On Fri, Feb 13, 2009 at 11:22 PM, Michael Schwartzkopff <mi...@multinet.de> wrote:
> On Friday, 13 February 2009 12:36:09 Paul Dealy wrote:
>> On Fri, Feb 13, 2009 at 10:16 PM, Michael Schwartzkopff
>> <mi...@multinet.de> wrote:
>> > On Friday, 13 February 2009 11:54:29 Paul Dealy wrote:
>> >> On Fri, Feb 13, 2009 at 9:12 PM, Michael Schwartzkopff
>> >> <mi...@multinet.de> wrote:
>> >> > On Friday, 13 February 2009 11:00:10 Paul Dealy wrote:
>> >> >> On Fri, Feb 13, 2009 at 6:37 PM, Michael Schwartzkopff
>> >> >> <mi...@multinet.de> wrote:
>> >> >> > On Friday, 13 February 2009 07:17:17 Paul Dealy wrote:
>> >> >> >> I have a working radius server (ver 1.1.3), which I am using for
>> >> >> >> 802.1x authentication of wired switch ports. I would like to
>> >> >> >> dynamically assign users VLANs. I have Cisco gear and have
>> >> >> >> achieved basic VLAN allocation by configuring a DEFAULT entry in
>> >> >> >> the users file. So the VLAN allocation part works ok.
>> >> >> >>
>> >> >> >> What I want to be able to do is allocate the VLAN by matching the
>> >> >> >> value of an LDAP attribute. Not by group membership, but the
>> >> >> >> actual value of a user's attribute. Is this possible?
>> >> >> >>
>> >> >> >> Cheers,
>> >> >> >> Dealy
>> >> >> >
>> >> >> > Yes. Just assign these attributes to the user object in LDAP.
>> >> >>
>> >> >> I have a value set for an attribute in LDAP, how do I "extract" the
>> >> >> value from the attribute and do a comparison on it in the users file
>> >> >> so I can set the VLAN?
>> >> >
>> >> > Hi,
>> >> >
>> >> > I don't remember exactly what I did on version 1. Please see:
>> >> > http://vuksan.com/linux/dot1x/802-1x-LDAP.html
>> >> > for some hints.
>> >> >
>> >> > I had something like
>> >> >
>> >> > DEFAULT Auth-Type := LDAP
>> >> >         Reply-Message = "Auth by LDAP"
>> >> >
>> >> > in my users file. Other attributes stored in an object of objectClass
>> >> > radiusprofile should be added automatically to the Reply attributes.
>> >>
>> >> I don't actually want to add radiusprofile attributes to my LDAP. The
>> >> users already have an attribute which identifies their department. I
>> >> want to be able to say if "department attribute = X then allocate VLAN
>> >> Y". Can this be done without specifically setting the VLAN etc. as
>> >> radiusprofile attributes? Also I am not using LDAP for the
>> >> authentication, just authorization. The authentication is done using
>> >> ntlm_auth.
>> >
>> > Then you would have to re-map some LDAP attribute of your objectClass to
>> > Tunnel-Private-Group-ID. The Tunnel-Type=VLAN and
>> > Tunnel-Medium-Type=IEEE-802 could be set in the DEFAULT section of the
>> > users file.
>> >
>> > Please see the ldap.attrmap in your raddb dir for the mapping of
>> > attributes.
>>
>> Am I correct in saying that the LDAP attribute that is mapped to
>> Tunnel-Private-Group-ID would need to be set to the value of the
>> VLAN I require? The LDAP attribute that I wish to use currently
>> contains values like "ITISCP" and "ENISCP". I want to say if
>> attribute value == ITISCP set VLAN to 226 (i.e. Tunnel-Private-Group-ID
>> = 226). Using ldap.attrmap mappings I would need to store the
>> required VLAN in an LDAP attribute. (I can't change the LDAP, only read
>> it).
>
> Even more complicated. Sorry, I did not read your previous mail completely.
>
> Sending the department attribute (i.e. "ITISCP") might work if the switch
> understands it and can map it to the correct VLAN numbers. As far as I know,
> this can be done with Cisco. On other switches you have to see in the user
> manual if you can attach names to VLANs.
>
> Otherwise you would have to add a new ou=profiles with several cn=<profile>
> of the objectClass radiusprofile. This radiusprofile would indicate the correct
> VLAN number.
>
> Then you could use the profile_attribute of the ldap module to point to the
> correct LDAP attribute of the user object that points to the correct
> attribute. But you would have to fill that attribute manually with something
> like:
> cn=vlan42profile,ou=profiles,ou=radius,dc=sample,dc=org
>
> Perhaps it is better to do that automated by scripting deduced from the
> department attribute every hour. But when you start scripting that you also
> could deduce the VLAN number from the department and fill this into an
> attribute of the user itself and change ldap.attrmap pointing to that attribute.
>
> Greetings,
> --
> Dr. Michael Schwartzkopff
> MultiNET Services GmbH
> Address: Bretonischer Ring 7; 85630 Grasbrunn; Germany
> Tel: +49 - 89 - 45 69 11 0
> Fax: +49 - 89 - 45 69 11 21
> mob: +49 - 174 - 343 28 75
>
> mail: mi...@multinet.de
> web: www.multinet.de
>
> Registered office: 85630 Grasbrunn
> Court of registration: Amtsgericht München HRB 114375
> Managing Directors: Günter Jurgeneit, Hubert Martens
>
> ---
>
> PGP Fingerprint: F919 3919 FF12 ED5A 2801 DEA6 AA77 57A4 EDD8 979B
> Skype: misch42
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Thanks for your help. Looks like I need to talk to the LDAP admins and get them to script populating the radiusprofile attributes. It's a pity, because getting changes made to LDAP becomes a big red tape exercise within the department.
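The hourly script Michael suggests and Paul ends up needing, as an added Python example that is not part of the thread or of FreeRADIUS: it deduces the VLAN from each user's department attribute and emits LDIF that writes the result into the radiusprofile attributes on the user entry, which the stock ldap.attrmap already maps to the Tunnel-Type, Tunnel-Medium-Type and Tunnel-Private-Group-Id reply items. The department attribute name (departmentNumber), the DNs, the sample entries and the ENISCP VLAN are assumptions; only the ITISCP to 226 pair comes from the thread.

```python
"""Constructed example of the hourly script the thread ends on: derive a VLAN
number from each user's department attribute and emit LDIF that fills the
radiusprofile attributes FreeRADIUS's ldap module maps to RADIUS reply items
via ldap.attrmap. Not code from the thread; the names below are assumptions."""

# Department value -> VLAN id. ITISCP -> 226 is the only pair from the thread;
# ENISCP -> 227 is a constructed placeholder.
DEPARTMENT_VLANS = {
    "ITISCP": 226,
    "ENISCP": 227,
}

# LDAP attribute holding the department (assumed name; the thread does not
# say which attribute the site uses).
DEPARTMENT_ATTR = "departmentNumber"

# Entries as an LDAP search might return them (constructed sample data).
# carol has a department with no VLAN mapping; dave has no department at all.
SAMPLE_USERS = [
    {"dn": "uid=alice,ou=people,dc=sample,dc=org", DEPARTMENT_ATTR: "ITISCP"},
    {"dn": "uid=bob,ou=people,dc=sample,dc=org", DEPARTMENT_ATTR: " eniscp "},
    {"dn": "uid=carol,ou=people,dc=sample,dc=org", DEPARTMENT_ATTR: "HRXYZ"},
    {"dn": "uid=dave,ou=people,dc=sample,dc=org"},
]


def vlan_for(entry):
    """Return the VLAN id for an entry, or None when the department is absent
    or not in the table. Whitespace and case are normalised so a sloppily
    entered directory value does not silently leave the user without a VLAN."""
    dept = entry.get(DEPARTMENT_ATTR)
    if not isinstance(dept, str):
        return None
    return DEPARTMENT_VLANS.get(dept.strip().upper())


def profile_values(vlan):
    """The three radiusprofile attributes the stock ldap.attrmap turns into the
    reply items a switch needs for a VLAN assignment."""
    return {
        "radiusTunnelType": "VLAN",
        "radiusTunnelMediumType": "IEEE-802",
        "radiusTunnelPrivateGroupId": str(vlan),
    }


def ldif_modify(dn, values):
    """One RFC 2849 modify record; each mod-spec is closed by a '-' line."""
    lines = [f"dn: {dn}", "changetype: modify"]
    for name, value in values.items():
        lines += [f"replace: {name}", f"{name}: {value}", "-"]
    return "\n".join(lines) + "\n"


def build_ldif(entries):
    """Return (ldif_text, skipped_dns). Users without a mapped department get
    no VLAN attributes written and are reported instead, so the gap is visible
    to whoever runs the job rather than producing a guessed assignment."""
    records, skipped = [], []
    for entry in entries:
        vlan = vlan_for(entry)
        if vlan is None:
            skipped.append(entry["dn"])
            continue
        records.append(ldif_modify(entry["dn"], profile_values(vlan)))
    return "\n".join(records), skipped


if __name__ == "__main__":
    ldif, skipped = build_ldif(SAMPLE_USERS)
    print(ldif)
    for dn in skipped:
        print(f"# skipped (no VLAN mapping): {dn}")
```

The output is meant to be fed to ldapmodify by an account that may write only those three attributes, which keeps the thread's "LDAP is read-only for us" concern to a single narrowly scoped job. Each user entry must already carry the auxiliary objectClass radiusprofile or the modify is rejected with an objectClass violation; and because the script only replaces values, a user whose department later loses its mapping keeps the old VLAN until the attributes are explicitly removed, which is why the skipped list is printed rather than discarded.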