Op 14 jul 2011, om 21:30 heeft Alexander Clouter het volgende geschreven: > Serge van Namen <svna...@snow.nl> wrote: >> >> I'm working on a proof-of-concept for 802.1x and dynamic vlan's on >> switches. >> >> All this works perfectly with user@realm, but now I want to read the >> vlan ID from a ldap attribute and then send the radius request with >> that value in "Tunnel-Private-Group-ID". >> > Reading an attribute for this is argubly silly in the context of LDAP. > Better to test for a group membership otherwise you might aswell shovel > everything in a relational database like SQL.
In our situation the user is bound to a VLAN, so on every workstation in the building the user authenticates and the switchport becomes a member of the correct VLAN. Correct me if I'm wrong but then we have to administer a separate database for hosts ( and in our case users ) Now we have 2 auth-types en autz-type's. 1 connects with cn=x,dc=example,dc=com (VLANid x) 1 connects with cn=y,dc=example,dc=com (VLANid y) Depending on the realm the user indicates when logging in (user@realm), autheticates and puts the "Tunnel-Private-Group-Id" in the reply with the correct VLAN id. The problem: When using 'Login Window' based 802.1x. So when user puts in it's user/pass at the login window, it does it's 802.1x magic. But with user@realm, LDAP doesnt understands this ofcourse, so the @realm needs to be stripped when authenicating to LDAP. So: user@realm ---> radius reads the realm, strips the @realm so LDAP understands, makes it's auth/autz-type. I hope you catch my drift. :) > > For us we create host LDAP objects, and then those objects are members > of a LDAP group which has details regarding the VLAN in it (and > subnetting, etc etc). > > I am slowly cobbling bits together on my website[1]. My post-auth looks > like: > ---- > post-auth { > .... > > # defaults > update reply { > Tunnel-Type := VLAN > Tunnel-Medium-Type := IEEE-802 > Tunnel-Private-Group-Id := "unauthorised" > > Termination-Action := RADIUS-Request > Session-Timeout := 300 > > Acct-Interim-Interval := 3600 > } > > if ((EAP-Message) && !(Ldap-UserDn)) { > cache_ldap-userdn > } > > lanwarden_vlan > if (!(control:Tunnel-Private-Group-Id) || > control:Tunnel-Private-Group-Id == "") { > if (Realm == "DEFAULT") { > update reply { > Tunnel-Private-Group-Id := "eduroam" > } > } > # to be removed once we register personal workstations > elsif (Realm == "%{config:local.MY.realm}") { > update reply { > Tunnel-Private-Group-Id := > "users-unmanaged" > } > } > } > else { > update reply { > Tunnel-Private-Group-Id := > "%{control:Tunnel-Private-Group-Id}" > } > } > if (reply:Tunnel-Private-Group-Id != "unauthorised") { > update reply { > # Cisco only support a max of 65535 > Session-Timeout := 64800 > } > } > > .... > } > ---- > > 'cache_ldap-userdn' you can find in the archives and the reasoning for > it, meanwhile lanwarden_vlan lurks in policy.conf and looks like: > ---- > lanwarden_vlan { > if ((control:Ldap-UserDn)) { > if ("%{md5:%{client:secret}%{Calling-Station-Id}%l}" =~ > /[0-7]$/) { > update control { > Tunnel-Private-Group-Id := > "%{ldap_lanwarden1:ldap:///ou=Networks,ou=LanWarden,o=soas?cn?one?(&(objectClass=lanwardenNetwork)(member=%{control:Ldap-UserDn}))}" > } > if (control:Tunnel-Private-Group-Id == "") { > update control { > Tunnel-Private-Group-Id := > "%{ldap_lanwarden2:ldap:///ou=Networks,ou=LanWarden,o=soas?cn?one?(&(objectClass=lanwardenNetwork)(member=%{control:Ldap-UserDn}))}" > } > } > } > else { > update control { > Tunnel-Private-Group-Id := > "%{ldap_lanwarden2:ldap:///ou=Networks,ou=LanWarden,o=soas?cn?one?(&(objectClass=lanwardenNetwork)(member=%{control:Ldap-UserDn}))}" > } > if (control:Tunnel-Private-Group-Id == "") { > update control { > Tunnel-Private-Group-Id := > "%{ldap_lanwarden1:ldap:///ou=Networks,ou=LanWarden,o=soas?cn?one?(&(objectClass=lanwardenNetwork)(member=%{control:Ldap-UserDn}))}" > } > } > } > } > } > ---- > > It looks horrible as xlat does *not* support failover. :( > > Cheers > > [1] http://www.digriz.org.uk/lanwarden > > -- > Alexander Clouter > .sigmonster says: You are so boring that when I see you my feet go to sleep. > > - > List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html