Re: LDAP Group assign to vlan after AD user authentication

2012-01-24 Thread Arran Cudbard-Bell

On 24 Jan 2012, at 09:05, NdK wrote:

> On 24/01/2012 08:48, Arran Cudbard-Bell wrote:
> 
>>> But how do I set Tunnel-Private-Group-Id from an
>>> exec-ed script?
>> Just execute it using a backticks expansion, store the result in 
>> Tmp-String-0 then use regular expression matches over the result to figure 
>> out whether it contains a certain group or not. You may hit the maximum 
>> internal string size if the user is a member of lots of groups in which case 
>> the result would be silently truncated (just something to watch for).
> Urgh! So easy! :)
> 
>> Honestly doing it with LDAP would probably be significantly easier and 
>> faster. Exec is really quite slow...
> Surely. But in some setups it's not possible to browse AD as an ldap
> server. At least w/o leaving around username and password. That's a
> no-no, unless you can create "service users" (which we can't :( ).
> But this way we can put users on different VLANs w/o problems :)
> 

Ah fair enough. Yes you do need a user to bind.

> IIUC, post-auth exec should occur only once, right?
> 

Yep.

-Arran

Arran Cudbard-Bell
a.cudba...@freeradius.org

Betelwiki, Betelwiki, Betelwiki http://wiki.freeradius.org/ !


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: LDAP Group assign to vlan after AD user authentication

2012-01-24 Thread Arnaud Loonstra

On 01/24/2012 08:48 AM, Arran Cudbard-Bell wrote:
[snip]


> IIRC the LDAP Module is actually smart enough to figure out whether you passed in a DN as 
> a group or just a groupname, so in theory if you have the filters and search depth set 
> correctly you can just use Ldap-Group == "mygroup".
> 
> -Arran

[snip]

Indeed the LDAP module is smart enough, however from an optimisation point 
of view I prefer to enter the full DN of the group. This way only one 
query is performed on the LDAP tree. Otherwise it will do more queries 
to find what it needs.


Rg,

Arnaud



Re: LDAP Group assign to vlan after AD user authentication

2012-01-24 Thread NdK
On 24/01/2012 08:48, Arran Cudbard-Bell wrote:

>> But how do I set Tunnel-Private-Group-Id from an
>> exec-ed script?
> Just execute it using a backticks expansion, store the result in Tmp-String-0 
> then use regular expression matches over the result to figure out whether it 
> contains a certain group or not. You may hit the maximum internal string size 
> if the user is a member of lots of groups in which case the result would be 
> silently truncated (just something to watch for).
Urgh! So easy! :)

> Honestly doing it with LDAP would probably be significantly easier and 
> faster. Exec is really quite slow...
Surely. But in some setups it's not possible to browse AD as an ldap
server. At least w/o leaving around username and password. That's a
no-no, unless you can create "service users" (which we can't :( ).
But this way we can put users on different VLANs w/o problems :)

IIUC, post-auth exec should occur only once, right?

Tks,
 Diego.


Re: LDAP Group assign to vlan after AD user authentication

2012-01-23 Thread Arran Cudbard-Bell

On 24 Jan 2012, at 08:23, NdK wrote:

> On 23/01/2012 14:48, Arnaud Loonstra wrote:
> 
>> But I reckon you could also do something like that in post-auth section
>> if (Ldap-Group == "cn=mygroup,ou=groups,o=radius") {
>>   update reply {
>>     Tunnel-type = VLAN
>>     Tunnel-medium-type = IEEE-802
>>     Tunnel-Private-Group-Id = 1
>>   }
>> }
> I think it could be possible to do the same using exec, a script and
> wbinfo... Just still don't know how.
> With
> for T in $(wbinfo --user-domgroups `wbinfo -n `) ; do
> wbinfo -s $T;
> done
> I can get all AD groups  is into. Checking group membership
> would be even easier. But how do I set Tunnel-Private-Group-Id from an
> exec-ed script?

Just execute it using a backticks expansion, store the result in Tmp-String-0 
then use regular expression matches over the result to figure out whether it 
contains a certain group or not. You may hit the maximum internal string size 
if the user is a member of lots of groups in which case the result would be 
silently truncated (just something to watch for).

Honestly doing it with LDAP would probably be significantly easier and faster. 
Exec is really quite slow...

IIRC the LDAP Module is actually smart enough to figure out whether you passed 
in a DN as a group or just a groupname, so in theory if you have the filters 
and search depth set correctly you can just use Ldap-Group == "mygroup".

-Arran

Arran Cudbard-Bell
a.cudba...@freeradius.org

Betelwiki, Betelwiki, Betelwiki http://wiki.freeradius.org/ !




Re: LDAP Group assign to vlan after AD user authentication

2012-01-23 Thread NdK
On 23/01/2012 14:48, Arnaud Loonstra wrote:

> But I reckon you could also do something like that in post-auth section
> if (Ldap-Group == "cn=mygroup,ou=groups,o=radius") {
>   update reply {
>     Tunnel-type = VLAN
>     Tunnel-medium-type = IEEE-802
>     Tunnel-Private-Group-Id = 1
>   }
> }
I think it could be possible to do the same using exec, a script and
wbinfo... Just still don't know how.
With
for T in $(wbinfo --user-domgroups `wbinfo -n `) ; do
 wbinfo -s $T;
done
I can get all AD groups  is into. Checking group membership
would be even easier. But how do I set Tunnel-Private-Group-Id from an
exec-ed script?

BYtE,
 Diego.
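Diego's wbinfo loop and Arran's suggestion of a backtick expansion into Tmp-String-0 plus a regex, combined into one script as an added example (this is not code from the thread or from the FreeRADIUS project). It assumes winbindd is running, that `wbinfo -n` prints the SID as its first field and `wbinfo -s` prints `DOMAIN\Name type`, and uses a placeholder script path; the constructed sample lines let the membership check run offline.

```shell
#!/bin/sh
# Added example, not from the thread. Wraps the wbinfo loop so its output is a
# single comma-separated line, which is what a backtick expansion in unlang
# expects (script path is a placeholder):
#
#   post-auth {
#       update request {
#           Tmp-String-0 := `/usr/local/sbin/adgroups.sh %{User-Name}`
#       }
#       if (Tmp-String-0 =~ /(^|,)Staff(,|$)/) {
#           update reply {
#               Tunnel-Type := VLAN
#               Tunnel-Medium-Type := IEEE-802
#               Tunnel-Private-Group-Id := "10"
#           }
#       }
#   }
#
# The (^|,)...(,|$) anchors matter: a bare /Staff/ would also match a member of
# "Staff-Admins". Keep the group list short; the attribute value is silently
# truncated at the server's internal string limit.

# Constructed sample of `wbinfo -s` output for three group SIDs (assumed
# "DOMAIN\Name type" format), used by the self-test only.
SAMPLE_WBINFO='EXAMPLE\Domain Users 2
EXAMPLE\Staff 2
EXAMPLE\Staff-Admins 2'

# sid_names_to_csv: read "DOMAIN\Name type" lines on stdin, drop the domain
# prefix and the trailing type number, and join the names with commas.
sid_names_to_csv() {
    sed 's/^[^\\]*\\//; s/ [0-9][0-9]*$//' | paste -sd, -
}

# user_groups USER: Diego's loop, with the SID taken from the first field of
# `wbinfo -n` (assumed output: "SID SID_TYPE").
user_groups() {
    sid=$(wbinfo -n "$1" | cut -d' ' -f1) || return 1
    for gsid in $(wbinfo --user-domgroups "$sid"); do
        wbinfo -s "$gsid"
    done | sid_names_to_csv
}

# has_group CSV NAME: exact match of one comma-delimited entry (the shell-side
# equivalent of the anchored unlang regex above; no substring false positives).
has_group() {
    printf '%s\n' "$1" | tr ',' '\n' | grep -Fxq -- "$2"
}

# When invoked with a username, print that user's groups for FreeRADIUS.
if [ "$#" -eq 1 ]; then user_groups "$1"; fi
```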


Re: LDAP Group assign to vlan after AD user authentication

2012-01-23 Thread Arnaud Loonstra

On 01/19/2012 11:25 AM, James wrote:

> Hi,
> 
> I've successfully set up a radius server to support 802.1x
> authentication using peap mschapv2 and samba to authenticate users
> against AD.
> To do this I followed configuration on the freeradius.org website and
> the AD integration howto on deployingradius.com, thank you very much
> for writing these!
> 
> I now need to assign the vlan due to membership of some group in AD
> and I understand that an ldap lookup is needed.
> 
> Where in the configuration do I check this group and map it to a vlan?
> Can I do it as a default entry in the users file or is it needed
> somewhere else?
> 
> Thank you very much,
> 
> James


Hi James,

I don't know anything about AD and I presume you are using the latest FR.

I'm currently testing an ldap-group check in authorize using unlang:

This is part of a switch statement:

case 'NAS-Prompt-User' {
  my-ldap
  # Check if user is member of a certain group
  if (Ldap-Group == "cn=mygroup,ou=groups,o=radius") {
    update reply {
      Service-Type := "Administrative-User"
    }
  }
  # else DENY
  else {
    update control {
      Auth-Type := reject
    }
  }
}

But I reckon you could also do something like that in post-auth section

if (Ldap-Group == "cn=mygroup,ou=groups,o=radius") {
  update reply {
    Tunnel-type = VLAN
    Tunnel-medium-type = IEEE-802
    Tunnel-Private-Group-Id = 1
  }
}

This works for me :) it might as well for AD.

Rg,

Arnaud

--
Stichting z25.org
Concordiastraat 67A
3551 EM Utrecht
The Netherlands
+31-(0)6-41861063



LDAP Group assign to vlan after AD user authentication

2012-01-19 Thread James
Hi,

I've successfully set up a radius server to support 802.1x
authentication using peap mschapv2 and samba to authenticate users
against AD.
To do this I followed configuration on the freeradius.org website and
the AD integration howto on deployingradius.com, thank you very much
for writing these!

I now need to assign the vlan due to membership of some group in AD
and I understand that an ldap lookup is needed.

Where in the configuration do I check this group and map it to a vlan?
Can I do it as a default entry in the users file or is it needed
somewhere else?

Thank you very much,

James