I believe I resolved this. I used eapol_test to get all the wanted results, and will try on a real NAS later on.
The following is what I did. Basically I followed Alexander's example: modified the peap section in eap.conf to use another virtual server "auth" instead of the inner-tunnel virtual server. I almost blindly copied Alexander's example in the auth server, except I removed the reject for the realm checks. The ldap cache pm is not needed in my case since I do not query Windows AD via LDAP to get their attributes. If I want to do ldap after ntlm against AD, then Alexander's pm might be needed.

Then I want to map certain attributes like employeeStatus from our iPlanet ldap server to some radius attribute, so I can manipulate it in the post-auth section. I put the following line in etc/raddb/dictionary

    ATTRIBUTE My-Local-employeeStatus 3000 string

and the following lines in etc/raddb/ldap.attrmap

    #FOO specific attributes
    replyItem My-Local-employeeStatus employeeStatus

Without these two line additions, radius will complain about an unknown attribute. Then in the post-auth section

    #default will have no Tunnel attribute/value, instead, they will be configured on
    #the NAS to go to student VLANs.
    # this will cover my ldap ntPassword authentication/authorization
    #facstaff have employeeStatus set while student does not
    if ( "%{User-Name}" =~ /@/ && "%{reply:My-Local-employeeStatus}" ) {
        update reply {
            Service-Type = "Framed-User"
            Tunnel-Type = "VLAN"
            Tunnel-Medium-Type = "IEEE-802"
            Tunnel-Private-Group-Id = "facstaff"
        }
    }
    #this will cover my AD ntlm auth, People in AD are all facstaff
    if ( "%{User-Name}" !~ /@/ ) {
        update reply {
            Service-Type = "Framed-User"
            Tunnel-Type = "VLAN"
            Tunnel-Medium-Type = "IEEE-802"
            Tunnel-Private-Group-Id = "facstaff"
        }
    }

In this way, people can map arbitrary attributes from ldap to radius; if not in dictionary/ldap.attrmap, then just define your own. Then you have the flexibility of using these attribute/values in your logic in the post-auth section. Thanks all for the hints and help!
Schilling

On Tue, Jan 25, 2011 at 4:23 AM, Alexander Clouter <a...@digriz.org.uk> wrote:
> schilling <schilling2...@gmail.com> wrote:
>>
>> Thanks a lot.
>>
>> More questions.
>>
>> If you want to lower the load (and authentication latency) on your AD
>> servers then you might want to look at the following too:
>>
>> http://www.mail-archive.com/freeradius-users@lists.freeradius.org/msg65781.html
>>
> First things first, did you get it all working?  If not, start there.
> When I say 'lower the load', all it does is reduce the number of EAP
> packets from about 12 to 4 that are needed for a session resumption; but
> also means you only need two LDAP lookups rather than 12.  So your AD
> load will go from 0.000001 to 0.0000000001 or something.  I am bigging
> up the numbers more than it is worth (although the latency bit is
> possibly handy for roaming devices).
>
>> I am trying to follow your comment on this. I now realized we used to
>> run eDir and now converted to iplanet directory. Anyway, do I still
>> need to enable the compilation --with-edir option as stated below? My
>> guess is yes since otherwise, I could not call ldap in the post-auth
>> section in "auth" virtual server for eap.
>> ##etc/raddb/modules/ldap
>> # Un-comment the following to disable Novell
>> # eDirectory account policy check and intruder
>> # detection. This will work *only if* FreeRADIUS is
>> # configured to build with --with-edir option.
>> #
>> #edir_account_policy_check = no
>>
>> What I want to do is just to check some attribute in our ldap server,
>> our structure is like the following:
>> # extended LDIF
>> #
>> # LDAPv3
>> # base <ou=people,dc=foo,dc=edu> with scope subtree
>> # filter: uid=sding
>> # requesting: ALL
>> #
>>
>> # sding, People, foo.edu
>> dn: uid=sding,ou=People,dc=foo,dc=edu
>> ntPassword: 123F0AE5D10B5CCD1A7366E8DEABCDE
>> fooEduPSHRdeptName: Information Technology Service (ITS)
>> fooEduPSHRDepartmentNumber: 123456
>> fooEduEmployeeStatus: Active
>> employeeStatus: Active
>> uid: sding
>>
> The eDir bits are probably not needed as you are using mschap with
> those 'ntPassword' attributes.  eDir has 'universal password' which is a
> sales monkey's way of saying "the password is available in plaintext if
> required".  Sounds like to me you do not currently have FreeRADIUS setup
> working the way you want it to?
>
>> I would like to cache the following attribute/value in your example
>> cache_ldap-userdn.pm, so I can use these values as logic to assign
>> user to different VLANs. Can I do that in your pm?
>> fooEduPSHRdeptName: Information Technology Service (ITS)
>> fooEduPSHRDepartmentNumber: 123456
>> fooEduEmployeeStatus: Active
>> employeeStatus: Active
>>
> Looks like 'employeeStatus' should go in as part of your user filter,
> but to do the others I would need to generalise my Perl module.  Easily
> done, but I'm not going to do it before I know actually have it already
> working. :)
>
> /me pats sigmonster and gives it a cookie
>
> Cheers
>
> --
> Alexander Clouter
> .sigmonster says: Success is a journey, not a destination.
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
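To exercise the post-auth VLAN mapping from the message above end to end with eapol_test, as the poster did, here is an added shell script (not from the thread or from FreeRADIUS itself) that generates PEAP/MSCHAPv2 test profiles for a realm user and a bare AD user and reports the Tunnel-Private-Group-Id the server returns. The server address, port, shared secret, CA path, identities and passwords are assumptions, and the output parsing assumes eapol_test prints the attribute name followed by a "Value:" line; set RUN_LIVE=1 to actually run the authentications.

```shell
#!/bin/sh
# Added example, not from the original thread: drive eapol_test against the
# "auth" virtual server for both user populations and report the VLAN returned.
# Assumed: RADIUS_HOST/PORT/SECRET and CA_CERT below; passwords are placeholders.
RADIUS_HOST=${RADIUS_HOST:-127.0.0.1}
RADIUS_PORT=${RADIUS_PORT:-1812}
RADIUS_SECRET=${RADIUS_SECRET:-testing123}
CA_CERT=${CA_CERT:-/etc/raddb/certs/ca.pem}

# Emit an eapol_test (wpa_supplicant-style) profile for PEAP with inner MSCHAPv2.
# $1 = identity (user@realm hits the ldap/ntPassword path, bare user the AD ntlm
# path), $2 = password. ca_cert pins the server certificate as a real client would.
peap_conf() {
    printf 'network={\n    key_mgmt=WPA-EAP\n    eap=PEAP\n'
    printf '    identity="%s"\n    password="%s"\n' "$1" "$2"
    printf '    phase2="auth=MSCHAPV2"\n    ca_cert="%s"\n}\n' "$CA_CERT"
}

# What the post-auth rules above should hand back: realm users with employeeStatus
# set and every AD (no-realm) user get "facstaff"; other realm users get no Tunnel
# attribute, so the NAS default (student VLAN) applies.
expected_vlan() {  # $1 = identity, $2 = staff|student
    case "$1" in
        *@*) if [ "$2" = staff ]; then echo facstaff; else echo none; fi ;;
        *)   echo facstaff ;;
    esac
}

# Pull the Tunnel-Private-Group-Id value out of eapol_test's RADIUS attribute dump.
# Assumes the attribute-name line is followed by a "Value: ..." line.
vlan_from_output() {
    awk '/Tunnel-Private-Group-Id/ { want = 1; next }
         want && /Value:/ { sub(/.*Value: */, ""); print; found = 1; want = 0 }
         END { if (!found) print "none" }' | tr -d "'\""
}

# Authenticate one identity and compare the observed VLAN with the expectation.
check_user() {  # $1 = identity, $2 = password, $3 = staff|student
    conf=$(mktemp) && peap_conf "$1" "$2" > "$conf"
    got=$(eapol_test -c "$conf" -a "$RADIUS_HOST" -p "$RADIUS_PORT" \
            -s "$RADIUS_SECRET" 2>&1 | vlan_from_output)
    rm -f "$conf"
    echo "$1: expected=$(expected_vlan "$1" "$3") got=$got"
}

# Live checks only when RUN_LIVE=1 and eapol_test is installed (identities constructed).
if [ "${RUN_LIVE:-0}" = 1 ] && command -v eapol_test >/dev/null 2>&1; then
    check_user "sding@foo.edu" "PLACEHOLDER-PW" staff      # iPlanet staff, realm form
    check_user "student1@foo.edu" "PLACEHOLDER-PW" student # iPlanet student
    check_user "adstaff" "PLACEHOLDER-PW" staff            # AD account, bare name
fi
```

A mismatch between expected and got for the student identity usually means the employeeStatus reply item is being set for accounts that should not have it, which is the first thing to check in the ldap.attrmap and user filter.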