-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Thibault,

Thank you for reviewing my post.

Here is a little more information:

The RADIUS client is actually an Aruba wireless controller. It had an attribute already defined called "User-Category". I also checked the dictionary file for "User-Category" and this is what I found:

# grep User-Category *
dictionary.freeradius.internal:ATTRIBUTE User-Category 1029 string

I am happy to change my attribute to something more standard or different if this seems to be the problem.

Thank You!

Paul

On Jul 19, 2006, at 10:34 AM, Thibault Le Meur wrote:


I am running FreeRADIUS version 1.1.2 on Debian Linux (Stable x86).
I am trying to map an LDAP attribute to a RADIUS attribute. A little
background, we have a RADIUS client that needs to make decisions
based on an LDAP attribute (we'll call it User-Category). Based on
the value of this attribute the end user will be given rights on the
network. So, I set up my ldap.attrmap with *only* the following line:

replyItem       User-Category                   orgPrimaryAffiliation


rlm_ldap: Adding orgPrimaryAffiliation as User-Category, value

auth: type "LDAP"
   Processing the authenticate section of radiusd.conf
modcall: entering group LDAP for request 4
rlm_ldap: - authenticate
rlm_ldap: login attempt by "mytestuser" with password "12345"
rlm_ldap: user DN: orgUUID=53d66879-e0a0-da8f-4c49-514b567713ad,ou=People,dc=org,dc=com
rlm_ldap: (re)connect to ldapserver.org.com:389, authentication 1
rlm_ldap: bind as orgUUID=53d66879-e0a0-da8f-4c49-514b567713ad,ou=People,dc=org,dc=com/12345 to ldapserver.org.com:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: user mytestuser authenticated succesfully
   modcall[authenticate]: module "ldap" returns ok for request 4
modcall: leaving group LDAP (returns ok) for request 4
Sending Access-Accept of id 192 to 127.0.0.1 port 32904
Finished request 4

Ok, everything seems ok until now...


The problem is that I never see the RADIUS server return the
"User-Category" attribute back to the RADIUS client. It seems to
only want to send the "Access-Accept" or "Access-Reject" message with
no User-Category value. I tried including the "User-Category" in the
request with no luck. I also modified the "attrs" file to include this
attribute:

DEFAULT
         Service-Type == Framed-User,
         Service-Type == Login-User,
         Login-Service == Telnet,
         Login-Service == Rlogin,
         Login-Service == TCP-Clear,
         Login-TCP-Port <= 65536,
         Framed-IP-Address == 255.255.255.254,
         Framed-IP-Netmask == 255.255.255.255,
         Framed-Protocol == PPP,
         Framed-Protocol == SLIP,
         Framed-Compression == Van-Jacobson-TCP-IP,
         Framed-MTU >= 576,
         Framed-Filter-ID =* ANY,
         Reply-Message =* ANY,
         User-Category =* ANY,
         Proxy-State =* ANY,
         Session-Timeout <= 28800,
         Idle-Timeout <= 600,
         Port-Limit <= 2

But no luck there either.  Any help is greatly appreciated.

Yes, but I don't think you can create a new Radius attribute like this. You
should at least declare it in a dictionary (since a Radius attribute
corresponds to a number in fact).

See /etc/raddb/dictionary and any included files.

Can anyone confirm my analysis and propose a procedure to create new
attributes?
Isn't it necessary to register new attributes/numbers somewhere? Is it
possible to define "private attributes"?

Regards,
Thibault


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


- --
Paul Asadoorian
Email:   [EMAIL PROTECTED]
Web:     http://pauldotcom.com
IRC:      #pauldotcom | irc.freenode.net

Fingerprint: 2693 0204 8497 2E5F 4853  11D5 1153 6151 487F E094






-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (Darwin)

iD8DBQFEvkpOEVNhUUh/4JQRAkLYAJ9A9E//OYrXhxqDL1c3R9Pug6DrdQCfcuol
nHLn4xrMTZwDskv6eLGrG40=
=lqlM
-----END PGP SIGNATURE-----
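The following script is an example added by the editor; it is not code from this thread or from FreeRADIUS. It encodes reply attributes the way a RADIUS server has to put them on the wire (RFC 2865 section 5: Type and Length are one octet each, so a dictionary number above 255, such as the 1029 found above for User-Category in dictionary.freeradius.internal, is server-internal and can never reach the client), and it shows the standard way to carry a private attribute: a Vendor-Specific attribute (type 26, RFC 2865 section 5.26) under the vendor's registered number. The dictionary text is constructed for the example in FreeRADIUS 1.x syntax; the Aruba vendor number 14823 and the Aruba-User-Role attribute are assumed to match the dictionary.aruba that FreeRADIUS ships, and the role value "staff" is invented.

```python
"""Encode RADIUS reply attributes from FreeRADIUS-style dictionary entries.

Added example (not from the thread or from FreeRADIUS). Wire format follows
RFC 2865 section 5 (Type, Length, Value; Type and Length are one octet each)
and section 5.26 (Vendor-Specific, type 26: four-octet Vendor-Id followed by
vendor Type, vendor Length and value).
"""
import struct

# Constructed dictionary text in FreeRADIUS 1.x syntax. The standard numbers
# are from RFC 2865; Aruba's vendor number 14823 and Aruba-User-Role are
# assumed to match FreeRADIUS's dictionary.aruba. User-Category 1029 is the
# entry the thread found in dictionary.freeradius.internal.
DICTIONARY_TEXT = """
ATTRIBUTE    User-Name        1     string
ATTRIBUTE    Reply-Message    18    string
ATTRIBUTE    Vendor-Specific  26    octets
ATTRIBUTE    User-Category    1029  string

VENDOR       Aruba            14823
BEGIN-VENDOR Aruba
ATTRIBUTE    Aruba-User-Role  1     string
END-VENDOR   Aruba
"""


def parse_dictionary(text):
    """Return {name: (number, vendor_id or None, type)} from dictionary lines."""
    attrs, vendors, current_vendor = {}, {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        keyword = fields[0].upper()
        if keyword == "VENDOR":
            vendors[fields[1]] = int(fields[2], 0)
        elif keyword == "BEGIN-VENDOR":
            current_vendor = vendors[fields[1]]
        elif keyword == "END-VENDOR":
            current_vendor = None
        elif keyword == "ATTRIBUTE":
            name, number, typ = fields[1], int(fields[2], 0), fields[3]
            attrs[name] = (number, current_vendor, typ)
    return attrs


def encode_attribute(attrs, name, value):
    """Encode one name=value pair as RADIUS TLV bytes.

    Raises ValueError when the attribute has no representation on the wire."""
    if name not in attrs:
        raise ValueError("%s is not declared in any dictionary" % name)
    number, vendor, typ = attrs[name]
    if typ != "string":
        raise ValueError("only string attributes are handled in this example")
    data = value.encode("utf-8")
    if number > 255:
        # The Type field is a single octet: a number above 255 has no standard
        # encoding, which is why FreeRADIUS keeps such attributes server-internal.
        raise ValueError("%s (%d) is server-internal and cannot be encoded"
                         % (name, number))
    if vendor is None:
        if len(data) > 253:
            raise ValueError("%s value too long for one attribute" % name)
        return struct.pack("!BB", number, 2 + len(data)) + data
    # Vendor-Specific: 26 | Length | Vendor-Id(4) | Vendor-Type | Vendor-Length | value
    if len(data) > 247:
        raise ValueError("%s value too long for one VSA" % name)
    inner = struct.pack("!BB", number, 2 + len(data)) + data
    return struct.pack("!BBI", 26, 6 + len(inner), vendor) + inner


def encode_reply(attrs, reply_items):
    """Encode a list of (name, value) reply items.

    Returns (wire_bytes, skipped); skipped lists (name, reason) for every item
    that could not be put on the wire, which is how a reply item the server
    accepted internally can still be absent from the Access-Accept."""
    wire, skipped = b"", []
    for name, value in reply_items:
        try:
            wire += encode_attribute(attrs, name, value)
        except ValueError as exc:
            skipped.append((name, str(exc)))
    return wire, skipped


if __name__ == "__main__":
    dictionary = parse_dictionary(DICTIONARY_TEXT)
    # Constructed reply: the LDAP-derived value mapped to the internal attribute
    # next to the same value carried in the vendor-specific attribute.
    wire, skipped = encode_reply(dictionary, [
        ("User-Category", "staff"),
        ("Aruba-User-Role", "staff"),
        ("Reply-Message", "welcome"),
    ])
    print("on the wire:", wire.hex())
    for name, reason in skipped:
        print("dropped:", name, "-", reason)
```

Running the script prints only the Aruba-User-Role and Reply-Message attributes in hex and reports User-Category as dropped; the same split is what separates "rlm_ldap: Adding orgPrimaryAffiliation as User-Category" in the debug output from what the controller actually receives, so a reply item meant for a RADIUS client needs a number that fits the wire, normally a vendor-specific attribute the client already understands.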