Greetings!

Thanks! OK, that explains a lot. Here is a more detailed explanation of the problem. We are using an Aruba wireless AP management station to connect wireless clients.

XP --> PEAP --> MSCHAPv2 --> FreeRADIUS --> ntlm_auth, rlm_ldap

The authentication works just dandy. The Aruba allows us to do role-based firewalling. The documentation says you can use "any" RADIUS attribute, pass it to the Aruba, and then use it in the server rule to perform actions, e.g. assign to a VLAN, do privilege escalation, etc.

Since ntlm_auth handles the authentication, I was hoping to use LDAP either to obtain a list of groups (i.e. memberOf) from the ADS server (which I was able to do, but it returns multiple values, I wasn't able to get it to strip the cn= from the results, and it also appears the value can't be multi-word :) or to just use an attribute returned from the LDAP server (e.g. RadiusGroup) and have it passed to the NAS so it can apply its rules.

LDAP --> RADIUS --> NAS

Is it possible to use ntlm_auth and then use LDAP to search for a value and return it to the Aruba?

Are the only values available to be used in this way the ones listed in the dictionary file for the Aruba?

I have ordered the O'Reilly book and hopefully it will give me clue +10 :)

I Really appreciate the help!

Thanks!
Liz



On Apr 5, 2006, at 9:16 PM, Alan DeKok wrote:

liz <[EMAIL PROTECTED]> wrote:
I have a simple question about the ldap.attrmap file. I have placed
the following two lines into my ldap.attrmap file.
...
checkItem       Group-Name                      Description
replyItem       Group-Name                      Description

  You are trying to re-define attributes that have existing
definitions in the server.  Don't do that.  Create a new attribute,
instead.

What I am trying to do is obtain information from an attribute in the
LDAP server and then pass it to the NAS we are using.

  In which case you have to pick an attribute the NAS understands.
Group-Name is not an attribute any NAS understands.

a) Is this an appropriate use of the ldap.attrmap file?

  No.

b) Is there any easier way to do this?

  It depends on what you want to do.

c) What should I see when it successfully sends an attribute to the NAS?

  You should see the attribute in the reply, in debugging mode.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
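For reference, here is an added configuration sketch of the setup Liz describes, following Alan's advice to pick an attribute the NAS actually understands. It is an illustration written for this page, not code from the thread or from the FreeRADIUS project's own documentation, and it targets the FreeRADIUS 1.x layout (radiusd.conf, ldap.attrmap, users). The hostname, bind DN and password, the ntlm_auth path, the Windows domain, the group names, the VLAN numbers and the custom "radiusGroup" AD attribute are all assumptions; the Aruba VSA names come from the dictionary.aruba file FreeRADIUS ships. The existing, working eap/peap configuration is left out and assumed unchanged.

```conf
# --- dictionary: use an attribute the Aruba understands (its own VSAs) ---
# FreeRADIUS ships dictionary.aruba; include it from the main dictionary file.
# It defines, among others, Aruba-User-Role (string) and Aruba-User-Vlan (integer).
$INCLUDE dictionary.aruba

# --- radiusd.conf: authentication stays with ntlm_auth, LDAP only supplies reply data ---
modules {
    mschap {
        use_mppe = yes
        require_encryption = yes
        require_strong = yes
        # Path and --domain are assumptions; adjust to the local winbind setup.
        ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --domain=EXAMPLE --username=%{Stripped-User-Name:-%{User-Name:-None}} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
    }

    ldap {
        server   = "dc1.example.local"                        # assumed
        identity = "cn=radius,cn=Users,dc=example,dc=local"   # assumed bind DN
        password = "change-me"                                # assumed
        basedn   = "cn=Users,dc=example,dc=local"
        filter   = "(sAMAccountName=%{Stripped-User-Name:-%{User-Name}})"
        # memberOf holds group DNs. With groupname_attribute = cn, rlm_ldap
        # compares the Ldap-Group check item against the cn of each group DN,
        # so the users file can test a plain group name instead of a full DN.
        groupname_attribute       = "cn"
        groupmembership_attribute = "memberOf"
        # No password_attribute: the NT proof comes from ntlm_auth, and no
        # password material is ever copied into the RADIUS reply.
        dictionary_mapping = ${raddbdir}/ldap.attrmap
    }
}

authorize {
    preprocess
    mschap      # sets Auth-Type = MS-CHAP when MS-CHAP attributes are present
    ldap        # looks the user up and applies ldap.attrmap; sets no Auth-Type
    files       # users file, used for the group-to-role mapping below
}

authenticate {
    Auth-Type MS-CHAP {
        mschap
    }
}

# --- ldap.attrmap: option 1, copy one single-valued LDAP attribute into the reply ---
# Left column: a RADIUS attribute the NAS knows (not Group-Name, which is
# server-internal). Right column: the LDAP attribute (assumed custom "radiusGroup").
replyItem   Aruba-User-Role   radiusGroup

# --- users file: option 2, derive the role from AD group membership instead ---
# Each DEFAULT entry matches on Ldap-Group (resolved by rlm_ldap) and adds the
# VSAs the Aruba acts on. Quoted values may contain spaces. First match wins.
DEFAULT Ldap-Group == "Wireless-Admins"
        Aruba-User-Role = "admin",
        Aruba-User-Vlan = 10

DEFAULT Ldap-Group == "Wireless-Staff"
        Aruba-User-Role = "staff",
        Aruba-User-Vlan = 20

DEFAULT
        Aruba-User-Role = "guest",
        Aruba-User-Vlan = 99
```

Run the server with radiusd -X and authenticate once: the Access-Accept printed in the debug output should contain Aruba-User-Role and Aruba-User-Vlan, which is the check Alan describes. If the NAS does not enforce the role, the VSA is reaching it but the Aruba-side server rule is not matching on it.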

