Re: LDAP Group assign to vlan after AD user authentication
On 24 Jan 2012, at 09:05, NdK wrote:

> On 24/01/2012 08:48, Arran Cudbard-Bell wrote:
>
>>> But how do I set Tunnel-Private-Group-Id from an
>>> exec-ed script?
>> Just execute it using a backticks expansion, store the result in
>> Tmp-String-0 then use regular expression matches over the result to figure
>> out whether it contains a certain group or not. You may hit the maximum
>> internal string size if the user is a member of lots of groups in which case
>> the result would be silently truncated (just something to watch for).
> Urgh! So easy! :)
>
>> Honestly doing it with LDAP would probably be significantly easier and
>> faster. Exec is really quite slow...
> Surely. But in some setups it's not possible to browse AD as an LDAP
> server. At least w/o leaving around username and password. That's a
> no-no, unless you can create "service users" (which we can't :( ).
> But this way we can put users on different VLANs w/o problems :)

Ah fair enough. Yes you do need a user to bind.

> IIUC, post-auth exec should occur only once, right?

Yep.

-Arran

Arran Cudbard-Bell
a.cudba...@freeradius.org

Betelwiki, Betelwiki, Betelwiki http://wiki.freeradius.org/ !

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: LDAP Group assign to vlan after AD user authentication
On 01/24/2012 08:48 AM, Arran Cudbard-Bell wrote:
[snip]
> IIRC the LDAP Module is actually smart enough to figure out whether you
> passed in a DN as a group or just a groupname, so in theory if you have
> the filters and search depth set correctly you can just use
> Ldap-Group == "mygroup".
>
> -Arran
[snip]

Indeed the LDAP module is smart enough, however from an optimisation point
of view I prefer to enter the full DN of the group. This way only one query
is performed on the LDAP tree. Otherwise it will do more queries to find
what it needs.

Rg,

Arnaud
Re: LDAP Group assign to vlan after AD user authentication
On 24/01/2012 08:48, Arran Cudbard-Bell wrote:

>> But how do I set Tunnel-Private-Group-Id from an
>> exec-ed script?
> Just execute it using a backticks expansion, store the result in
> Tmp-String-0 then use regular expression matches over the result to figure
> out whether it contains a certain group or not. You may hit the maximum
> internal string size if the user is a member of lots of groups in which case
> the result would be silently truncated (just something to watch for).

Urgh! So easy! :)

> Honestly doing it with LDAP would probably be significantly easier and
> faster. Exec is really quite slow...

Surely. But in some setups it's not possible to browse AD as an LDAP
server. At least w/o leaving around username and password. That's a
no-no, unless you can create "service users" (which we can't :( ).
But this way we can put users on different VLANs w/o problems :)

IIUC, post-auth exec should occur only once, right?

Tks,
Diego.
Re: LDAP Group assign to vlan after AD user authentication
On 24 Jan 2012, at 08:23, NdK wrote:

> On 23/01/2012 14:48, Arnaud Loonstra wrote:
>
>> But I reckon you could also do something like that in post-auth section
>>
>>     if (Ldap-Group == "cn=mygroup,ou=groups,o=radius") {
>>         update reply {
>>             Tunnel-type = VLAN
>>             Tunnel-medium-type = IEEE-802
>>             Tunnel-Private-Group-Id = 1
>>         }
>>     }
>
> I think it could be possible to do the same using exec, a script and
> wbinfo... Just still don't know how.
> With
>
>     for T in $(wbinfo --user-domgroups `wbinfo -n `) ; do
>         wbinfo -s $T;
>     done
>
> I can get all AD groups  is into. Checking group membership
> would be even easier. But how do I set Tunnel-Private-Group-Id from an
> exec-ed script?

Just execute it using a backticks expansion, store the result in
Tmp-String-0 then use regular expression matches over the result to figure
out whether it contains a certain group or not. You may hit the maximum
internal string size if the user is a member of lots of groups in which case
the result would be silently truncated (just something to watch for).

Honestly doing it with LDAP would probably be significantly easier and
faster. Exec is really quite slow...

IIRC the LDAP Module is actually smart enough to figure out whether you
passed in a DN as a group or just a groupname, so in theory if you have
the filters and search depth set correctly you can just use
Ldap-Group == "mygroup".

-Arran

Arran Cudbard-Bell
a.cudba...@freeradius.org
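Arran's suggestion written out as a post-auth section, as an added example that is not from this thread and not from the FreeRADIUS project. It assumes FreeRADIUS 2.x unlang, a hypothetical helper /usr/local/bin/ad-groups that wraps Diego's wbinfo loop and prints the user's AD group names on a single comma-separated line with no trailing newline, and hypothetical group names and VLAN ids (Wireless-Staff to VLAN 10, Wireless-Students to VLAN 20, anything else to a quarantine VLAN 999).

```unlang
# Added example, not from the thread. Goes in the post-auth section of the
# inner-tunnel virtual server (sites-enabled/inner-tunnel): with PEAP/MSCHAPv2
# the user is authenticated inside the tunnel, so that is where the inner
# identity is available.
post-auth {
    # Run the helper once and keep its output in an internal attribute.
    # The server execs the helper directly (no shell); the user name is
    # passed as one argument, so the helper must treat "$1" as data.
    # Stripped-User-Name is preferred so "user@realm" or "DOMAIN\user"
    # does not reach wbinfo unchanged; it falls back to User-Name.
    update request {
        Tmp-String-0 := `/usr/local/bin/ad-groups %{%{Stripped-User-Name}:-%{User-Name}}`
    }

    # Anchor each match on the separators. A bare /Wireless-Staff/ would
    # also be satisfied by "Wireless-Staff-Contractors".
    if (Tmp-String-0 =~ /(^|,)Wireless-Staff(,|$)/) {
        update reply {
            Tunnel-Type := VLAN
            Tunnel-Medium-Type := IEEE-802
            Tunnel-Private-Group-Id := "10"
        }
    }
    elsif (Tmp-String-0 =~ /(^|,)Wireless-Students(,|$)/) {
        update reply {
            Tunnel-Type := VLAN
            Tunnel-Medium-Type := IEEE-802
            Tunnel-Private-Group-Id := "20"
        }
    }
    else {
        # Authenticated but in no mapped group: pin the port to a
        # quarantine VLAN instead of letting the switch choose its default.
        update reply {
            Tunnel-Type := VLAN
            Tunnel-Medium-Type := IEEE-802
            Tunnel-Private-Group-Id := "999"
        }
    }
}
```

For the Tunnel-* attributes to reach the supplicant's switch they have to be copied from the inner reply to the outer one, which in 2.x means use_tunneled_reply = yes in the peap section of eap.conf. The truncation Arran mentions is easiest to avoid in the helper rather than in unlang: have it print only the groups that matter for VLAN assignment (for instance those carrying a fixed prefix) instead of every group the user belongs to. Because exec passes the user name as a single argv entry, the only injection risk is inside the helper itself; keep "$1" quoted there and never splice it into a shell command line. If the helper cannot be run the update fails, and on my reading of 2.x a failed update in post-auth turns the reply into a reject; confirm that behaviour for your version with radiusd -X before relying on it.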
Re: LDAP Group assign to vlan after AD user authentication
On 23/01/2012 14:48, Arnaud Loonstra wrote:

> But I reckon you could also do something like that in post-auth section
>
>     if (Ldap-Group == "cn=mygroup,ou=groups,o=radius") {
>         update reply {
>             Tunnel-type = VLAN
>             Tunnel-medium-type = IEEE-802
>             Tunnel-Private-Group-Id = 1
>         }
>     }

I think it could be possible to do the same using exec, a script and
wbinfo... Just still don't know how.
With

    for T in $(wbinfo --user-domgroups `wbinfo -n `) ; do
        wbinfo -s $T;
    done

I can get all AD groups  is into. Checking group membership
would be even easier. But how do I set Tunnel-Private-Group-Id from an
exec-ed script?

BYtE,
Diego.
Re: LDAP Group assign to vlan after AD user authentication
On 01/19/2012 11:25 AM, James wrote:
> Hi,
>
> I've successfully set up a radius server to support 802.1x authentication
> using peap mschapv2 and samba to authenticate users against AD. To do this
> I followed configuration on the freeradius.org website and the AD
> integration howto on deployingradius.com, thank you very much for writing
> these!
>
> I now need to assign the vlan due to membership of some group in AD and I
> understand that an ldap lookup is needed. Where in the configuration do I
> check this group and map it to a vlan? Can I do it as a default entry in
> the users file or is it needed somewhere else?
>
> Thank you very much,
>
> James

Hi James,

I don't know anything about AD and I presume you are using the latest FR.
I'm currently testing an ldap-group check in authorize using unlang:

This is part of a switch statement:

    case 'NAS-Prompt-User' {
        my-ldap
        #Check if user is member of a certain group
        if (Ldap-Group == "cn=mygroup,ou=groups,o=radius") {
            update reply {
                Service-Type := "Administrative-User"
            }
        }
        #else DENY
        else {
            update control {
                Auth-Type := reject
            }
        }
    }

But I reckon you could also do something like that in post-auth section

    if (Ldap-Group == "cn=mygroup,ou=groups,o=radius") {
        update reply {
            Tunnel-type = VLAN
            Tunnel-medium-type = IEEE-802
            Tunnel-Private-Group-Id = 1
        }
    }

This works for me :) it might as well for AD.

Rg,

Arnaud

--
Stichting z25.org
Concordiastraat 67A
3551 EM Utrecht
The Netherlands
+31-(0)6-41861063
LDAP Group assign to vlan after AD user authentication
Hi,

I've successfully set up a radius server to support 802.1x authentication
using peap mschapv2 and samba to authenticate users against AD. To do this
I followed configuration on the freeradius.org website and the AD
integration howto on deployingradius.com, thank you very much for writing
these!

I now need to assign the vlan due to membership of some group in AD and I
understand that an ldap lookup is needed. Where in the configuration do I
check this group and map it to a vlan? Can I do it as a default entry in
the users file or is it needed somewhere else?

Thank you very much,

James