                    Tunnel-Private-Group-Id := "%{ldap_lanwarden2:ldap:///ou=Networks,ou=LanWarden,o=soas?cn?one?(&(objectClass=lanwardenNetwork)(member=%{control:Ldap-UserDn}))}"
                }
            }
        }
        else {
            update control {
                Tunnel-Private-Group-Id := "%{ldap_lanwarden2:ldap:///ou=Networks,ou=LanWarden,o=soas?cn?one?(&(objectClass=lanwardenNetwork)(member=%{control:Ldap-UserDn}))}"
            }
            if (control:Tunnel-Private-Group-Id == "") {
                update control {
                    Tunnel-Private-Group-Id := "%{ldap_lanwarden1:ldap:///ou=Networks,ou=LanWarden,o=soas?cn?one?(&(objectClass=lanwardenNetwork)(member=%{control:Ldap-UserDn}))}"
                }
            }
        }
    }
}
----
It looks horrible as xlat does *not* support failover. :(

Cheers

[1] http://www.digriz.org.uk/lanwarden

-- 
Alexander Clouter
.sigmonster says: You are so boring that when I see you my feet go to sleep.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
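As an added illustration (my own Python model, not Alexander's configuration and not a FreeRADIUS API), the two unlang blocks above are mirrored so the decision path can be traced offline: the same `(member=DN)` group filter is built with RFC 4515 escaping, lookups are spread across two mocked `ldap_lanwarden` replicas by the last md5 digit with fallback to the other replica when one returns nothing, and the realm fallback and Session-Timeout rules are applied. It assumes `%l` expands to the request timestamp, constructed directory data, and a placeholder local realm.

```python
import hashlib
import re

# Constructed sample data: two LDAP replicas, group cn -> member DNs; None = replica down.
REPLICAS = [
    {"vlan-staff": {"cn=ws01,ou=Hosts,o=soas"}, "vlan-lab": {"cn=lab07,ou=Hosts,o=soas"}},
    {"vlan-staff": {"cn=ws01,ou=Hosts,o=soas"}, "vlan-lab": {"cn=lab07,ou=Hosts,o=soas"}},
]
LOCAL_REALM = "example.ac.uk"  # placeholder standing in for %{config:local.MY.realm}

def ldap_filter(user_dn):
    """The policy's group-membership filter, with RFC 4515 escaping of the DN."""
    esc = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}
    safe = "".join(esc.get(c, c) for c in user_dn)
    return f"(&(objectClass=lanwardenNetwork)(member={safe}))"

def ldap_query(replica, flt):
    """Mock of the ldap:/// xlat: cn of the first group matching flt, '' if none."""
    if replica is None:                       # replica down: the xlat expands to ""
        return ""
    member = re.search(r"\(member=([^)]*)\)", flt).group(1)
    member = re.sub(r"\\([0-9a-f]{2})", lambda m: chr(int(m.group(1), 16)), member)
    return next((cn for cn, dns in replica.items() if member in dns), "")

def lanwarden_vlan(user_dn, secret, calling_station_id, timestamp, replicas=REPLICAS):
    """Mirrors the policy: choose a replica by the md5 digit, then try the other."""
    digest = hashlib.md5(f"{secret}{calling_station_id}{timestamp}".encode()).hexdigest()
    order = (0, 1) if digest[-1] in "01234567" else (1, 0)
    for idx in order:
        vlan = ldap_query(replicas[idx], ldap_filter(user_dn))
        if vlan:
            return vlan
    return ""

def post_auth(request, replicas=REPLICAS):
    """Mirrors post-auth: defaults, LDAP-derived VLAN, realm fallback, timeout."""
    reply = {"Tunnel-Type": "VLAN", "Tunnel-Medium-Type": "IEEE-802",
             "Tunnel-Private-Group-Id": "unauthorised", "Session-Timeout": 300}
    dn = request.get("Ldap-UserDn")
    vlan = lanwarden_vlan(dn, request["secret"], request["Calling-Station-Id"],
                          request["timestamp"], replicas) if dn else ""
    if not vlan:                              # control:Tunnel-Private-Group-Id empty
        if request.get("Realm") == "DEFAULT":
            vlan = "eduroam"
        elif request.get("Realm") == LOCAL_REALM:
            vlan = "users-unmanaged"
    if vlan:                                  # anything other than "unauthorised"
        reply["Tunnel-Private-Group-Id"] = vlan
        reply["Session-Timeout"] = 64800      # Cisco only supports a max of 65535
    return reply
```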