Re: Dynamic Vlan Allocation based on LDAP Attribute Value

2009-02-16 Thread tnt
>>>I'm using version 1.1.3 so, I moved the "files" entry below the ldap
>>>entry but my DEFAULT entry in the file: users does not match or return
>>>any value.
>>>
>>
>> You should upgrade. Did something else match in files? Post the debug.
>
>Stuck with this version for now.
>
>I have a "catchall" DEFAULT entry with no comparison which sets the
>vlan.  But it didn't match on the userORGUNIT ldap attribute value.
>

Upgrade. Checking control:My-Attribute with unlang works.

Ivan Kalik
Kalik Informatika ISP

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
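The fix Ivan points at, worked through as an added example for FreeRADIUS 2.x (this is not configuration from the thread or from the FreeRADIUS project; the attribute number 3000, the LDAP attribute name userORGUNIT, the VLAN numbers and the use of the inner-tunnel virtual server are assumptions). Check items that rlm_ldap pulls in through ldap.attrmap land in the request's control list, while rlm_files compares the check items of a users entry against the request packet, which is why a `DEFAULT userORGUNIT == "ISITCP"` line never matches even though the debug output shows the value being added. Unlang can test the value where it actually lives:

```unlang
# --- raddb/dictionary (site-local) ---------------------------------------
# Define the RADIUS-side name for the LDAP department attribute. The number
# 3000 is an assumption: any unused number in the local range is fine.
ATTRIBUTE	userORGUNIT	3000	string

# --- raddb/ldap.attrmap ---------------------------------------------------
# Import the LDAP attribute as a *check* item. rlm_ldap puts check items in
# the control list, not in the request packet, so a "DEFAULT userORGUNIT ==
# ..." line in the users file (which rlm_files tests against the request
# packet) never sees it. The LDAP attribute name is assumed to be userORGUNIT.
checkItem	userORGUNIT	userORGUNIT

# --- raddb/sites-available/inner-tunnel, authorize section ----------------
# With PEAP the real user name is only visible inside the tunnel, so the LDAP
# lookup and the VLAN decision belong in the inner-tunnel virtual server.
authorize {
	chap
	mschap
	eap
	ldap

	# Test the value where rlm_ldap actually stored it: control:userORGUNIT.
	switch "%{control:userORGUNIT}" {
		case "ISITCP" {
			update reply {
				Tunnel-Type := VLAN
				Tunnel-Medium-Type := IEEE-802
				Tunnel-Private-Group-Id := "5"
			}
		}
		case "ENISCP" {
			update reply {
				Tunnel-Type := VLAN
				Tunnel-Medium-Type := IEEE-802
				Tunnel-Private-Group-Id := "226"
			}
		}
		case {
			# Unknown or missing department: put the port in a quarantine
			# VLAN (999 is an assumed number) instead of a production one.
			update reply {
				Tunnel-Type := VLAN
				Tunnel-Medium-Type := IEEE-802
				Tunnel-Private-Group-Id := "999"
			}
		}
	}
}
```

Because the thread authenticates with PEAP, the Tunnel-* attributes set inside the tunnel only reach the switch if `use_tunneled_reply = yes` is set in the peap section of eap.conf. Run `radiusd -X` and confirm the final Access-Accept, not just the Access-Challenge, carries Tunnel-Private-Group-Id. The quarantine VLAN in the default case is deliberate: with the catch-all DEFAULT entry shown later in the thread, a user whose department attribute is empty or unexpected silently ends up in VLAN 226, and a missing authorization attribute should fail closed rather than open.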


Re: Dynamic Vlan Allocation based on LDAP Attribute Value

2009-02-16 Thread Paul Dealy
On Tue, Feb 17, 2009 at 11:44 AM,   wrote:
>>I'm using version 1.1.3 so, I moved the "files" entry below the ldap
>>entry but my DEFAULT entry in the file: users does not match or return
>>any value.
>>
>
> You should upgrade. Did something else match in files? Post the debug.

Stuck with this version for now.

I have a "catchall" DEFAULT entry with no comparison which sets the
vlan.  But it didn't match on the userORGUNIT ldap attribute value.


modcall: entering group authorize for request 2
  modcall[authorize]: module "preprocess" returns ok for request 2
  modcall[authorize]: module "chap" returns noop for request 2
  modcall[authorize]: module "mschap" returns noop for request 2
rlm_ldap: - authorize
rlm_ldap: performing user authorization for asmith
radius_xlat:  '(&(objectClass=inetOrgPerson)(cn=asmith))'
radius_xlat:  'o=sut'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in o=sut, with filter
(&(objectClass=inetOrgPerson)(cn=asmith))
rlm_ldap: checking if remote access for asmith is allowed by userORGUNIT
rlm_ldap: looking for check items in directory...
rlm_ldap: Adding userORGUNIT as userORGUNIT, value ISITCP & op=21
rlm_ldap: looking for reply items in directory...
rlm_ldap: user asmith authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module "ldap" returns ok for request 2
users: Matched entry DEFAULT at line 25
  modcall[authorize]: module "files" returns ok for request 2
  rlm_eap: EAP packet type response id 4 length 6
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 2
modcall: leaving group authorize (returns updated) for request 2
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 2
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/peap
  rlm_eap: processing type peap
  rlm_eap_peap: Authenticate
  rlm_eap_tls: processing TLS
rlm_eap_tls: Received EAP-TLS ACK message
  rlm_eap_tls: ack handshake fragment handler
  eaptls_verify returned 1
  eaptls_process returned 13
  rlm_eap_peap: EAPTLS_HANDLED
  modcall[authenticate]: module "eap" returns handled for request 2
modcall: leaving group authenticate (returns handled) for request 2
Sending Access-Challenge of id 35 to xxx.xxx.xxx.xxx port 1645
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "226"
EAP-Message =
EAP-Message =
EAP-Message =
0x060355040b13096c6f63616c686f7374311b301906035504031312436c69656e742063657274696669636174653121301f06092a864886f70d0109011612636c69656e74406578616d706c652e636f6d820100300c0603551d13040530030101ff300d06092a864886f70d01010405000381810033c00b66b1e579ef73a06798252dab8d5e5511fc00fd276d80d12f834777c6743fdc2743fca1507704e4bc0979e4f60ac3ad9ee83e6f347369229d1f77229ba2e982359da563024a00163dba6d6c986c0bad28af85132ff8f0d76501bf1b7c2dff658ce1e62c01997b6e64e3e8d4373354ce9912847651539063b85bbc5485c516030100040e00
Message-Authenticator = 0x
State = 0xb4d641b20399b8f92c0d9fb148763ead
Finished request 2
Going to the next request


The users file looks like:


DEFAULT userORGUNIT == "ISITCP"
	Tunnel-Type = VLAN,
	Tunnel-Medium-Type = IEEE-802,
	Tunnel-Private-Group-Id = 5,
	Fall-Through = No

DEFAULT
	Tunnel-Type = VLAN,
	Tunnel-Medium-Type = IEEE-802,
	Tunnel-Private-Group-Id = 226,
	Fall-Through = No


>
> Ivan Kalik
> Kalik Informatika ISP



Re: Dynamic Vlan Allocation based on LDAP Attribute Value

2009-02-16 Thread tnt
>I'm using version 1.1.3 so, I moved the "files" entry below the ldap
>entry but my DEFAULT entry in the file: users does not match or return
>any value.
>

You should upgrade. Did something else match in files? Post the debug.

Ivan Kalik
Kalik Informatika ISP



Re: Dynamic Vlan Allocation based on LDAP Attribute Value

2009-02-16 Thread Paul Dealy
On Tue, Feb 17, 2009 at 11:04 AM,   wrote:
Am I correct in saying that the LDAP-attribute that is mapped to
Tunnel-Private-Group-ID would need to be set to the value of the
VLAN I require?  The LDAP-attribute that I wish to use currently
contains values like "ITISCP" and "ENISCP".  I want to say if
attribute value  == ITISCP set vlan to 226 (ie Tunnel-Private-Group-ID
= 226).  Using ldap.attrmap mappings I would need to store the
required vlan in an LDAP attribute.  (I can't change the LDAP only read
it).

>>>
>>> No. You can define your own attribute (let's say VLAN-Flag) in
>>> raddb/dictionary and use unlang in authorize section to test and set
>>> tunnel attributes.
>>
>>Thanks Ivan,
>>
>>I've configured a dictionary value "userORGUNIT" and added a
>>ldap.attrmap mapping.   I've tried to perform a comparison operation
>>on the value of userORGUNIT in the config file: users.
>>
>>i.e DEFAULT userORGUNIT == "HR"
>> Tunnel-Private-Group-Id = "226"
>>
>>But this does not match, even though debug shows "rlm_ldap: Adding
>>userORGUNIT as userORGUNIT, value HR & op=21"
>>
>>Is this the correct location for these comparison operations?  There
>>are around 50 userORGUNITs that I need to compare against.
>>
>
> Files are normally listed before ldap in authorize. Use unlang switch
> command *after* ldap entry. Or list files after ldap if you are using an
> old version.
Ivan,

I'm using version 1.1.3 so, I moved the "files" entry below the ldap
entry but my DEFAULT entry in the file: users does not match or return
any value.

>
> Ivan Kalik
> Kalik Informatika ISP


Re: Dynamic Vlan Allocation based on LDAP Attribute Value

2009-02-16 Thread tnt
>>>Am I correct in saying that the LDAP-attribute that is mapped to
>>>Tunnel-Private-Group-ID would need to be set to the value of the
>>>VLAN I require?  The LDAP-attribute that I wish to use currently
>>>contains values like "ITISCP" and "ENISCP".  I want to say if
>>>attribute value  == ITISCP set vlan to 226 (ie Tunnel-Private-Group-ID
>>>= 226).  Using ldap.attrmap mappings I would need to store the
>>>required vlan in an LDAP attribute.  (I can't change the LDAP only read
>>>it).
>>>
>>
>> No. You can define your own attribute (let's say VLAN-Flag) in
>> raddb/dictionary and use unlang in authorize section to test and set
>> tunnel attributes.
>
>Thanks Ivan,
>
>I've configured a dictionary value "userORGUNIT" and added a
>ldap.attrmap mapping.   I've tried to perform a comparison operation
>on the value of userORGUNIT in the config file: users.
>
>i.e DEFAULT userORGUNIT == "HR"
> Tunnel-Private-Group-Id = "226"
>
>But this does not match, even though debug shows "rlm_ldap: Adding
>userORGUNIT as userORGUNIT, value HR & op=21"
>
>Is this the correct location for these comparison operations?  There
>are around 50 userORGUNITs that I need to compare against.
>

Files are normally listed before ldap in authorize. Use unlang switch
command *after* ldap entry. Or list files after ldap if you are using an
old version.

Ivan Kalik
Kalik Informatika ISP



Re: Dynamic Vlan Allocation based on LDAP Attribute Value

2009-02-16 Thread Paul Dealy
On Tue, Feb 17, 2009 at 9:50 AM,   wrote:
>>Am I correct in saying that the LDAP-attribute that is mapped to
>>Tunnel-Private-Group-ID would need to be set to the value of the
>>VLAN I require?  The LDAP-attribute that I wish to use currently
>>contains values like "ITISCP" and "ENISCP".  I want to say if
>>attribute value  == ITISCP set vlan to 226 (ie Tunnel-Private-Group-ID
>>= 226).  Using ldap.attrmap mappings I would need to store the
>>required vlan in an LDAP attribute.  (I can't change the LDAP only read
>>it).
>>
>
> No. You can define your own attribute (let's say VLAN-Flag) in
> raddb/dictionary and use unlang in authorize section to test and set
> tunnel attributes.

Thanks Ivan,

I've configured a dictionary value "userORGUNIT" and added a
ldap.attrmap mapping.   I've tried to perform a comparison operation
on the value of userORGUNIT in the config file: users.

i.e DEFAULT userORGUNIT == "HR"
 Tunnel-Private-Group-Id = "226"

But this does not match, even though debug shows "rlm_ldap: Adding
userORGUNIT as userORGUNIT, value HR & op=21"

Is this the correct location for these comparison operations?  There
are around 50 userORGUNITs that I need to compare against.

>
> Ivan Kalik
> Kalik Informatika ISP


Re: Dynamic Vlan Allocation based on LDAP Attribute Value

2009-02-16 Thread tnt
>Am I correct in saying that the LDAP-attribute that is mapped to
>Tunnel-Private-Group-ID would need to be set to the value of the
>VLAN I require?  The LDAP-attribute that I wish to use currently
>contains values like "ITISCP" and "ENISCP".  I want to say if
>attribute value  == ITISCP set vlan to 226 (ie Tunnel-Private-Group-ID
>= 226).  Using ldap.attrmap mappings I would need to store the
>required vlan in an LDAP attribute.  (I can't change the LDAP only read
>it).
>

No. You can define your own attribute (let's say VLAN-Flag) in
raddb/dictionary and use unlang in authorize section to test and set
tunnel attributes.

Ivan Kalik
Kalik Informatika ISP



Re: Dynamic Vlan Allocation based on LDAP Attribute Value

2009-02-16 Thread tnt
>
>I have a value set for an attribute in LDAP, how do I "extract" the
>value from the attribute  and do a comparison on it in the users file
>so I can set the VLAN?
>

ldap.attrmap file in raddb directory.

Ivan Kalik
Kalik Informatika ISP



Re: Dynamic Vlan Allocation based on LDAP Attribute Value

2009-02-13 Thread Michael Schwartzkopff
On Friday, 13 February 2009 12:36:09, Paul Dealy wrote:
> On Fri, Feb 13, 2009 at 10:16 PM, Michael Schwartzkopff
>
>  wrote:
> > On Friday, 13 February 2009 11:54:29, Paul Dealy wrote:
> >> On Fri, Feb 13, 2009 at 9:12 PM, Michael Schwartzkopff
> >>
> >>  wrote:
> >> > On Friday, 13 February 2009 11:00:10, Paul Dealy wrote:
> >> >> On Fri, Feb 13, 2009 at 6:37 PM, Michael Schwartzkopff
> >> >>
> >> >>  wrote:
> >> >> > On Friday, 13 February 2009 07:17:17, Paul Dealy wrote:
> >> >> >> I have a working radius server (ver 1.1.3). which I am using for
> >> >> >> 802.1x authentication of wired switch ports.  I would like to
> >> >> >> dynamically assign users vlans.  I have cisco gear and have
> >> >> >> achieved basic vlan allocation by configuring a Default entry in
> >> >> >> the users file.   So the vlan allocation part works ok.
> >> >> >>
> >> >> >> What I want to be able to do is allocate the vlan by matching the
> >> >> >> value of an LDAP attribute.  Not by group membership, but the
> >> >> >> actual value of a users attribute.  Is this possible?
> >> >> >>
> >> >> >> Cheers,
> >> >> >> Dealy
> >> >> >
> >> >> > Yes. Just assign these attributes to the user object in LDAP.
> >> >>
> >> >> I have a value set for an attribute in LDAP, how do I "extract" the
> >> >> value from the attribute  and do a comparison on it in the users file
> >> >> so I can set the VLAN?
> >> >
> >> > Hi,
> >> >
> >> > I don't remember exactly what I did on version 1. Please see:
> >> > http://vuksan.com/linux/dot1x/802-1x-LDAP.html
> >> > for some hints.
> >> >
> >> > I had something like
> >> >
> >> > DEFAULT Auth-Type := LDAP
> >> >         Reply-Message = "Auth by LDAP"
> >> >
> >> > in my users file. Other attributes stored in an object of objectClass
> >> > radiusprofile should be added automatically to the Reply attributes.
> >>
> >> I don't actually want to add radiusprofile attributes to my LDAP.  The
> >> users already have an attribute which identifies their department.  I
> >> want to be able to say if "department attribute = X then allocate VLAN
> >> Y".  Can this be done without specifically setting the vlan etc as
> >> radiusprofile attributes.  Also I am not using ldap for the
> >> authentication, just authorization.  The authentication is done using
> >> ntlm_auth.
> >
> > Then you would have to re-map some LDAP-attribute of your objectClass to
> > Tunnel-Private-Group-ID. The Tunnel-Type=VLAN and
> > Tunnel-Medium-Type=IEEE-802 could be set in the DEFAULT section of the
> > users file.
> >
> > Please see the ldap.attrmap in your raddb dir for the mapping of
> > attributes.
>
> Am I correct in saying that the LDAP-attribute that is mapped to
> Tunnel-Private-Group-ID would need to be set to the value of the
> VLAN I require?  The LDAP-attribute that I wish to use currently
> contains values like "ITISCP" and "ENISCP".  I want to say if
> attribute value  == ITISCP set vlan to 226 (ie Tunnel-Private-Group-ID
> = 226).  Using ldap.attrmap mappings I would need to store the
> required vlan in an LDAP attribute.  (I can't change the LDAP only read
> it).
>
> Cheers
>
> > Greetings,

See also:
http://www.linux-magazine.com/issue/52/Freeradius_802.1X.pdf

-- 
Dr. Michael Schwartzkopff
MultiNET Services GmbH
Address: Bretonischer Ring 7; 85630 Grasbrunn; Germany
Tel: +49 - 89 - 45 69 11 0
Fax: +49 - 89 - 45 69 11 21
mob: +49 - 174 - 343 28 75

mail: mi...@multinet.de
web: www.multinet.de

Registered office: 85630 Grasbrunn
Register court: Amtsgericht München HRB 114375
Managing directors: Günter Jurgeneit, Hubert Martens

---

PGP Fingerprint: F919 3919 FF12 ED5A 2801 DEA6 AA77 57A4 EDD8 979B
Skype: misch42



Re: Dynamic Vlan Allocation based on LDAP Attribute Value

2009-02-13 Thread Michael Schwartzkopff
On Friday, 13 February 2009 13:39:49, Paul Dealy wrote:
> On Fri, Feb 13, 2009 at 11:22 PM, Michael Schwartzkopff
>
>  wrote:
> > On Friday, 13 February 2009 12:36:09, Paul Dealy wrote:
> >> On Fri, Feb 13, 2009 at 10:16 PM, Michael Schwartzkopff
> >>
> >>  wrote:
> >> > On Friday, 13 February 2009 11:54:29, Paul Dealy wrote:
> >> >> On Fri, Feb 13, 2009 at 9:12 PM, Michael Schwartzkopff
> >> >>
> >> >>  wrote:
> >> >> > On Friday, 13 February 2009 11:00:10, Paul Dealy wrote:
> >> >> >> On Fri, Feb 13, 2009 at 6:37 PM, Michael Schwartzkopff
> >> >> >>
> >> >> >>  wrote:
> >> >> >> > On Friday, 13 February 2009 07:17:17, Paul Dealy wrote:
> >> >> >> >> I have a working radius server (ver 1.1.3). which I am using
> >> >> >> >> for 802.1x authentication of wired switch ports.  I would like
> >> >> >> >> to dynamically assign users vlans.  I have cisco gear and have
> >> >> >> >> achieved basic vlan allocation by configuring a Default entry
> >> >> >> >> in the users file.   So the vlan allocation part works ok.
> >> >> >> >>
> >> >> >> >> What I want to be able to do is allocate the vlan by matching
> >> >> >> >> the value of an LDAP attribute.  Not by group membership, but
> >> >> >> >> the actual value of a users attribute.  Is this possible?
> >> >> >> >>
> >> >> >> >> Cheers,
> >> >> >> >> Dealy
> >> >> >> >
> >> >> >> > Yes. Just assign these attributes to the user object in LDAP.
> >> >> >>
> >> >> >> I have a value set for an attribute in LDAP, how do I "extract"
> >> >> >> the value from the attribute  and do a comparison on it in the
> >> >> >> users file so I can set the VLAN?
> >> >> >
> >> >> > Hi,
> >> >> >
> >> >> > I don't remember exactly what I did on version 1. Please see:
> >> >> > http://vuksan.com/linux/dot1x/802-1x-LDAP.html
> >> >> > for some hints.
> >> >> >
> >> >> > I had something like
> >> >> >
> >> >> > DEFAULT Auth-Type := LDAP
> >> >> >         Reply-Message = "Auth by LDAP"
> >> >> >
> >> >> > in my users file. Other attributes stored in an object of
> >> >> > objectClass radiusprofile should be added automatically to the
> >> >> > Reply attributes.
> >> >>
> >> >> I don't actually want to add radiusprofile attributes to my LDAP. 
> >> >> The users already have an attribute which identifies their
> >> >> department.  I want to be able to say if "department attribute = X
> >> >> then allocate VLAN Y".  Can this be done without specifically setting
> >> >> the vlan etc as radiusprofile attributes.  Also I am not using ldap
> >> >> for the
> >> >> authentication, just authorization.  The authentication is done using
> >> >> ntlm_auth.
> >> >
> >> > Then you would have to re-map some LDAP-attribute of your objectClass
> >> > to Tunnel-Private-Group-ID. The Tunnel-Type=VLAN and
> >> > Tunnel-Medium-Type=IEEE-802 could be set in the DEFAULT section of the
> >> > users file.
> >> >
> >> > Please see the ldap.attrmap in your raddb dir for the mapping of
> >> > attributes.
> >>
> >> Am I correct in saying that the LDAP-attribute that is mapped to
> >> Tunnel-Private-Group-ID would need to be set to the value of the
> >> VLAN I require?  The LDAP-attribute that I wish to use currently
> >> contains values like "ITISCP" and "ENISCP".  I want to say if
> >> attribute value  == ITISCP set vlan to 226 (ie Tunnel-Private-Group-ID
> >> = 226).  Using ldap.attrmap mappings I would need to store the
> >> required vlan in an LDAP attribute.  (I can't change the LDAP only read
> >> it).
> >
> > Even more complicated. Sorry, I did not read your previous mail
> > completely.
> >
> > Sending the department attribute (i.e. "ITISCP") might work if the switch
> > understands it and can map it to the correct VLAN numbers. As far as I
> > know, this can be done with Cisco. On other switches you have to see in
> > the user manual if you can attach names to VLANs.
> >
> > Otherwise you would have to add a new ou=profiles with several
> > cn= of the objectClass radiusprofile. This radiusprofile would
> > indicate the correct VLAN number.
> >
> > Then you could use the profile_attribute of the ldap module to point to
> > the correct LDAP attribute of the user object that points to the correct
> > attribute.  But you would have to fill that attribute manually with
> > something like:
> > cn=vlan42profile,ou=profiles,ou=radius,dc=sample,dc=org
> >
> > Perhaps it is better to do that automated by scripting, deduced from the
> > department attribute every hour. But when you start scripting that you
> > also could deduce the VLAN number from the department and fill this into
> > an attribute of the user itself and change ldap.attrmap pointing to that
> > attribute.
> >
> > Greetings,

Re: Dynamic Vlan Allocation based on LDAP Attribute Value

2009-02-13 Thread Paul Dealy
On Fri, Feb 13, 2009 at 11:22 PM, Michael Schwartzkopff
 wrote:
> On Friday, 13 February 2009 12:36:09, Paul Dealy wrote:
>> On Fri, Feb 13, 2009 at 10:16 PM, Michael Schwartzkopff
>>
>>  wrote:
>> > On Friday, 13 February 2009 11:54:29, Paul Dealy wrote:
>> >> On Fri, Feb 13, 2009 at 9:12 PM, Michael Schwartzkopff
>> >>
>> >>  wrote:
>> >> > On Friday, 13 February 2009 11:00:10, Paul Dealy wrote:
>> >> >> On Fri, Feb 13, 2009 at 6:37 PM, Michael Schwartzkopff
>> >> >>
>> >> >>  wrote:
>> >> >> > On Friday, 13 February 2009 07:17:17, Paul Dealy wrote:
>> >> >> >> I have a working radius server (ver 1.1.3). which I am using for
>> >> >> >> 802.1x authentication of wired switch ports.  I would like to
>> >> >> >> dynamically assign users vlans.  I have cisco gear and have
>> >> >> >> achieved basic vlan allocation by configuring a Default entry in
>> >> >> >> the users file.   So the vlan allocation part works ok.
>> >> >> >>
>> >> >> >> What I want to be able to do is allocate the vlan by matching the
>> >> >> >> value of an LDAP attribute.  Not by group membership, but the
>> >> >> >> actual value of a users attribute.  Is this possible?
>> >> >> >>
>> >> >> >> Cheers,
>> >> >> >> Dealy
>> >> >> >
>> >> >> > Yes. Just assign these attributes to the user object in LDAP.
>> >> >>
>> >> >> I have a value set for an attribute in LDAP, how do I "extract" the
>> >> >> value from the attribute  and do a comparison on it in the users file
>> >> >> so I can set the VLAN?
>> >> >
>> >> > Hi,
>> >> >
>> >> > I don't remember exactly what I did on version 1. Please see:
>> >> > http://vuksan.com/linux/dot1x/802-1x-LDAP.html
>> >> > for some hints.
>> >> >
>> >> > I had something like
>> >> >
>> >> > DEFAULT Auth-Type := LDAP
>> >> >         Reply-Message = "Auth by LDAP"
>> >> >
>> >> > in my users file. Other attributes stored in an object of objectClass
>> >> > radiusprofile should be added automatically to the Reply attributes.
>> >>
>> >> I don't actually want to add radiusprofile attributes to my LDAP.  The
>> >> users already have an attribute which identifies their department.  I
>> >> want to be able to say if "department attribute = X then allocate VLAN
>> >> Y".  Can this be done without specifically setting the vlan etc as
>> >> radiusprofile attributes.  Also I am not using ldap for the
>> >> authentication, just authorization.  The authentication is done using
>> >> ntlm_auth.
>> >
>> > Then you would have to re-map some LDAP-attribute of your objectClass to
>> > Tunnel-Private-Group-ID. The Tunnel-Type=VLAN and
>> > Tunnel-Medium-Type=IEEE-802 could be set in the DEFAULT section of the
>> > users file.
>> >
>> > Please see the ldap.attrmap in your raddb dir for the mapping of
>> > attributes.
>>
>> Am I correct in saying that the LDAP-attribute that is mapped to
>> Tunnel-Private-Group-ID would need to be set to the value of the
>> VLAN I require?  The LDAP-attribute that I wish to use currently
>> contains values like "ITISCP" and "ENISCP".  I want to say if
>> attribute value  == ITISCP set vlan to 226 (ie Tunnel-Private-Group-ID
>> = 226).  Using ldap.attrmap mappings I would need to store the
>> required vlan in an LDAP attribute.  (I can't change the LDAP only read
>> it).
>
> Even more complicated. Sorry, I did not read your previous mail completely.
>
> Sending the department attribute (i.e. "ITISCP") might work if the switch
> understands it and can map it to the correct VLAN numbers. As far as I know,
> this can be done with Cisco. On other switches you have to see in the user
> manual if you can attach names to VLANs.
>
> Otherwise you would have to add a new ou=profiles with several cn= of
> the objectClass radiusprofile. This radiusprofile would indicate the correct
> VLAN number.
>
> Then you could use the profile_attribute of the ldap module to point to the
> correct LDAP attribute of the user object that points to the correct
> attribute.  But you would have to fill that attribute manually with something
> like:
> cn=vlan42profile,ou=profiles,ou=radius,dc=sample,dc=org
>
> Perhaps it is better to do that automated by scripting, deduced from the
> department attribute every hour. But when you start scripting that you also
> could deduce the VLAN number from the department and fill this into an
> attribute of the user itself and change ldap.attrmap pointing to that
> attribute.
>
> Greetings,

Thanks for

Re: Dynamic Vlan Allocation based on LDAP Attribute Value

2009-02-13 Thread Michael Schwartzkopff
On Friday, 13 February 2009 12:36:09, Paul Dealy wrote:
> On Fri, Feb 13, 2009 at 10:16 PM, Michael Schwartzkopff
>
>  wrote:
> > On Friday, 13 February 2009 11:54:29, Paul Dealy wrote:
> >> On Fri, Feb 13, 2009 at 9:12 PM, Michael Schwartzkopff
> >>
> >>  wrote:
> >> > On Friday, 13 February 2009 11:00:10, Paul Dealy wrote:
> >> >> On Fri, Feb 13, 2009 at 6:37 PM, Michael Schwartzkopff
> >> >>
> >> >>  wrote:
> >> >> > On Friday, 13 February 2009 07:17:17, Paul Dealy wrote:
> >> >> >> I have a working radius server (ver 1.1.3). which I am using for
> >> >> >> 802.1x authentication of wired switch ports.  I would like to
> >> >> >> dynamically assign users vlans.  I have cisco gear and have
> >> >> >> achieved basic vlan allocation by configuring a Default entry in
> >> >> >> the users file.   So the vlan allocation part works ok.
> >> >> >>
> >> >> >> What I want to be able to do is allocate the vlan by matching the
> >> >> >> value of an LDAP attribute.  Not by group membership, but the
> >> >> >> actual value of a users attribute.  Is this possible?
> >> >> >>
> >> >> >> Cheers,
> >> >> >> Dealy
> >> >> >
> >> >> > Yes. Just assign these attributes to the user object in LDAP.
> >> >>
> >> >> I have a value set for an attribute in LDAP, how do I "extract" the
> >> >> value from the attribute  and do a comparison on it in the users file
> >> >> so I can set the VLAN?
> >> >
> >> > Hi,
> >> >
> >> > I don't remember exactly what I did on version 1. Please see:
> >> > http://vuksan.com/linux/dot1x/802-1x-LDAP.html
> >> > for some hints.
> >> >
> >> > I had something like
> >> >
> >> > DEFAULT Auth-Type := LDAP
> >> >         Reply-Message = "Auth by LDAP"
> >> >
> >> > in my users file. Other attributes stored in an object of objectClass
> >> > radiusprofile should be added automatically to the Reply attributes.
> >>
> >> I don't actually want to add radiusprofile attributes to my LDAP.  The
> >> users already have an attribute which identifies their department.  I
> >> want to be able to say if "department attribute = X then allocate VLAN
> >> Y".  Can this be done without specifically setting the vlan etc as
> >> radiusprofile attributes.  Also I am not using ldap for the
> >> authentication, just authorization.  The authentication is done using
> >> ntlm_auth.
> >
> > Then you would have to re-map some LDAP-attribute of your objectClass to
> > Tunnel-Private-Group-ID. The Tunnel-Type=VLAN and
> > Tunnel-Medium-Type=IEEE-802 could be set in the DEFAULT section of the
> > users file.
> >
> > Please see the ldap.attrmap in your raddb dir for the mapping of
> > attributes.
>
> Am I correct in saying that the LDAP-attribute that is mapped to
> Tunnel-Private-Group-ID would need to be set to the value of the
> VLAN I require?  The LDAP-attribute that I wish to use currently
> contains values like "ITISCP" and "ENISCP".  I want to say if
> attribute value  == ITISCP set vlan to 226 (ie Tunnel-Private-Group-ID
> = 226).  Using ldap.attrmap mappings I would need to store the
> required vlan in an LDAP attribute.  (I can't change the LDAP only read
> it).
>
> Cheers

Hi,

Forget my last mail. I did not think it through to the end.

Create a radiusprofile object, fill in the correct VLAN values for the
departments and set up group membership to your needs according to the section

# Group membership checking.  Disabled by default.
#
# groupname_attribute = cn
# groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{control:Ldap-UserDn})))"
# groupmembership_attribute = radiusGroupName

Then the group points to the department and the radiusprofile object of that
department adds the correct VLAN number.



Re: Dynamic Vlan Allocation based on LDAP Attribute Value

2009-02-13 Thread Michael Schwartzkopff
On Friday, 13 February 2009 12:36:09, Paul Dealy wrote:
> On Fri, Feb 13, 2009 at 10:16 PM, Michael Schwartzkopff
>
>  wrote:
> > On Friday, 13 February 2009 11:54:29, Paul Dealy wrote:
> >> On Fri, Feb 13, 2009 at 9:12 PM, Michael Schwartzkopff
> >>
> >>  wrote:
> >> > On Friday, 13 February 2009 11:00:10, Paul Dealy wrote:
> >> >> On Fri, Feb 13, 2009 at 6:37 PM, Michael Schwartzkopff
> >> >>
> >> >>  wrote:
> >> >> > On Friday, 13 February 2009 07:17:17, Paul Dealy wrote:
> >> >> >> I have a working radius server (ver 1.1.3). which I am using for
> >> >> >> 802.1x authentication of wired switch ports.  I would like to
> >> >> >> dynamically assign users vlans.  I have cisco gear and have
> >> >> >> achieved basic vlan allocation by configuring a Default entry in
> >> >> >> the users file.   So the vlan allocation part works ok.
> >> >> >>
> >> >> >> What I want to be able to do is allocate the vlan by matching the
> >> >> >> value of an LDAP attribute.  Not by group membership, but the
> >> >> >> actual value of a users attribute.  Is this possible?
> >> >> >>
> >> >> >> Cheers,
> >> >> >> Dealy
> >> >> >
> >> >> > Yes. Just assign these attributes to the user object in LDAP.
> >> >>
> >> >> I have a value set for an attribute in LDAP, how do I "extract" the
> >> >> value from the attribute  and do a comparison on it in the users file
> >> >> so I can set the VLAN?
> >> >
> >> > Hi,
> >> >
> >> > I don't remember exactly what I did on version 1. Please see:
> >> > http://vuksan.com/linux/dot1x/802-1x-LDAP.html
> >> > for some hints.
> >> >
> >> > I had something like
> >> >
> >> > DEFAULT Auth-Type := LDAP
> >> >         Reply-Message = "Auth by LDAP"
> >> >
> >> > in my users file. Other attributes stored in an object of objectClass
> >> > radiusprofile should be added automatically to the Reply attributes.
> >>
> >> I don't actually want to add radiusprofile attributes to my LDAP.  The
> >> users already have an attribute which identifies their department.  I
> >> want to be able to say if "department attribute = X then allocate VLAN
> >> Y".  Can this be done without specifically setting the vlan etc. as
> >> radiusprofile attributes?  Also I am not using ldap for the
> >> authentication, just authorization.  The authentication is done using
> >> ntlm_auth.
> >
> > Then you would have to re-map some LDAP-attribute of your objectClass to
> > Tunnel-Private-Group-ID. The Tunnel-Type=VLAN and
> > Tunnel-Medium-Type=IEEE-802 could be set in the DEFAULT section of the
> > users file.
> >
> > Please see the ldap.attrmap in your raddb dir for the mapping of
> > attributes.
>
> Am I correct in saying that the LDAP-attribute that is mapped to
> Tunnel-Private-Group-ID would need to be set to the value of the
> VLAN I require?  The LDAP-attribute that I wish to use currently
> contains values like "ITISCP" and "ENISCP".  I want to say if
> attribute value == ITISCP set vlan to 226 (i.e. Tunnel-Private-Group-ID
> = 226).  Using ldap.attrmap mappings I would need to store the
> required vlan in an LDAP attribute.  (I can't change the LDAP, only read
> it).

Even more complicated. Sorry, I did not read your previous mail completely.

Sending the department attribute (i.e. "ITISCP") might work if the switch
understands it and can map it to the correct VLAN numbers. As far as I know,
this can be done with Cisco. On other switches you have to check in the user
manual whether you can attach names to VLANs.

Otherwise you would have to add a new ou=profiles with several cn= of
the objectClass radiusprofile. This radiusprofile would indicate the correct
VLAN number.

Then you could use the profile_attribute of the ldap module to point to the 
correct LDAP attribute of the user object that points to the correct 
attribute.  But you would have to fill that attribute manually with something 
like:
cn=vlan42profile,ou=profiles,ou=radius,dc=sample,dc=org

Perhaps it is better to do that automatically with a script, deduced from the
department attribute every hour. But when you start scripting that, you also
could deduce the VLAN number from the department and fill this into an attribute
of the user itself and change ldap.attrmap to point to that attribute.

Greetings,
-- 
Dr. Michael Schwartzkopff
MultiNET Services GmbH
Address: Bretonischer Ring 7; 85630 Grasbrunn; Germany
Tel: +49 - 89 - 45 69 11 0
Fax: +49 - 89 - 45 69 11 21
mob: +49 - 174 - 343 28 75

mail: mi...@multinet.de
web: www.multinet.de

Registered office: 85630 Grasbrunn
Court of registration: Amtsgericht München HRB 114375
Managing directors: Günter Jurgeneit, Hubert Martens

---

PGP Fingerprint: F919 3919 FF12 ED5A 2801 DEA6 AA77 57A4 EDD8 979B
Skype: misch42

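As an added example, not taken from the thread or from the FreeRADIUS project: the idea Michael sketches (map the LDAP attribute through ldap.attrmap, set Tunnel-Type, Tunnel-Medium-Type and Tunnel-Private-Group-ID in the server) written as FreeRADIUS 2.x unlang, where the mapped value can be compared directly in the authorize section. It assumes the version 2 upgrade Michael recommends; the local attribute name Department, its dictionary number 3000 and the reject fallback are assumptions, while userORGUNIT, ITISCP, ENISCP and VLAN 226 are the thread's own values.

```text
# --- raddb/dictionary ---------------------------------------------------
# A server-internal attribute to carry the department value. The name
# Department and the number 3000 are assumptions for this example.
ATTRIBUTE	Department	3000	string

# --- raddb/ldap.attrmap -------------------------------------------------
# Copy the LDAP attribute userORGUNIT into the control list (check items)
# as Department on every authorize. Leave compare_check_items at its
# default (no) in modules/ldap so the value is stored, not compared
# against the Access-Request.
checkItem	Department	userORGUNIT

# --- raddb/sites-enabled/default, authorize section -----------------------
authorize {
	preprocess
	mschap			# authentication stays with ntlm_auth / MS-CHAP
	ldap			# authorization only: fills control:Department

	# Decide the VLAN from the attribute value, not from group membership.
	# ":=" overwrites any Tunnel-* a users-file DEFAULT entry may have set.
	if (control:Department == "ITISCP") {
		update reply {
			Tunnel-Type := VLAN
			Tunnel-Medium-Type := IEEE-802
			Tunnel-Private-Group-ID := "226"
		}
	}
	elsif (control:Department == "ENISCP") {
		update reply {
			Tunnel-Type := VLAN
			Tunnel-Medium-Type := IEEE-802
			# placeholder: the thread gives no VLAN number for ENISCP
			Tunnel-Private-Group-ID := "<VLAN-for-ENISCP>"
		}
	}
	else {
		# Missing or unknown department (user not found in LDAP, attribute
		# unset, unexpected value): do not let the port fall back to its
		# default VLAN. Refuse the session, or map to a restricted VLAN.
		reject
	}
}
```

With `radiusd -X`, a matching request shows rlm_ldap adding Department to the control list followed by the `update reply` branch that fired, which is the quickest way to confirm the attrmap line is actually being applied.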


Re: Dynamic Vlan Allocation based on LDAP Attribute Value

2009-02-13 Thread Paul Dealy
On Fri, Feb 13, 2009 at 10:16 PM, Michael Schwartzkopff
 wrote:
> On Friday, 13 February 2009 11:54:29, Paul Dealy wrote:
>> On Fri, Feb 13, 2009 at 9:12 PM, Michael Schwartzkopff
>>
>>  wrote:
>> > On Friday, 13 February 2009 11:00:10, Paul Dealy wrote:
>> >> On Fri, Feb 13, 2009 at 6:37 PM, Michael Schwartzkopff
>> >>
>> >>  wrote:
>> >> > On Friday, 13 February 2009 07:17:17, Paul Dealy wrote:
>> >> >> I have a working radius server (ver 1.1.3), which I am using for
>> >> >> 802.1x authentication of wired switch ports.  I would like to
>> >> >> dynamically assign users vlans.  I have Cisco gear and have achieved
>> >> >> basic vlan allocation by configuring a Default entry in the users
>> >> >> file.   So the vlan allocation part works ok.
>> >> >>
>> >> >> What I want to be able to do is allocate the vlan by matching the
>> >> >> value of an LDAP attribute.  Not by group membership, but the actual
>> >> >> value of a users attribute.  Is this possible?
>> >> >>
>> >> >> Cheers,
>> >> >> Dealy
>> >> >
>> >> > Yes. Just assign these attributes to the user object in LDAP.
>> >>
>> >> I have a value set for an attribute in LDAP, how do I "extract" the
>> >> value from the attribute  and do a comparison on it in the users file
>> >> so I can set the VLAN?
>> >
>> > Hi,
>> >
>> > I don't remember exactly what I did on version 1. Please see:
>> > http://vuksan.com/linux/dot1x/802-1x-LDAP.html
>> > for some hints.
>> >
>> > I had something like
>> >
>> > DEFAULT Auth-Type := LDAP
>> >         Reply-Message = "Auth by LDAP"
>> >
>> > in my users file. Other attributes stored in an object of objectClass
>> > radiusprofile should be added automatically to the Reply attributes.
>>
>> I don't actually want to add radiusprofile attributes to my LDAP.  The
>> users already have an attribute which identifies their department.  I
>> want to be able to say if "department attribute = X then allocate VLAN
>> Y".  Can this be done without specifically setting the vlan etc. as
>> radiusprofile attributes?  Also I am not using ldap for the
>> authentication, just authorization.  The authentication is done using
>> ntlm_auth.
>
> Then you would have to re-map some LDAP-attribute of your objectClass to
> Tunnel-Private-Group-ID. The Tunnel-Type=VLAN and Tunnel-Medium-Type=IEEE-802
> could be set in the DEFAULT section of the users file.
>
> Please see the ldap.attrmap in your raddb dir for the mapping of attributes.

Am I correct in saying that the LDAP-attribute that is mapped to
Tunnel-Private-Group-ID would need to be set to the value of the
VLAN I require?  The LDAP-attribute that I wish to use currently
contains values like "ITISCP" and "ENISCP".  I want to say if
attribute value == ITISCP set vlan to 226 (i.e. Tunnel-Private-Group-ID
= 226).  Using ldap.attrmap mappings I would need to store the
required vlan in an LDAP attribute.  (I can't change the LDAP, only read
it).

Cheers

>
> Greetings,
>



Re: Dynamic Vlan Allocation based on LDAP Attribute Value

2009-02-13 Thread Michael Schwartzkopff
On Friday, 13 February 2009 11:54:29, Paul Dealy wrote:
> On Fri, Feb 13, 2009 at 9:12 PM, Michael Schwartzkopff
>
>  wrote:
> > On Friday, 13 February 2009 11:00:10, Paul Dealy wrote:
> >> On Fri, Feb 13, 2009 at 6:37 PM, Michael Schwartzkopff
> >>
> >>  wrote:
> >> > On Friday, 13 February 2009 07:17:17, Paul Dealy wrote:
> >> >> I have a working radius server (ver 1.1.3), which I am using for
> >> >> 802.1x authentication of wired switch ports.  I would like to
> >> >> dynamically assign users vlans.  I have Cisco gear and have achieved
> >> >> basic vlan allocation by configuring a Default entry in the users
> >> >> file.   So the vlan allocation part works ok.
> >> >>
> >> >> What I want to be able to do is allocate the vlan by matching the
> >> >> value of an LDAP attribute.  Not by group membership, but the actual
> >> >> value of a users attribute.  Is this possible?
> >> >>
> >> >> Cheers,
> >> >> Dealy
> >> >
> >> > Yes. Just assign these attributes to the user object in LDAP.
> >>
> >> I have a value set for an attribute in LDAP, how do I "extract" the
> >> value from the attribute  and do a comparison on it in the users file
> >> so I can set the VLAN?
> >
> > Hi,
> >
> > I don't remember exactly what I did on version 1. Please see:
> > http://vuksan.com/linux/dot1x/802-1x-LDAP.html
> > for some hints.
> >
> > I had something like
> >
> > DEFAULT Auth-Type := LDAP
> >         Reply-Message = "Auth by LDAP"
> >
> > in my users file. Other attributes stored in an object of objectClass
> > radiusprofile should be added automatically to the Reply attributes.
>
> I don't actually want to add radiusprofile attributes to my LDAP.  The
> users already have an attribute which identifies their department.  I
> want to be able to say if "department attribute = X then allocate VLAN
> Y".  Can this be done without specifically setting the vlan etc. as
> radiusprofile attributes?  Also I am not using ldap for the
> authentication, just authorization.  The authentication is done using
> ntlm_auth.

Then you would have to re-map some LDAP-attribute of your objectClass to 
Tunnel-Private-Group-ID. The Tunnel-Type=VLAN and Tunnel-Medium-Type=IEEE-802 
could be set in the DEFAULT section of the users file.

Please see the ldap.attrmap in your raddb dir for the mapping of attributes.

Greetings,

-- 
Dr. Michael Schwartzkopff
MultiNET Services GmbH
Address: Bretonischer Ring 7; 85630 Grasbrunn; Germany
Tel: +49 - 89 - 45 69 11 0
Fax: +49 - 89 - 45 69 11 21
mob: +49 - 174 - 343 28 75

mail: mi...@multinet.de
web: www.multinet.de

Registered office: 85630 Grasbrunn
Court of registration: Amtsgericht München HRB 114375
Managing directors: Günter Jurgeneit, Hubert Martens

---

PGP Fingerprint: F919 3919 FF12 ED5A 2801 DEA6 AA77 57A4 EDD8 979B
Skype: misch42



Re: Dynamic Vlan Allocation based on LDAP Attribute Value

2009-02-13 Thread Paul Dealy
On Fri, Feb 13, 2009 at 9:12 PM, Michael Schwartzkopff
 wrote:
> On Friday, 13 February 2009 11:00:10, Paul Dealy wrote:
>> On Fri, Feb 13, 2009 at 6:37 PM, Michael Schwartzkopff
>>
>>  wrote:
>> > On Friday, 13 February 2009 07:17:17, Paul Dealy wrote:
>> >> I have a working radius server (ver 1.1.3), which I am using for
>> >> 802.1x authentication of wired switch ports.  I would like to
>> >> dynamically assign users vlans.  I have Cisco gear and have achieved
>> >> basic vlan allocation by configuring a Default entry in the users
>> >> file.   So the vlan allocation part works ok.
>> >>
>> >> What I want to be able to do is allocate the vlan by matching the
>> >> value of an LDAP attribute.  Not by group membership, but the actual
>> >> value of a users attribute.  Is this possible?
>> >>
>> >> Cheers,
>> >> Dealy
>> >
>> > Yes. Just assign these attributes to the user object in LDAP.
>>
>> I have a value set for an attribute in LDAP, how do I "extract" the
>> value from the attribute  and do a comparison on it in the users file
>> so I can set the VLAN?
>
> Hi,
>
> I don't remember exactly what I did on version 1. Please see:
> http://vuksan.com/linux/dot1x/802-1x-LDAP.html
> for some hints.
>
> I had something like
>
> DEFAULT Auth-Type := LDAP
>         Reply-Message = "Auth by LDAP"
>
> in my users file. Other attributes stored in an object of objectClass
> radiusprofile should be added automatically to the Reply attributes.

I don't actually want to add radiusprofile attributes to my LDAP.  The
users already have an attribute which identifies their department.  I
want to be able to say if "department attribute = X then allocate VLAN
Y".  Can this be done without specifically setting the vlan etc. as
radiusprofile attributes?  Also I am not using ldap for the
authentication, just authorization.  The authentication is done using
ntlm_auth.

>
> It is much simpler in version 2 of FreeRADIUS. It nearly works out of the box.
> Just uncomment the ldap part in authorization and authentication sections.
>
> Greetings,
>
>



Re: Dynamic Vlan Allocation based on LDAP Attribute Value

2009-02-13 Thread Michael Schwartzkopff
On Friday, 13 February 2009 11:00:10, Paul Dealy wrote:
> On Fri, Feb 13, 2009 at 6:37 PM, Michael Schwartzkopff
>
>  wrote:
> > On Friday, 13 February 2009 07:17:17, Paul Dealy wrote:
> >> I have a working radius server (ver 1.1.3), which I am using for
> >> 802.1x authentication of wired switch ports.  I would like to
> >> dynamically assign users vlans.  I have Cisco gear and have achieved
> >> basic vlan allocation by configuring a Default entry in the users
> >> file.   So the vlan allocation part works ok.
> >>
> >> What I want to be able to do is allocate the vlan by matching the
> >> value of an LDAP attribute.  Not by group membership, but the actual
> >> value of a users attribute.  Is this possible?
> >>
> >> Cheers,
> >> Dealy
> >
> > Yes. Just assign these attributes to the user object in LDAP.
>
> I have a value set for an attribute in LDAP, how do I "extract" the
> value from the attribute  and do a comparison on it in the users file
> so I can set the VLAN?

Hi,

I don't remember exactly what I did on version 1. Please see:
http://vuksan.com/linux/dot1x/802-1x-LDAP.html
for some hints.

I had something like

DEFAULT Auth-Type := LDAP
        Reply-Message = "Auth by LDAP"

in my users file. Other attributes stored in an object of objectClass 
radiusprofile should be added automatically to the Reply attributes.

It is much simpler in version 2 of FreeRADIUS. It nearly works out of the box. 
Just uncomment the ldap part in authorization and authentication sections.

Greetings,


-- 
Dr. Michael Schwartzkopff
MultiNET Services GmbH
Address: Bretonischer Ring 7; 85630 Grasbrunn; Germany
Tel: +49 - 89 - 45 69 11 0
Fax: +49 - 89 - 45 69 11 21
mob: +49 - 174 - 343 28 75

mail: mi...@multinet.de
web: www.multinet.de

Registered office: 85630 Grasbrunn
Court of registration: Amtsgericht München HRB 114375
Managing directors: Günter Jurgeneit, Hubert Martens

---

PGP Fingerprint: F919 3919 FF12 ED5A 2801 DEA6 AA77 57A4 EDD8 979B
Skype: misch42



Re: Dynamic Vlan Allocation based on LDAP Attribute Value

2009-02-13 Thread Paul Dealy
On Fri, Feb 13, 2009 at 6:37 PM, Michael Schwartzkopff
 wrote:
> On Friday, 13 February 2009 07:17:17, Paul Dealy wrote:
>> I have a working radius server (ver 1.1.3), which I am using for
>> 802.1x authentication of wired switch ports.  I would like to
>> dynamically assign users vlans.  I have Cisco gear and have achieved
>> basic vlan allocation by configuring a Default entry in the users
>> file.   So the vlan allocation part works ok.
>>
>> What I want to be able to do is allocate the vlan by matching the
>> value of an LDAP attribute.  Not by group membership, but the actual
>> value of a users attribute.  Is this possible?
>>
>> Cheers,
>> Dealy
>
> Yes. Just assign these attributes to the user object in LDAP.

I have a value set for an attribute in LDAP, how do I "extract" the
value from the attribute  and do a comparison on it in the users file
so I can set the VLAN?





Re: Dynamic Vlan Allocation based on LDAP Attribute Value

2009-02-12 Thread Michael Schwartzkopff
On Friday, 13 February 2009 07:17:17, Paul Dealy wrote:
> I have a working radius server (ver 1.1.3), which I am using for
> 802.1x authentication of wired switch ports.  I would like to
> dynamically assign users vlans.  I have Cisco gear and have achieved
> basic vlan allocation by configuring a Default entry in the users
> file.   So the vlan allocation part works ok.
>
> What I want to be able to do is allocate the vlan by matching the
> value of an LDAP attribute.  Not by group membership, but the actual
> value of a users attribute.  Is this possible?
>
> Cheers,
> Dealy

Yes. Just assign these attributes to the user object in LDAP.


-- 
Dr. Michael Schwartzkopff
MultiNET Services GmbH
Address: Bretonischer Ring 7; 85630 Grasbrunn; Germany
Tel: +49 - 89 - 45 69 11 0
Fax: +49 - 89 - 45 69 11 21
mob: +49 - 174 - 343 28 75

mail: mi...@multinet.de
web: www.multinet.de

Registered office: 85630 Grasbrunn
Court of registration: Amtsgericht München HRB 114375
Managing directors: Günter Jurgeneit, Hubert Martens

---

PGP Fingerprint: F919 3919 FF12 ED5A 2801 DEA6 AA77 57A4 EDD8 979B
Skype: misch42
