EAP/PEAP, LDAP and Dynamic VLAN Assignment HOW-TO

2007-07-17 Thread Vincenzo Agosti
Hi,
I would like to make this architecture:
- authentication EAP/PEAP with MS-CHAPv2 with users in an LDAP database. Better
with encrypted passwords, but not necessary.
- Every user has an attribute or something to assign them a VLAN.
I have OpenLDAP and FreeRADIUS 1.1.3, the distribution present in CentOS
5.
Is it possible? Any suggestions?

--
Vincenzo Agosti
Università degli Studi di Salerno
Ufficio Sistemi Tecnologici
Coordinamento Servizi Informatici
Via Ponte don Melillo, s.n.c.
84084 - Fisciano (SA)
Tel.  +39 089 96 6101 - 9776
Fax   +39 089 96 6368 - 9806
Cell. +39 335 427674
--



- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE : EAP/PEAP, LDAP and Dynamic VLAN Assignment HOW-TO

2007-07-17 Thread Thibault Le Meur
Hi,

> Hi,
> I would like to make this architecture:
> - authentication EAP/PEAP with MS-CHAPv2 with users in an LDAP
> database. Better with encrypted passwords, but not necessary.

Either:
* use clear-text passwords in the userPassword attribute
* OR add an LDAP attribute that will hold the NTLM hash version of the user
password (with leading '0x'), then use ldap.attrmap to map NT-Password to
your LDAP NTLM password attribute

> - Every user has an attribute or something to assign them a
> VLAN.

You can use the radiusReplyItem LDAP attribute,
OR create several radius profiles (one for each VLAN) and assign the one
that corresponds to the user in the users file (for instance using LDAP
groups).

> I have OpenLDAP and FreeRADIUS 1.1.3, the distribution
> present in CentOS 5. Is it possible? Any suggestions?

Yes it is possible in several ways... Find your own...

HTH,
Thibault




LDAP and Dynamic VLAN

2004-06-21 Thread Christophe Saillard
Hello,
I have a working TTLS/PAP configuration with dynamic VLAN allocation.
Here is a sample of the users file:
userX Crypt-Password == $1$
 Tunnel-Type:1 = 13,
 Tunnel-Medium-Type:1 = 6,
 Tunnel-Private-Group-ID:1 = 4
At the end of the authentication the NAS puts userX in VLAN 4.
Now I'd like to do the same with users coming from LDAP storage, but I
don't know where to begin:

How can I get a group attribute from LDAP and match it with a VLAN id
which will be sent to the NAS?

Thanks.
--
---
Christophe Saillard
Centre Réseau Communication
Université Louis Pasteur
---
Tél : 03 90 24 03 17
Fax : 03 90 24 03 12
---


Re: LDAP and Dynamic VLAN

2004-06-21 Thread Michael Schwartzkopff
On Monday, 21 June 2004 14:04, Christophe Saillard wrote:
> Hello,
>
> I have a working TTLS/PAP configuration with dynamic VLAN allocation.
>
> Here is a sample of the users file:
>
> userX Crypt-Password == $1$
>   Tunnel-Type:1 = 13,
>   Tunnel-Medium-Type:1 = 6,
>   Tunnel-Private-Group-ID:1 = 4
>
> At the end of the authentication the NAS puts userX in VLAN 4.
>
> Now I'd like to do the same with users coming from LDAP storage, but I
> don't know where to begin:
>
> How can I get a group attribute from LDAP and match it with a VLAN id
> which will be sent to the NAS?
>
> Thanks.

Hi,

You have to edit dictionary.tunnel (perhaps it is done already in 1.0.0pre2):
VALUE   Tunnel-Type             VLAN        13
VALUE   Tunnel-Medium-Type      IEEE-802    6

and ldap.attrmap:

replyItem   Tunnel-Type                 radiusTunnelType
replyItem   Tunnel-Medium-Type          radiusTunnelMediumType
replyItem   Tunnel-Private-Group-Id     radiusTunnelPrivateGroupId

There is some good documentation on the internet.

--
Dr. Michael Schwartzkopff
MultiNET Services GmbH
Bretonischer Ring 7
85630 Grasbrunn

Tel: (+49 89) 456 911 - 0
Fax: (+49 89) 456 911 - 21
mob: (+49 174) 343 28 75

PGP Fingerprint: F919 3919 FF12 ED5A 2801 DEA6 AA77 57A4 EDD8 979B


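Added example, not from any of the posts above or from the FreeRADIUS project: it models what the two replies describe, an ldap.attrmap with the three tunnel replyItems plus a checkItem for the NT hash stored with a leading '0x', applied to a single constructed LDIF user entry, and resolves the dictionary.tunnel names VLAN and IEEE-802 to 13 and 6. The LDAP attribute name sambaNTPassword, the DN and the hash value are assumptions/placeholders, and nt_password_ok checks only the storage format, not the hash itself.

```python
import re

# Constructed ldap.attrmap fragment: the three replyItem lines from the reply
# above plus a checkItem for the NT hash; "sambaNTPassword" is an assumed name.
ATTRMAP = """
checkItem   NT-Password               sambaNTPassword
replyItem   Tunnel-Type               radiusTunnelType
replyItem   Tunnel-Medium-Type        radiusTunnelMediumType
replyItem   Tunnel-Private-Group-Id   radiusTunnelPrivateGroupId
"""
# Constructed LDIF entry for one user; the hash value is a placeholder.
LDIF = """
dn: uid=userX,ou=People,dc=example,dc=org
objectClass: inetOrgPerson
objectClass: radiusprofile
uid: userX
sambaNTPassword: 0x0123456789ABCDEF0123456789ABCDEF
radiusTunnelType: VLAN
radiusTunnelMediumType: IEEE-802
radiusTunnelPrivateGroupId: 4
"""
# Named values from dictionary.tunnel (VLAN = 13, IEEE-802 = 6).
DICT_VALUES = {"Tunnel-Type": {"VLAN": 13}, "Tunnel-Medium-Type": {"IEEE-802": 6}}

def parse_attrmap(text):
    """Return (checkItem|replyItem, RADIUS attribute, LDAP attribute) triples."""
    return [tuple(l.split()) for l in text.splitlines()
            if len(l.split()) == 3 and not l.startswith("#")]

def parse_ldif(text):
    """Minimal single-entry LDIF reader: attribute -> list of values."""
    entry = {}
    for line in text.splitlines():
        if ":" in line:
            key, value = line.split(":", 1)
            entry.setdefault(key.strip(), []).append(value.strip())
    return entry

def build_items(attrmap, entry):
    """Derive the check and reply items roughly as rlm_ldap does from the attrmap."""
    check, reply = {}, {}
    for kind, radius_attr, ldap_attr in attrmap:
        for value in entry.get(ldap_attr, []):
            # Resolve symbolic names (VLAN, IEEE-802) to their numeric codes.
            value = DICT_VALUES.get(radius_attr, {}).get(value, value)
            (check if kind == "checkItem" else reply)[radius_attr] = value
    return check, reply

def nt_password_ok(value):
    """NT-Password stored as the reply suggests: '0x' + 32 hex digits (16-byte MD4)."""
    return re.fullmatch(r"0x[0-9A-Fa-f]{32}", value) is not None
```

A user whose entry yields reply items without all three tunnel attributes will be authenticated but not placed in the intended VLAN, which is worth checking before loading entries into the directory.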