Thanks for the reply Dustin!
I believe what you describe will work just fine. Not sure how to ask my next question
so I will try my best. We have some users who receive static IP addresses
and other special attributes that are unique to only that user. Then we
have some who receive the same attributes and attribute values as the next
person. The big difference is those users who receive a static IP versus
a dynamic IP out of the DHCP pool. It is my understanding that after LDAP
has verified the user it tells RADIUS all the group info. RADIUS then
goes through the RADIUS Groups info and tries to find the first match.
Once the match is found RADIUS then returns to the NAS the attributes for the
profile, not the actual user attributes. How do I set up the servers so
that sometimes it returns the profile info (in the case of DHCP type customers)
and sometimes returns specific attributes (in the case of static IP customers)?
Thanks for your help in advance.

--
Jarred F. Cleem
IS Manager
Multiband
(W) 701-281-5376
(F) 701-492-5376

> Message: 6
> Date: Mon, 7 Mar 2005 09:20:43 -0500 (EST)
> From: Dustin Doris <[EMAIL PROTECTED]>
> To:
> Subject: Re: LDAP Profiles
> Reply-To:
>
> On Sun, 6 Mar 2005, Jarred Cleem wrote:
>
> > Hello all;
> >
> > I am trying to put together an openLDAP/FreeRadius implementation for a
> > multitude of services we provide. We are currently providing high speed
> > cable modem services, local dial-up, national dial-up, Motorola Canopy
> > Wireless, DSL, ISDN, extended Ethernet, Ethernet over power and a few
> > other ISP type services. Currently we have a different AAA platform for
> > all of the different services we provide. I am doing some research and
> > setting up a test lab to see if I can get everything to one AAA
> > platform. I think I am close but am looking for some additional help
> > with the connectivity between FreeRadius and openLDAP.
> >
> > I currently have FreeRadius communicating with openLDAP and
> > authenticating the user. However, the LDAP server is giving the RADIUS
> > server the wrong profile after authentication. I am not sure if I
> > completely and correctly understand how this works. It looks as though
> > it finds the first ldap-group in my "users" file and returns the ldap
> > path to the profile. My problem is that if a user has more than one
> > service, say dial-up and DSL, it does not return the right profile. It
> > returns the first match in the "users" file.
> >
> > How do I get LDAP and FreeRadius to return to the NAS the correct
> > profile for the type of service the user is trying to authenticate to?
> >
> > Below is my configuration information.
> >
> > openLDAP 2.2.23
> > freeRadius 1.0.2
> > Fedora Core 3
> >
> > Current users file
> > -------begin users--------------------
> > DEFAULT Ldap-Group == disabled, Auth-Type := Reject
> >         Reply-Message = "Account disabled. Please call the helpdesk."
> >
> > DEFAULT Ldap-Group == dial, User-Profile := "uid=dial,ou=profiles,dc=multiband,dc=us"
> >         Fall-Through = no
> >
> > DEFAULT Ldap-Group == isdn, User-Profile := "uid=isdn,ou=profiles,dc=multiband,dc=us"
> >         Fall-Through = no
> >
> > DEFAULT Ldap-Group == dsl-ip, User-Profile := "uid=dsl-ip,ou=profiles,dc=multiband,dc=us"
> >         Fall-Through = no
> >
> > DEFAULT Auth-Type := Reject
> >         Reply-Message = "Please call the helpdesk."
> > ---------------end users------------------------------
>
> With the above configuration, if a user is a member of more than one group then
> the first one matched will be the *only* one that will be used. And that *is*
> correct behaviour. What I think you need is to also use incoming request
> attributes to differentiate services (which you aren't right now). Something
> like:
>
> DEFAULT NAS-Port-Type == ISDN, Ldap-Group == isdn, User-Profile := "uid=isdn,ou=profiles,dc=multiband,dc=us"
>         Fall-Through = no
>
> DEFAULT NAS-Port-Type == Virtual, Ldap-Group == dsl-ip, User-Profile := "uid=dsl-ip,ou=profiles,dc=multiband,dc=us"
>
> Sometimes you can also know the service based on the nas-ip-address, so it's
> easy to use with huntgroups. eg:
>
> huntgroups file
>
> dial    nas-ip-address == 1.1.1.1
> dial    nas-ip-address == 1.1.1.2
> dial    nas-ip-address == 1.1.1.3, nas-port-type == async
> isdn    nas-ip-address == 1.1.1.3, nas-port-type == isdn
> adsl    nas-ip-address == 1.1.1.4
>
> What I did there was make 3 nas-ip-addresses in the dial huntgroup. One of
> them does both dial and isdn, so I added the additional check-item to it.
> One nas-ip is adsl.
>
> Then in the users file.
>
> DEFAULT Huntgroup-Name == dial, Ldap-Group == dial, User-Profile := uid=dial...
> DEFAULT Huntgroup-Name == isdn, Ldap-Group == isdn, User-Profile := uid=isdn...
> etc...
> DEFAULT Auth-Type := Reject
>
> What you are doing there is first checking the huntgroup. If you come from a
> dial huntgroup, then we will look to see if you have the ldap-group dial,
> which would signal that you get access to dial. If not, we move on and will
> eventually hit the reject line. If you do have dial, we authenticate you and
> return the dial profile. Same thing for isdn. If you are coming from an isdn
> huntgroup, then we check to see if you have the isdn group; if so we
> authenticate you, otherwise we move on.
>
> The documentation is getting old, but there is an explanation of that in
> doc/ldap_howto.txt or at http://doris.cc/radius. I will be rewriting that in
> the next few months with more specific radius/ldap stuff, I'll get rid of
> the OS specific stuff, and add some new things like configurable_failover.
> I was hoping to have it done now, but my radius rebuild project got demoted
> due to marketing trying to push out new products "yesterday".
>
> Hope that helps.
>
> -Dusty
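The first-match behaviour Dustin describes, as an added example that is not code from this thread or from FreeRADIUS itself: a simplified Python model of the users-file walk, with Jarred's Ldap-Group-only file beside the huntgroup-aware version. The adsl users line is constructed to stand in for Dustin's "etc...", and Fall-Through handling, Huntgroup-Name resolution and the Reject entry are modelled only as far as the thread describes them.

```python
# Added example, not code from the thread: FreeRADIUS-style first-match walk of
# the "users" file, with Huntgroup-Name resolved through a huntgroups list.
HUNTGROUPS = [  # mirrors Dustin's huntgroups file: (name, check items)
    ("dial", {"NAS-IP-Address": "1.1.1.1"}),
    ("dial", {"NAS-IP-Address": "1.1.1.2"}),
    ("dial", {"NAS-IP-Address": "1.1.1.3", "NAS-Port-Type": "Async"}),
    ("isdn", {"NAS-IP-Address": "1.1.1.3", "NAS-Port-Type": "ISDN"}),
    ("adsl", {"NAS-IP-Address": "1.1.1.4"}),
]

def matches(checks, request):
    """True when every check item holds. Ldap-Group tests membership in the groups
    LDAP returned; Huntgroup-Name == X holds if any huntgroups line named X matches."""
    for attr, want in checks.items():
        if attr == "Ldap-Group":
            ok = want in request.get("Ldap-Groups", ())
        elif attr == "Huntgroup-Name":
            ok = any(n == want and matches(c, request) for n, c in HUNTGROUPS)
        else:
            ok = request.get(attr) == want
        if not ok:
            return False
    return True

def lookup(users, request):
    """First-match walk of (checks, replies) entries; continue only on Fall-Through = yes."""
    reply = {}
    for checks, replies in users:
        if matches(checks, request):
            reply.update({k: v for k, v in replies.items() if k != "Fall-Through"})
            if replies.get("Fall-Through", "no") != "yes":
                break
    return reply
def profile(name):
    return {"User-Profile": f"uid={name},ou=profiles,dc=multiband,dc=us"}
# Jarred's file: Ldap-Group is the only check item, so a user in several
# groups always gets the first listed profile (Fall-Through = no is default).
ORIGINAL = [
    ({"Ldap-Group": "dial"}, profile("dial")),
    ({"Ldap-Group": "isdn"}, profile("isdn")),
    ({"Ldap-Group": "dsl-ip"}, profile("dsl-ip")),
    ({}, {"Auth-Type": "Reject"}),  # DEFAULT Auth-Type := Reject matches everyone
]
# Dustin's version checks the huntgroup first (adsl line constructed for "etc...")
HUNTGROUP_AWARE = [
    ({"Huntgroup-Name": "dial", "Ldap-Group": "dial"}, profile("dial")),
    ({"Huntgroup-Name": "isdn", "Ldap-Group": "isdn"}, profile("isdn")),
    ({"Huntgroup-Name": "adsl", "Ldap-Group": "dsl-ip"}, profile("dsl-ip")),
    ({}, {"Auth-Type": "Reject"}),
]
```

A dial+DSL user arriving on the adsl NAS gets the dial profile from ORIGINAL but the dsl-ip profile from HUNTGROUP_AWARE, and a dial-only user on the ISDN port of 1.1.1.3 falls through to the Reject entry.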