Setting VLAN based on ldap attribute id

2013-06-20 Thread Thomas Hermarij Maimann Andersen
Hi,

I've been reading the mailing list for a few days and tried to see if there are 
any posts resembling mine. There are a few almost, but nothing that has got me 
that final step.

Currently I have a radius server authenticating with ntlm to an AD.
What I want now is to assign a VLAN to the user based on ExtensionAttribute1, 
which is set to a numeric value which represents the VLAN id. E.g. 1001

I am currently messing with sites-enabled/default in the post-auth section 
where I try to set Tunnel-Private-Group-Id to the number they have in their 
attribute, but I have no clue on how to link that.

Please help.



--
Med venlig hilsen / With best regards
Thomas Andersen

Systems and Network Administrator

IT University in Copenhagen
Rued Langgaards Vej 7
2300 København S

Phone: +45 72185249



**NEVER DISCLOSE YOUR PASSWORD OR SHOE SIZE - NOT EVEN TO YOUR DENTIST**

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Setting VLAN based on ldap attribute id

2013-06-20 Thread Arran Cudbard-Bell

On 20 Jun 2013, at 13:25, Thomas Hermarij Maimann Andersen t...@itu.dk wrote:

 Hi,
 
 I've been reading the mailing list for a few days and tried to see if there 
 are any posts resembling mine. There are a few almost, but nothing that has 
 got me that final step.
 
 Currently I have a radius server authenticating with ntlm to an AD.
 What I want now is to assign a VLAN to the user based on 
 ExtensionAttribute1, which is set to a numeric value which represents the 
 VLAN id. E.g. 1001
 
 I am currently messing with sites-enabled/default in the post-auth section 
 where I try to set Tunnel-Private-Group-Id to the number they have in their 
 attribute, but I have no clue on how to link that.

Use git HEAD:

https://github.com/FreeRADIUS/freeradius-server/blob/master/raddb/mods-available/ldap#L55

There's an example of setting the VLAN in the default configuration.

In post-auth you can add something like

if (reply:Tunnel-Private-Group-ID) {
    update reply {
        Tunnel-Type := VLAN
        Tunnel-Medium-Type := IEEE-802
    }
}

Or in v2 you can use the attrmap file (and the above). Or the above and LDAP 
xlat.

-Arran

Arran Cudbard-Bell a.cudba...@freeradius.org
FreeRADIUS Development Team

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
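To make the two steps in Arran's reply concrete, here is an added example, written for this page (it is not FreeRADIUS configuration and not the project's code), that models the same decision in Python: the module-level mapping copies the directory attribute into reply:Tunnel-Private-Group-Id, and the post-auth step adds Tunnel-Type and Tunnel-Medium-Type only when that copy actually happened. The attribute name extensionAttribute1, the sample entries and the range check on the VLAN id (1 to 4094) are assumptions added here, not something the thread specifies.

```python
"""Constructed model of the two-step VLAN assignment discussed above:
(1) the ldap module copies extensionAttribute1 into reply:Tunnel-Private-Group-Id,
(2) post-auth adds Tunnel-Type and Tunnel-Medium-Type only if step 1 produced a value.
Example code written for this page, not FreeRADIUS configuration or project code;
the attribute name and the VLAN-id range check are assumptions."""

from typing import Dict, List, Union

# Values of the RFC 2868 enumerations that the unlang snippet names symbolically
# (Tunnel-Type = VLAN, Tunnel-Medium-Type = IEEE-802).
TUNNEL_TYPE_VLAN = 13
TUNNEL_MEDIUM_TYPE_IEEE_802 = 6

# Usable 802.1Q VLAN ids; 0 and 4095 are reserved.
VLAN_MIN, VLAN_MAX = 1, 4094

# Assumed name of the directory attribute holding the VLAN id (as in the question).
LDAP_VLAN_ATTR = "extensionAttribute1"

LdapEntry = Dict[str, List[str]]
Reply = Dict[str, Union[str, int]]


def ldap_module(entry: LdapEntry) -> Reply:
    """Step 1: the module-level mapping. Only a single, well-formed, in-range
    value is copied; anything else leaves the reply untouched so the switch
    falls back to its own default-VLAN policy instead of receiving garbage."""
    reply: Reply = {}
    values = entry.get(LDAP_VLAN_ATTR, [])
    if len(values) != 1:              # absent or multi-valued: do not guess
        return reply
    raw = values[0].strip()
    if raw.isdigit() and VLAN_MIN <= int(raw) <= VLAN_MAX:
        reply["Tunnel-Private-Group-Id"] = str(int(raw))
    return reply


def post_auth(reply: Reply) -> Reply:
    """Step 2: the post-auth block from the reply above. Tunnel-Type and
    Tunnel-Medium-Type are meaningless without a group id, so they are added
    only when step 1 populated one."""
    if "Tunnel-Private-Group-Id" in reply:
        reply["Tunnel-Type"] = TUNNEL_TYPE_VLAN
        reply["Tunnel-Medium-Type"] = TUNNEL_MEDIUM_TYPE_IEEE_802
    return reply


def vlan_reply(entry: LdapEntry) -> Reply:
    """Run both steps for one directory entry and return the reply attributes."""
    return post_auth(ldap_module(entry))


if __name__ == "__main__":
    # Constructed directory entries: a normal user, one with no VLAN set,
    # one with an out-of-range value and one with two values.
    samples = {
        "alice": {LDAP_VLAN_ATTR: ["1001"]},
        "bob": {},
        "carol": {LDAP_VLAN_ATTR: ["70000"]},
        "dave": {LDAP_VLAN_ATTR: ["10", "20"]},
    }
    for user, entry in samples.items():
        print(f"{user}: {vlan_reply(entry)}")
```

The range check is the caveat a practitioner wants on top of the thread's snippet: an empty, multi-valued or out-of-range directory value is dropped rather than forwarded, so the switch applies its own default instead of receiving an unusable Tunnel-Private-Group-Id with Tunnel-Type attached.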


Re: LDAP attribute mapping

2012-10-31 Thread Alan DeKok
Phil Mayers wrote:
 +1
 
 Personally I'd rather the latter format everywhere, even unlang:
 
 update {
   request:foo = 1
 }

  Yeah.  That shouldn't be hard.  Maybe I can look at it in 2 weeks,
after IETF.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: LDAP attribute mapping

2012-10-31 Thread Arran Cudbard-Bell
 
 or...
 
 update [default list] {
  ...
 }
 
 update reply {
  config:Auth-Type = Reject
  Reply-Message = "Go away"
 }

That one gets my vote.

update {

}

defaults to request.

-Arran
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


LDAP attribute mapping

2012-10-30 Thread Arran Cudbard-Bell
Quick poll.

For 3.0 the ldap module will be moving away from using the ldap.attrmap file 
and instead use a config based mapping.

There are a few ways we are considering for organising the mapping.

We can use something like the existing unlang:

update control {
    Cleartext-Password := userpassword
}

update reply {
    User-Name = radiusUserName
}

update outer.reply {
    Reply-Message = radiusReplyMessage
}

Or something like rlm_rest and rlm_cache:

update {
    control:Cleartext-Password := userpassword
    reply:User-Name = radiusUserName
    reply.outer:User-Name = radiusUserName
}

It really depends on whether people are actually using the full ldap.attrmap, 
or whether they're just pulling out one or two attributes. Each approach is as 
efficient as the other performance wise, so it comes down to which one people 
prefer.

Any thoughts?

-Arran






-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: LDAP attribute mapping

2012-10-30 Thread Bruce Nunn
I pull out only the attributes I need and change ldap.attrmap to match my 
schema. Personally, I can live with either config method.

Arran Cudbard-Bell a.cudba...@freeradius.org wrote:

Quick poll.

For 3.0 the ldap module will be moving away from using the ldap.attrmap file 
and instead use a config based mapping.

There are a few ways we are considering for organising the mapping.

We can use something like the existing unlang:

update control {
   Cleartext-Password := userpassword
}

update reply {
   User-Name = radiusUserName
}

update outer.reply {
   Reply-Message = radiusReplyMessage
}

Or something like rlm_rest  and rlm_cache:

update {
   control:Cleartext-Password := userpassword
   reply:User-Name = radiusUserName
   reply.outer:User-Name = radiusUserName
}

It really depends on whether people are actually using the full ldap.attrmap, 
or whether they're just pulling out one or two attributes. Each approach is as 
efficient as the other performance wise, so it comes down to which one people 
prefer.

Any thoughts?

-Arran






-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: LDAP attribute mapping

2012-10-30 Thread John Dennis

On 10/30/2012 06:38 AM, Arran Cudbard-Bell wrote:

Quick poll.

For 3.0 the ldap module will be moving away from using the
ldap.attrmap file and instead use a config based mapping.

There are a few ways we are considering for organising the mapping.

We can use something like the existing unlang:

Or something like rlm_rest  and rlm_cache:

It really depends on whether people are actually using the full
ldap.attrmap, or whether they're just pulling out one or two
attributes. Each approach is as efficient as the other performance
wise, so it comes down to which one people prefer.

Any thoughts?


What I'd like to see is the individual modules converging on common 
behavior so there is a consistent model.


I suspect a number of the modules were written independently and 
contributed, their diverse heritage makes for some awkwardness when 
viewing the totality of FreeRADIUS.


If rlm_rest and rlm_cache have attribute models that are elegant and 
well thought out then let's move everything to that model. On the other 
hand if unlang is conceptually cleaner then let's move rlm_rest and 
rlm_cache to an unlang solution. Pick one idea and make everything follow 
those rules. Consistency is a virtue and should be a goal of 3.0 IMHO, 
it will make using FreeRADIUS easier. A major version upgrade is one of 
the very few opportunities available to clean up.



--
John Dennis jden...@redhat.com

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: LDAP attribute mapping

2012-10-30 Thread Arran Cudbard-Bell

On 30 Oct 2012, at 13:00, John Dennis jden...@redhat.com wrote:

 On 10/30/2012 06:38 AM, Arran Cudbard-Bell wrote:
 Quick poll.
 
 For 3.0 the ldap module will be moving away from using the
 ldap.attrmap file and instead use a config based mapping.
 
 There are a few ways we are considering for organising the mapping.
 
 We can use something like the existing unlang:
 
 Or something like rlm_rest  and rlm_cache:
 
 It really depends on whether people are actually using the full
 ldap.attrmap, or whether they're just pulling out one or two
 attributes. Each approach is as efficient as the other performance
 wise, so it comes down to which one people prefer.
 
 Any thoughts?
 
 What I'd like to see is the individual modules converging on common behavior 
 so there is a consistent model.

This is what's happening. We now have a common API for connections which means 
that managing connection pools is done in a consistent and easy to understand 
way.

TLS configuration is also being standardised as much as possible, though there 
will probably be some minor differences where libraries only expose a subset of 
OpenSSL configuration parameters.

 I suspect a number of the modules were written independently and contributed, 
 their diverse heritage makes for some awkwardness when viewing the totality 
 of FreeRADIUS.

Yes.

 If rlm_rest and rlm_cache have attribute models that are elegant and well 
 thought out then let's move everything to that model. On the other hand if 
 unlang is conceptually cleaner then let's move rlm_rest and rlm_cache to an 
 unlang solution. Pick one idea and make everything follow those rules.

With 2.0 there was an effort to maintain configuration compatibility, which 
limited standardisation efforts. Maintaining config compatibility with 3.0 we 
don't have that constraint.

That said, discuss whether using exactly the same syntax is useful. People may 
get more confused and try to use other unlang statements within module configs.

 Consistency is a virtue and should be a goal of 3.0 IMHO, it will make using 
 FreeRADIUS easier. A major version upgrade is one of the very few 
 opportunities available to clean up.

Yes.

-Arran
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: LDAP attribute mapping

2012-10-30 Thread Arran Cudbard-Bell
 
 If rlm_rest and rlm_cache have attribute models that are elegant and well 
 thought out then let's move everything to that model. On the other hand if 
 unlang is conceptually cleaner then let's move rlm_rest and rlm_cache to an 
 unlang solution. Pick one idea and make everything follow those rules.
 
 With 2.0 there was an effort to maintain configuration compatibility, which 
 limited standardisation efforts. Maintaining config compatibility with 3.0 we 
 don't have that constraint.

* We're not maintaining config compatibility with 3.0, so we don't have that 
constraint.

Just talking with Alan, apparently whole subsections can be referenced. This is 
especially useful for things like TLS, where you're using the same certs in 
multiple places, and you can define a global TLS section and then reference it 
from the various module configuration.

-Arran
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: LDAP attribute mapping

2012-10-30 Thread Phil Mayers
+1

Personally I'd rather the latter format everywhere, even unlang:

update {
  request:foo = 1
}

John Dennis jden...@redhat.com wrote:



What I'd like to see is the individual modules converging on common 
behavior so there is a consistent model.

I suspect a number of the modules were written independently and 
contributed, their diverse heritage makes for some awkwardness when 
viewing the totality of FreeRADIUS.

If rlm_rest and rlm_cache have attribute models that are elegant and 
well thought out then let's move everything to that model. On the other

hand if unlang is conceptually cleaner then let's move rlm_rest and 
rlm_cache to an unlang solution. Pick one idea and make everything follow

those rules. Consistency is a virtue and should be a goal of 3.0 IMHO, 
it will make using FreeRADIUS easier. A major version upgrade is one of

the very few opportunities available to clean up.

-- 
Sent from my mobile device, please excuse brevity and typos.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: LDAP attribute mapping

2012-10-30 Thread Matthew Newton
On Tue, Oct 30, 2012 at 07:02:02PM +, Phil Mayers wrote:
 +1
 
 Personally I'd rather the latter format everywhere, even unlang:
 
 update {
   request:foo = 1
 }

Agreed - having that option would make things much tidier when
several things in different lists are being updated at once.

update {
  config:Auth-Type = Reject
  reply:Reply-Message = "Go away"
}

On the other hand, the current form is nicer when updating a few
attributes all in one list, so maybe both...? :)

or...

update [default list] {
  ...
}

update reply {
  config:Auth-Type = Reject
  Reply-Message = "Go away"
}

Matthew


-- 
Matthew Newton, Ph.D. m...@le.ac.uk

Systems Architect (UNIX and Networks), Network Services,
I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom

For IT help contact helpdesk extn. 2253, ith...@le.ac.uk
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: authorization based on ldap attribute

2012-09-20 Thread Stefano Zanmarchi
Thank you very much Phil!
exactly what I needed, very well explained.
I just did it the other way round:

if (reply:Eduroam-Enabled == N) {
  reject
}

and it's working fine.
Have a nice day,
Stefano
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: authorization based on ldap attribute

2012-09-20 Thread Phil Mayers

On 20/09/12 13:35, Gregg Douglas wrote:


  With this reject command in the authorize section is there a method to
supply a custom reply message?


Sure.

if (...) {
  update reply {
    Reply-Message = "whatever you want"
  }
  reject
}

This is pretty basic use. I think people should be able to find this in 
the docs - do you have any suggestions where we should put (more) pointers?




An observation I made with the if statement as above, if the attribute
is not present on the user object it will evaluate false, thus allowing
the user access.


Again, sure. You can invert the sense of the check in whatever fashion 
suits you, as the OP did. You can also skip absence of the attribute e.g.


if (reply:Eduroam-Enabled !* ANY) {
  # attr absent, permit
  noop
}
elsif (reply:Eduroam-Enabled == N) {
  # definitely not permitted
  reject
}


...and so on.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: authorization based on ldap attribute

2012-09-20 Thread Stefano Zanmarchi
Thanks again, you pointed out a very important issue.
I'll definitely apply one of the two suggested methods to check if
the attribute is present before allowing a user access.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


authorization based on ldap attribute

2012-09-19 Thread Stefano Zanmarchi
Hallo,
I've configured freeradius to authenticate users with PEAP, using
openldap to store NTLM hashes. It works fine.
Now I'd like to authorize only people who have the ldap attribute
haDirittoEduroam set to Y
(or the other way round: not to authorize users with
haDirittoEduroam set to N).
Below an example openldap entry.
Is there an easy way to achieve this?

 dn: uid=uto.u...@myorg.it,dc=myorg,dc=it
 objectClass: sambaSamAccount
 objectClass: inetOrgPerson
 objectClass: person
 objectClass: dirittoEduroam
 cn: Uto
 sn: Ughi
 uid: uto.u...@myorg.it
 haDirittoEduroam: N
 sambaSID: 121212
 userPassword: {SSHA}EnK9jqiVGSPNi6EQwpqdpjThBJHtZ1fi
 sambaNTPassword: 2B466E3D3FB6AA4BF8AAAFEF8F59F6F3
 sambaLMPassword: E52CAC67419A9A224300941ECC02054C

thanks a lot for your help,
Stefano
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: authorization based on ldap attribute

2012-09-19 Thread Phil Mayers

On 19/09/12 17:03, Stefano Zanmarchi wrote:

Hallo,
I've configured freeradius to authenticate users with PEAP, using
openldap to store NTLM hashes. It works fine.
Now I'd like to authorize only people who have the ldap attribute
haDirittoEduroam set to Y
(or the other way round: not to authorize users with
haDirittoEduroam set to N).
Below an example openldap entry.
Is there an easy way to achieve this?


1. Edit raddb/dictionary to define a local attribute to store the data

ATTRIBUTE   Eduroam-Enabled   3010   string

2. Modify ldap.attrmap to copy your LDAP attribute into this local 
RADIUS attribute:


replyItem   Eduroam-Enabled haDirittoEduroam

3. Check the attribute like so in sites-enabled/inner-tunnel:

authorize {
 ...
 ldap
 if (reply:Eduroam-Enabled != Y) {
   reject
 }
 ...
}

There are probably other ways to do it, including using an xlat to 
look up the attribute (i.e. a variation of step 2), or modifying the ldap 
queries to only see those users.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
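Both Phil's three-step answer here (the `!= Y` check in step 3) and his reply earlier on this page about absent attributes turn on one question: what each check does when the ldap module never populated reply:Eduroam-Enabled. The following added example, written for this page (it is not unlang and not FreeRADIUS code), tabulates the checks from the thread plus one assumed fail-closed variant over constructed directory results. It encodes the behaviour the thread reports for this server version: a comparison against a missing reply attribute evaluates to FALSE whatever the operator ("Attribute ... was not found" in the debug output), and `!* ANY` is true exactly when the attribute is absent. The attribute name comes from step 1; the entries and the last policy are assumptions.

```python
"""Decision table for the authorize-section checks discussed in this thread,
run over constructed directory results. Example code written for this page,
not FreeRADIUS unlang or project code. Comparison rule modelled here, as the
thread reports it: a missing reply attribute makes == and != both FALSE,
while `!* ANY` is true exactly when the attribute is absent."""

from typing import Callable, Dict, List

ATTR = "Eduroam-Enabled"          # local attribute from Phil's step 1
ACCEPT, REJECT = "accept", "reject"

Reply = Dict[str, List[str]]


def compare(reply: Reply, name: str, op: str, value: str) -> bool:
    """`reply:Name == value` / `reply:Name != value` on the first instance of
    the attribute; a missing attribute makes either comparison FALSE."""
    values = reply.get(name)
    if not values:
        return False
    first = values[0]
    if op == "==":
        return first == value
    if op == "!=":
        return first != value
    raise ValueError(f"unsupported operator {op!r}")


def absent(reply: Reply, name: str) -> bool:
    """`reply:Name !* ANY`: true when no instance of the attribute exists."""
    return not reply.get(name)


def ne_y(reply: Reply) -> str:
    # if (reply:Eduroam-Enabled != Y) { reject }          (step 3 above)
    return REJECT if compare(reply, ATTR, "!=", "Y") else ACCEPT


def eq_n(reply: Reply) -> str:
    # if (reply:Eduroam-Enabled == N) { reject }          (the inverted form)
    return REJECT if compare(reply, ATTR, "==", "N") else ACCEPT


def absent_permit(reply: Reply) -> str:
    # if (reply:Eduroam-Enabled !* ANY) { noop }
    # elsif (reply:Eduroam-Enabled == N) { reject }       (Phil's explicit form)
    if absent(reply, ATTR):
        return ACCEPT
    if compare(reply, ATTR, "==", "N"):
        return REJECT
    return ACCEPT


def absent_reject(reply: Reply) -> str:
    # Assumed variant, same shape, absence treated as deny:
    # if (reply:Eduroam-Enabled !* ANY) { reject }
    # elsif (reply:Eduroam-Enabled != Y) { reject }
    if absent(reply, ATTR):
        return REJECT
    if compare(reply, ATTR, "!=", "Y"):
        return REJECT
    return ACCEPT


POLICIES: Dict[str, Callable[[Reply], str]] = {
    "!= Y": ne_y,
    "== N": eq_n,
    "!* ANY -> noop": absent_permit,
    "!* ANY -> reject": absent_reject,
}

# Constructed results of the ldap module's reply mapping for three users.
CASES: Dict[str, Reply] = {
    "Y": {ATTR: ["Y"]},
    "N": {ATTR: ["N"]},
    "absent": {},
}


def decision_table() -> Dict[str, Dict[str, str]]:
    """policy name -> (case name -> decision)."""
    return {name: {case: fn(reply) for case, reply in CASES.items()}
            for name, fn in POLICIES.items()}


if __name__ == "__main__":
    for name, row in decision_table().items():
        print(f"{name:18} " + "  ".join(f"{case}={d}" for case, d in row.items()))
```

Run it and the table shows that `!= Y` and `== N` both accept the user whose entry lacks the attribute, which is the observation Gregg made in the other thread; only the form that names the absent case explicitly lets you choose, and the last row is the fail-closed choice.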


ldap attribute

2012-07-11 Thread sandm...@uni-greifswald.de
Hello,

I want to get a different attribute from LDAP, something like cn.
Is this possible, and where must it be set?

Kind regards

David Sandmann

***
IT Specialist for Systems Integration
Ernst-Moritz-Arndt-Universität
Computing Centre
Felix-Hausdorff-Straße 12
17489 Greifswald
www.rz.uni-greifswald.de

+49 3834 86 1424
+49 3834 86791424
sandm...@uni-greifswald.de
***




-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Reject users based on LDAP attribute

2012-05-17 Thread Phil Mayers

On 05/17/2012 06:54 AM, C.F. Yeung wrote:

We have 802.1x authentication via AD. It's okay. Now, we would like to
reject users based on LDAP attribute, WLANStatus. Added attribute in
dictionary and ldap.attrmap as follow. Where should I put the unlang?

/etc/raddb/dictionary
ATTRIBUTE My-Local-wlanStatus 3000 string

/etc/raddb/ldap.attrmap
replyItem My-Local-wlanStatus WLANStatus



It's a REPLY item, so this should be:

if (reply:My-Local-wlanStatus == A1) {
  ...
}
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Reject users based on LDAP attribute

2012-05-17 Thread C.F. Yeung
Thanks, it's working.

On Thu, May 17, 2012 at 3:22 PM, Phil Mayers p.may...@imperial.ac.uk wrote:

 On 05/17/2012 06:54 AM, C.F. Yeung wrote:

 We have 802.1x authentication via AD. It's okay. Now, we would like to
 reject users based on LDAP attribute, WLANStatus. Added attribute in
 dictionary and ldap.attrmap as follow. Where should I put the unlang?

 /etc/raddb/dictionary
 ATTRIBUTE My-Local-wlanStatus 3000 string

 /etc/raddb/ldap.attrmap
 replyItem My-Local-wlanStatus WLANStatus


 It's a REPLY item, so this should be:

 if (reply:My-Local-wlanStatus == A1) {
  ...
 }
 -
 List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Reject users based on LDAP attribute

2012-05-17 Thread Luo, Frank Y.F. Mr.
I have a similar situation

$ sudo grep Profile dictionary
ATTRIBUTE Profile 3000 string

$ sudo grep Profile ldap.attrmap
replyItem Profile VPN


$ more default
.
post-auth {
    if (Profile == g1) {
        update reply {
            class = "ou=g1;"
        }
    }
}

But in the log

# Executing section post-auth from file 
/opt/freeradius/etc/raddb/sites-enabled/default
+- entering group post-auth {...}
++? if (Profile == g1)
(Attribute Profile was not found)
? Evaluating (Profile == g1) - FALSE
++? if (Profile == g1) - FALSE


I also tried

If (reply:Profile == g1)

Any idea?

Thanks

Frank




On May 17, 2012, at 3:58 AM, C.F. Yeung wrote:

Thanks, it's working.

On Thu, May 17, 2012 at 3:22 PM, Phil Mayers p.may...@imperial.ac.uk wrote:
On 05/17/2012 06:54 AM, C.F. Yeung wrote:
We have 802.1x authentication via AD. It's okay. Now, we would like to
reject users based on LDAP attribute, WLANStatus. Added attribute in
dictionary and ldap.attrmap as follow. Where should I put the unlang?

/etc/raddb/dictionary
ATTRIBUTE My-Local-wlanStatus 3000 string

/etc/raddb/ldap.attrmap
replyItem My-Local-wlanStatus WLANStatus


It's a REPLY item, so this should be:

if (reply:My-Local-wlanStatus == A1) {
 ...
}
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Reject users based on LDAP attribute

2012-05-17 Thread Phil Mayers

On 17/05/12 14:56, Luo, Frank Y.F. Mr. wrote:


post-auth {
if (Profile == g1) {


This is wrong.


I also tried

If (reply:Profile == g1)


This should work.



Any idea?


Post a full debug with radiusd -X. Maybe in a new thread.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Reject users based on LDAP attribute

2012-05-17 Thread Luo, Frank Y.F. Mr.
Thanks for the reply. Here is the output of radiusd -X. It seems that the ldap 
module did not query for the VPN attribute after the successful authentication.

Copyright (C) 1999-2009 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License v2.
Starting - reading configuration files ...
including configuration file /opt/freeradius/etc/raddb/radiusd.conf
including configuration file /opt/freeradius/etc/raddb/proxy.conf
including configuration file /opt/freeradius/etc/raddb/clients.conf
including files in directory /opt/freeradius/etc/raddb/modules/
including configuration file /opt/freeradius/etc/raddb/modules/ippool
including configuration file /opt/freeradius/etc/raddb/modules/policy
including configuration file /opt/freeradius/etc/raddb/modules/counter
including configuration file /opt/freeradius/etc/raddb/modules/passwd
including configuration file /opt/freeradius/etc/raddb/modules/inner-eap
including configuration file /opt/freeradius/etc/raddb/modules/attr_rewrite
including configuration file /opt/freeradius/etc/raddb/modules/dynamic_clients
including configuration file /opt/freeradius/etc/raddb/modules/expiration
including configuration file /opt/freeradius/etc/raddb/modules/mac2ip
including configuration file /opt/freeradius/etc/raddb/modules/digest
including configuration file /opt/freeradius/etc/raddb/modules/pam
including configuration file /opt/freeradius/etc/raddb/modules/expr
including configuration file /opt/freeradius/etc/raddb/modules/realm
including configuration file /opt/freeradius/etc/raddb/modules/attr_filter
including configuration file /opt/freeradius/etc/raddb/modules/acct_unique
including configuration file /opt/freeradius/etc/raddb/modules/detail.log
including configuration file /opt/freeradius/etc/raddb/modules/radutmp
including configuration file /opt/freeradius/etc/raddb/modules/smsotp
including configuration file /opt/freeradius/etc/raddb/modules/sql_log
including configuration file /opt/freeradius/etc/raddb/modules/sradutmp
including configuration file /opt/freeradius/etc/raddb/modules/otp
including configuration file /opt/freeradius/etc/raddb/modules/echo
including configuration file /opt/freeradius/etc/raddb/modules/detail
including configuration file /opt/freeradius/etc/raddb/modules/unix
including configuration file /opt/freeradius/etc/raddb/modules/ntlm_auth
including configuration file 
/opt/freeradius/etc/raddb/modules/detail.example.com
including configuration file /opt/freeradius/etc/raddb/modules/preprocess
including configuration file /opt/freeradius/etc/raddb/modules/perl
including configuration file /opt/freeradius/etc/raddb/modules/opendirectory
including configuration file /opt/freeradius/etc/raddb/modules/chap
including configuration file /opt/freeradius/etc/raddb/modules/pap
including configuration file /opt/freeradius/etc/raddb/modules/smbpasswd
including configuration file /opt/freeradius/etc/raddb/modules/logintime
including configuration file /opt/freeradius/etc/raddb/modules/ldap
including configuration file /opt/freeradius/etc/raddb/modules/exec
including configuration file /opt/freeradius/etc/raddb/modules/etc_group
including configuration file /opt/freeradius/etc/raddb/modules/mschap
including configuration file 
/opt/freeradius/etc/raddb/modules/sqlcounter_expire_on_login
including configuration file /opt/freeradius/etc/raddb/modules/linelog
including configuration file /opt/freeradius/etc/raddb/modules/files
including configuration file /opt/freeradius/etc/raddb/modules/always
including configuration file /opt/freeradius/etc/raddb/modules/krb5
including configuration file /opt/freeradius/etc/raddb/modules/checkval
including configuration file /opt/freeradius/etc/raddb/modules/mac2vlan
including configuration file /opt/freeradius/etc/raddb/modules/wimax
including configuration file /opt/freeradius/etc/raddb/modules/cui
including configuration file /opt/freeradius/etc/raddb/eap.conf
including configuration file /opt/freeradius/etc/raddb/policy.conf
including files in directory /opt/freeradius/etc/raddb/sites-enabled/
including configuration file /opt/freeradius/etc/raddb/sites-enabled/default
including configuration file 
/opt/freeradius/etc/raddb/sites-enabled/inner-tunnel
including configuration file /opt/freeradius/etc/raddb/sites-enabled/status
including configuration file 
/opt/freeradius/etc/raddb/sites-enabled/control-socket
main {
user = radius
group = radius
allow_core_dumps = no
}
including dictionary file /opt/freeradius/etc/raddb/dictionary
main {
prefix = /opt/freeradius
localstatedir = /opt/freeradius/var
logdir = /var/log
libdir = /opt/freeradius/lib
radacctdir = /var/log/radacct
hostname_lookups = no
max_request_time = 30
cleanup_delay = 5
max_requests = 1024
pidfile = 

Re: Reject users based on LDAP attribute

2012-05-17 Thread Phil Mayers

On 17/05/12 16:07, Luo, Frank Y.F. Mr. wrote:

Thanks for the reply. Here is the output of radiusd -X. It seems that
the ldap module did not query for the VPN attribute after the successful
authentication.


Correct. Check the data is present in your LDAP directory, and that it 
is visible to the bind DN you are using in FreeRADIUS.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Reject users based on LDAP attribute

2012-05-16 Thread C.F. Yeung
We have 802.1x authentication via AD. It's okay. Now, we would like to
reject users based on LDAP attribute, WLANStatus. Added attribute in
dictionary and ldap.attrmap as follow. Where should I put the unlang?

/etc/raddb/dictionary
ATTRIBUTE   My-Local-wlanStatus   3000   string

/etc/raddb/ldap.attrmap
replyItem   My-Local-wlanStatus WLANStatus

/etc/raddb/sites-available/default
authorize {
    ...
    ldap
    if (My-Local-wlanStatus == A1) {
        reject
    }
    ...
}

rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in ou=student,o=example.com, with filter
(uid=testuser)
[ldap] looking for check items in directory...
[ldap] looking for reply items in directory...
rlm_ldap: WLANStatus - My-Local-wlanStatus = A1
WARNING: No known good password was found in LDAP.  Are you sure that the
user is configured correctly?
[ldap] user testuser authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap] returns ok
++? if (My-Local-wlanStatus == A1)
(Attribute My-Local-wlanStatus was not found)
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Ldap attribute in pre-proxy possible?

2012-05-14 Thread Phil Mayers

On 11/05/12 20:25, Mike wrote:

Phil,


I meant to say proxy-request, not proxy-reply.


Ah, ok.



Secondly, why would you need a log file to show an attribute
expanding to nothing? I just told you it is expanding to nothing aka
it has no assigned value once reaching the pre-proxy stage.


Because I think you're probably doing something wrong, and the debug 
will show me (and others) straight away what it is. The alternative is 
for me to make wild guesses, or spend a lot of time thinking about it. 
Guess which one I prefer?

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Ldap attribute in pre-proxy possible?

2012-05-11 Thread Mike
Hello,

Is it possible to store and access an ldap attribute in pre-proxy? 
1. Attribute defined in dictionary
2. Attribute mapped in ldap.attrmap
3. Trying to access using:

pre-proxy {
    if ("%{reply:attributename}" == "cookies") {
        update proxy-reply {
            Whatever = "cookies"
        }
    }
}

The problem is the attribute is expanding to nothing. This does work in the 
auth section, but I need to update the proxy msg. What am I doing wrong?


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Ldap attribute in pre-proxy possible?

2012-05-11 Thread Phil Mayers

On 11/05/12 16:39, Mike wrote:

Hello,

Is it possible to store and access an ldap attribute in pre-proxy?
1. Attribute defined in dictionary
2. Attribute mapped in ldap.attrmap
3. Trying to access using:

pre-proxy {
    if ("%{reply:attributename}" == "cookies") {
        update proxy-reply {
            Whatever = "cookies"
        }
    }
}


You can't update the proxy-reply in pre-proxy; there is no proxy-reply 
at this stage.




The problem is the attribute is expanding to nothing. This does work
in the auth section, but I need to update the proxy msg. What am I
doing wrong?


We don't know, because we're not psychic and you didn't include a debug 
of it failing.


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re:re: Re: Ldap attribute in pre-proxy possible?

2012-05-11 Thread Mike
  Phil,

I meant to say proxy-request, not proxy-reply.

Secondly, why would you need a log file to show an attribute expanding to 
nothing? I just told you it is expanding to nothing aka it has no assigned 
value once reaching the pre-proxy stage.



 Message: 3
 Date: Fri, 11 May 2012 18:07:40 +0100
 From: Phil Mayers p.may...@imperial.ac.uk
 To: freeradius-users@lists.freeradius.org
 Subject: Re: Ldap attribute in pre-proxy possible?
 Message-ID: 4fad475c.7090...@imperial.ac.uk
 Content-Type: text/plain; charset=ISO-8859-1; format=flowed
 
 On 11/05/12 16:39, Mike wrote:
 Hello,
 
 Is it possible to store and access an ldap attribute in pre-proxy?
 1. Attribute defined in dictionary
 2. Attribute mapped in ldap.attrmap
 3. Trying to access using:
 
 pre-proxy {
     if ("%{reply:attributename}" == "cookies") {
         update proxy-reply {
             Whatever = "cookies"
         }
     }
 }
 
 You can't update the proxy-reply in pre-proxy; there is no proxy-reply 
 at this stage.
 
 
 The problem is the attribute is expanding to nothing. This does work
 in the auth section, but I need to update the proxy msg. What am I
 doing wrong?
 
 We don't know, because we're not psychic and you didn't include a debug 
 of it failing.
 
 
 
 --
 
 Message: 4
 Date: Fri, 11 May 2012 13:42:29 -0400
 From: Luo, Frank Y.F. Mr. l...@muohio.edu
 To: freeradius-users@lists.freeradius.org
freeradius-users@lists.freeradius.org
 Subject: max_request
 Message-ID: 200cb918-2061-4829-a888-8901a235e...@muohio.edu
 Content-Type: text/plain; charset=us-ascii
 
 So there is this setting max_request that the server keeps track of. The 
 question is how I can find the current active request that the server keeps 
 track of. 
 
 My experience is the server silently drops the connection if max_request is 
 reached. So I want to find out more info about the current status of the 
 server.
 
 Thanks
 
 Frank
 
 
 
 --
 
 Message: 5
 Date: Fri, 11 May 2012 20:25:06 +0200
 From: Alan DeKok al...@deployingradius.com
 To: FreeRadius users mailing list
freeradius-users@lists.freeradius.org
 Subject: Re: max_request
 Message-ID: 4fad5982.1080...@deployingradius.com
 Content-Type: text/plain; charset=ISO-8859-1
 
 Luo, Frank Y.F. Mr. wrote:
 So there is this setting max_request that the server keeps track of. The 
 question is how I can find the current active request that the server keeps 
 track of. 
 
 My experience is the server silently drops the connection if max_request is 
 reached. So I want to find out more info about the current status of the 
 server.
 
  In 2.1.12, there's no way to see that number in a live server.
 
  Alan DeKok.
 
 
 --
 
 Message: 6
 Date: Fri, 11 May 2012 14:31:09 -0400
 From: Luo, Frank Y.F. Mr. l...@muohio.edu
 To: FreeRadius users mailing list
freeradius-users@lists.freeradius.org
 Subject: Re: max_request
 Message-ID: 0c11c863-c520-491d-ad91-320b65e54...@muohio.edu
 Content-Type: text/plain; charset=us-ascii
 
 Are you sure? 
 
 Then how do I know I have run out of request numbers and need to increase it?
 
 Thanks
 
 Frank
 On May 11, 2012, at 2:25 PM, Alan DeKok wrote:
 
 Luo, Frank Y.F. Mr. wrote:
 So there is this setting max_request that the server keeps track of. The 
 question is how I can find the current active requests that the server keeps 
 track of. 
 
 My experience is the server silently drops the connection if max_request is 
 reached. So I want to find out more info about the current status of the 
 server.
 
 In 2.1.12, there's no way to see that number in a live server.
 
 Alan DeKok.
 -
 List info/subscribe/unsubscribe? See 
 http://www.freeradius.org/list/users.html
 
 
 
 --
 
 Message: 7
 Date: Fri, 11 May 2012 20:39:03 +0200
 From: Alan DeKok al...@deployingradius.com
 To: FreeRadius users mailing list
freeradius-users@lists.freeradius.org
 Subject: Re: max_request
 Message-ID: 4fad5cc7.1090...@deployingradius.com
 Content-Type: text/plain; charset=ISO-8859-1
 
 Luo, Frank Y.F. Mr. wrote:
 Are you sure? 
 
 Then how do I know I have run out of request numbers and need to increase it?
 
  You read the logs.
 
  You CANNOT increase it while the server is running.
 
  The best approach is to set it to a large value, and ignore it.  If
 you get errors in the logs about max_requests, it means that something
 is catastrophically wrong.  Increasing max_requests WILL NOT HELP.
 
  You will need to fix the underlying problem: usually a slow / broken
 database.
 
  Alan DeKok.
 
 
 --
 
 Message: 8
 Date: Fri, 11 May 2012 14:45:29 -0400
 From: Luo, Frank Y.F. Mr. l...@muohio.edu
 To: FreeRadius users mailing list
freeradius-users@lists.freeradius.org
 Subject: Re: max_request
 Message-ID: a6e5f923-8012-468f-8e93-5ca954b97...@muohio.edu
 Content-Type: text/plain; charset=us-ascii
 
I will read the logs - but what do I look for in the log?

I already set it to a large value and don't expect problems

Re: re: Re: Ldap attribute in pre-proxy possible?

2012-05-11 Thread alan buxey
Hi,

 Secondly, why would you need a log file to show an attribute expanding to 
 nothing? I just told you it is expanding to nothing aka it has no assigned 
 value once reaching the pre-proxy stage.

as per the mailing list information, no radiusd -X, no help

alan


Re: Multi-valued LDAP attribute

2012-05-02 Thread Adam Track
 In a continuation to my previous issue about how to reference an LDAP

 attribute in post-auth, I am now wondering how to iterate through a
 multi-valued attribute in a perl script I call from post-auth.  In the
 debug you can see all three values are returned:

  Multi-value attributes are an array in Perl.

 I'm no perl expert, but shouldn't I be able to reference all three
 values with $RAD_REPLY{'Person-Type'}?

  No.  That entry is an array.  You need @{$RAD_REPLY{'Person-Type'}},
 and then de-reference each entry from there.


I'm still having no luck trying to get all of the values off this multi-valued 
attribute.. I believe I've got the perl syntax correct but when I try to 
dereference @{$RAD_REPLY{'Person-Type'}} to check through all values, I get:

rlm_perl: perl_embed:: module = /etc/freeradius/groupcheck.pl , func = 
post_auth exit status= Can't use string ("employee") as an ARRAY ref while 
"strict refs" in use at /etc/freeradius/groupcheck.pl line 112.

It appears as though $RAD_REPLY{'Person-Type'} is a string not an array.. if I 
ask for value, I get employee..  

But again, all three values are returned:

...
[ldap] looking for reply items in directory...
  [ldap] personType -> Person-Type = employee
  [ldap] personType -> Person-Type = fulltime
  [ldap] personType -> Person-Type = it
WARNING: No known good password was found in LDAP.  Are you sure that the 
user is configured correctly?
[ldap] user atrack authorized to use remote access
  [ldap] ldap_release_conn: Release Id: 0
++[ldap] returns ok
...

I did notice the following in the post-auth debug:

...
rlm_perl: Added pair User-Name = atrack
rlm_perl: Added pair MS-MPPE-Recv-Key = 0xc8bf3146d6b3966f0838e304da9bf9d2
rlm_perl: Added pair Person-Type = employee
rlm_perl: Added pair EAP-Message = 0x03090004
rlm_perl: Added pair MS-MPPE-Send-Key = 0x46948d82b0b42f60dd31e93a0d643790
...

So, for Person-Type, only the one value, employee, is passed to the perl 
module?  Shouldn't there be another two lines of this for the other two values?

I (finally) upgraded to 2.1.12, with same results.  How can I get the other 
values? 

Or, is there a better way to do this?  

Thanks,

A.

Re: Multi-valued LDAP attribute

2012-05-02 Thread Alan DeKok
Adam Track wrote:
 I'm still having no luck trying to get all of the values off this
 multi-valued attribute.. I believe I've got the perl syntax correct but
 when I try to dereference @{$RAD_REPLY{'Person-Type'}} to check through
 all values, I get:
 
 rlm_perl: perl_embed:: module = /etc/freeradius/groupcheck.pl , func =
 post_auth exit status= Can't use string ("employee") as an ARRAY ref
 while "strict refs" in use at /etc/freeradius/groupcheck.pl line 112.

  This is really a Perl question.
 But again, all three values are returned:
 
 ...
 [ldap] looking for reply items in directory...
   [ldap] personType -> Person-Type = employee
   [ldap] personType -> Person-Type = fulltime

  Read raddb/ldap.attrmap.  This is documented.

 I did notice the following in the post-auth debug:
...
 So, for Person-Type, only the one value, employee, is passed to the perl
 module?  Shouldn't there be another two lines of this for the other two
 values?

  No.  The default operator for the LDAP attribute mapping is '='.  If
you want '+=', edit ldap.attrmap.

  This has been in ldap.attrmap, *and* documented there since 2004.  If
you're editing the file to add personType, then PLEASE READ THE FILE.

  Alan DeKok.


Re: Multi-valued LDAP attribute

2012-05-02 Thread Adam Track
 No.  The default operator for the LDAP attribute mapping is '='.  If
 you want '+=', edit ldap.attrmap.

 This has been in ldap.attrmap, *and* documented there since 2004.  If
 you're editing the file to add personType, then PLEASE READ THE FILE.

Thank you very much for that.  Again, I wouldn't have figured that out on my 
own.  I only email the list as a last resort.

I'd also like to add, although I'm probably going to have my head 
chopped off, that I did read the file.. many times in the past, several 
times today in fact, but unfortunately my brain did not interpret the 
operator description to mean that one need add += for multi-valued 
attributes (much like all my questions before did not seem obvious to 
me, though I suppose they are to others); my brain was sidetracked 
thinking I needed another attribute type in the dictionary file.  
Anyway, I hope at least this email will prevent others from asking the 
same silly question.

A.

Re: Multi-valued LDAP attribute

2012-05-02 Thread Alan DeKok
Adam Track wrote:
 I'd also like to add, although I'm probably going to have my head
 chopped off, that I did read the file.. many times in the past, several
 times today in fact, but unfortunately my brain did not interpret the
 operator description to mean that one need add += for multi-valued
 attributes (much like all my questions before did not seem obvious to
 me, though I suppose they are to others); my brain was sidetracked
 thinking I needed another attribute type in the dictionary file. 

  That's why the comments said to read the documentation for the users
file.  It has *complete* documentation on all of the operators.

  It's just too hard to copy all of the operator documentation into
every file / module which uses it.  They're the same everywhere, so the
documentation often says go read the FULL documentation.

  Alan DeKok.


ldap attribute

2012-04-23 Thread sandm...@uni-greifswald.de
Hello,

I want to get a different attribute from LDAP, something like cn.
Is this possible, and where must it be set?

Kind regards

David Sandmann

***
IT Specialist for Systems Integration
Ernst-Moritz-Arndt-Universität
Computing Centre
Felix-Hausdorff-Straße 12
17489 Greifswald
www.rz.uni-greifswald.de

+49 3834 86 1424
+49 3834 86791424
sandm...@uni-greifswald.de
***





Re: Multi-valued LDAP attribute

2011-12-23 Thread Alan DeKok
Adam Track wrote:
 In a continuation to my previous issue about how to reference an LDAP
 attribute in post-auth, I am now wondering how to iterate through a
 multi-valued attribute in a perl script I call from post-auth.  In the
 debug you can see all three values are returned:

  Multi-value attributes are an array in Perl.

 I'm no perl expert, but shouldn't I be able to reference all three
 values with $RAD_REPLY{'Person-Type'}?

  No.  That entry is an array.  You need @{$RAD_REPLY{'Person-Type'}},
and then de-reference each entry from there.

  See the Perl documentation for more information.

  Alan DeKok.


Re: Multi-valued LDAP attribute

2011-12-23 Thread Adam Track
Ah.. thanks!  Wouldn't have figured that out on my own...

A.


Multi-valued LDAP attribute

2011-12-22 Thread Adam Track
Hi All,

In a continuation to my previous issue about how to reference an LDAP attribute 
in post-auth, I am now wondering how to iterate through a multi-valued 
attribute in a perl script I call from post-auth.  In the debug you can see all 
three values are returned:

...
[ldap] looking for reply items in directory...
  [ldap] personType -> Person-Type = employee
  [ldap] personType -> Person-Type = fulltime
  [ldap] personType -> Person-Type = it
...

The perl module currently has the following code because I can't seem to be 
able to get any result other than the first, i.e. employee, and I really need 
the other two (possibly more) to do a proper VLAN assignment:
 
my ($att, $val, $count, $one, $two);
# walk the whole reply hash and pick out every Person-Type pair
while (($att, $val) = each(%RAD_REPLY)) {
    if ($att =~ 'Person-Type') {
        $count++;
        if ($count == 1) {
            $one = $val;
        } else {
            $two = $val;
        }
    }
}
$RAD_REPLY{'Reply-Message'} = "Total: $count, first: $one, second: $two.";

The results are:

...
   Reply-Message = "Total: 1, first: employee, second: ."
...

I'm no perl expert, but shouldn't I be able to reference all three values with 
$RAD_REPLY{'Person-Type'}? If not, where are the other values being stored?   I 
read from the archives that this can be done with 3.X and foreach using unlang, 
but I'm stuck with 2.1.10 at the moment.  Or, do multi-valued attributes need 
to be defined another way?

Thanks,

A.


Re: Set reply attributes based on LDAP attribute

2011-12-06 Thread aidanr
Thank you both for the quick replies.  I ended up using a switch statement to
determine which Tunnel-Private-Group-ID the person requires.

Now to try and test this to ensure it's working for all users.

Thanks again



Re: Set reply attributes based on LDAP attribute

2011-12-05 Thread Alan Buxey
Hi,

 I am trying to configure freeradius 2.1.12 to set the
 'Tunnel-Private-Group-Id' attribute based on a value retrieved from LDAP.

use unlang - either completely to do the work...or to populate
the packet so that other modules can use it e.g.

if (Person-OrgUnit) {
    update request {
        Person-OrgUnit := "%{Person-OrgUnit}"
    }
}

or somesuch...in the authorize section straight after your LDAP
call. this would assume you've added such a local name to the dictionary...
there are a few local/non reserved variables you can use..

- I'd personally use unlang or PERL to just do the work directly
as then you don't need to play with dictionaries etc, e.g.

if ("%{Person-OrgUnit}" == 1122) {
    update reply {
        Tunnel-Type = VLAN
        Tunnel-Medium-Type = 802
        Tunnel-Private-Group-ID = 
    }
}

do this in eg the post-auth section of the server


don't take my unlang as verbatim...it's quickly typed out as a rough
pointer...your mileage and requirements may vary ;-)

alan


Set reply attributes based on LDAP attribute

2011-12-04 Thread aidanr
Hi,

I am trying to configure freeradius 2.1.12 to set the
'Tunnel-Private-Group-Id' attribute based on a value retrieved from LDAP.

I have pulled the variable from LDAP and am storing it as a local Radius
variable called 'Person-OrgUnit'.  In the users file I am trying to check
its value and set other attributes based on its value.

example:

DEFAULT Person-OrgUnit == 1122
   Tunnel-Type = VLAN,
   Tunnel-Medium-Type  = 802,
   Tunnel-Private-Group-ID = 

From what I can see in freeradius debug mode, it is being skipped
completely.  My old configuration which used the Ldap-Group attribute works
correctly, but I need to change over to this other attribute due to an
internal issue.  An example of the old configuration is below:

DEFAULT ldap_central-Ldap-Group == Hosted
   Tunnel-Type = VLAN,
   Tunnel-Medium-Type  = 802,
   Tunnel-Private-Group-ID = 1107

I have looked at using rlm_checkval but I am seeing 

'rlm_checkval: Could not find item named Person-OrgUnit in request' 

in the logs.  I do not think this module is designed to do what I want.

--

What is the best way for me to check this radius CheckItem variable and
based on its value, set additional attributes?

Thank you,



Re: Set reply attributes based on LDAP attribute

2011-12-04 Thread Alan DeKok
aidanr wrote:
 I am trying to configure freeradius 2.1.12 to set the
 'Tunnel-Private-Group-Id' attribute based on a value retrieved from LDAP.

  That should be easy.

 I have pulled the variable from LDAP and am storing it as a local Radius
 variable called 'Person-OrgUnit'.  In the users file I am trying to check
 its value and set other attributes based on its value.

  That's not really easy.  The users file does comparisons on request
attributes or configuration attributes.

  You probably want to use unlang.  It's much simpler, and you can
directly address the attributes you need.

 I have looked at using rlm_checkval but I am seeing 
 'rlm_checkval: Could not find item named Person-OrgUnit in request'  
 in the logs.  I do not think this module is designed to do what I want.

  Exactly.  It's also why the users file doesn't work.

  Alan DeKok.


Re: Expand Ldap Attribute on Post-Auth section

2011-06-07 Thread Renan

So, according to this:
http://wiki.freeradius.org/Attribute%20support%20by%20processing%20list

I can only access the User-Name and Auth-Type at my custom exec module, 
and nothing else?


I just want to access an LDAP value at my exec module without having to 
issue an external ldapsearch and avoid maintaining doubled ldap 
configurations and queries for this.



On 06-06-2011 15:13, Renan wrote:

Hello there,

I'm trying to evaluate an ldap returned attribute on the post-auth 
section.


At my dictionary:
ATTRIBUTE   Aa  3000    string

At my ldap.attrmap:
checkItem   AA  eduPersonAffiliation

And at my custom module:
exec aloca_vlans {
    wait = yes
    program = "/usr/local/bin/script-teste.sh %{User-Name} %{control:Aa} %{reply:Aa} %{Aa}"

    input_pairs = request
    output_pairs = reply
    packet_type = Access-Accept
    shell_escape = yes
}

When running radiusd -X, I see the data getting fetched.

[ldap] No default NMAS login sequence
[ldap] looking for check items in directory...
  [ldap] eduPersonAffiliation -> Aa == 5
  [ldap] eduPersonAffiliation -> Aa == 2
  [ldap] userPassword -> Password-With-Header == x
  [ldap] ntPassword -> NT-Password == xx
[ldap] looking for reply items in directory...

But when the variables are expanded it returns nothing:

# Executing section post-auth from file 
/etc/freeradius/sites-enabled/default

+- entering group post-auth {...}
[reply_log] expand: /var/log/freeradius/radacct/%{Client-IP-Address}/reply-detail-%Y%m%d -> /var/log/freeradius/radacct/xx/reply-detail-20110606
[reply_log] /var/log/freeradius/radacct/%{Client-IP-Address}/reply-detail-%Y%m%d expands to /var/log/freeradius/radacct/xx/reply-detail-20110606

[reply_log] expand: %t -> Mon Jun  6 15:04:10 2011
++[reply_log] returns ok
[aloca_vlans] expand: %{User-Name} -> renan.manola
[aloca_vlans] expand: %{control:Aa} ->
[aloca_vlans] expand: %{reply:Aa} ->
[aloca_vlans] expand: %{Aa} ->

I have specified the control and reply lists just as a test. If I 
don't specify the variable name at the dictionary file, the log 
complains of unknown module not found.


Best regards.



--
Renan Manola
Information Technology Analyst
Data Processing Center (NPD)
Universidade Federal do Espírito Santo (UFES)
Ministry of Education - Federal Public Service
E-mail: rman...@npd.ufes.br

  Before printing, think about your commitment to the environment.

The information in this message and its attached files is for restricted use, 
and its confidentiality is protected by law. If you are not the intended 
recipient, be aware that reading, disclosure or copying are prohibited. In that 
case, please notify the sender and delete the information. Improper use of this 
information will be dealt with according to company rules and the legislation in force.



Re: Expand Ldap Attribute on Post-Auth section

2011-06-07 Thread Alan DeKok
Renan wrote:
 So, according to this:
 http://wiki.freeradius.org/Attribute%20support%20by%20processing%20list
 
 I can only access the User-Name and Auth-Type at my custom exec module,
 and nothing else?

  Uh, no.  The wiki page needs to be reformatted.

  Each module has access to *all* of the attributes in *all* of the
lists.  Which attributes actually exist depend on the packet, and on the
local configuration.

 I just want to access an LDAP value at my exec module without having to
 issue an external ldapsearch and avoid mantaining doubled ldap
 configurations and queries for this.

  You can't use RADIUS to query LDAP from an exec module.

  Alan DeKok.


Re: Expand Ldap Attribute on Post-Auth section

2011-06-07 Thread John Center

Hi Alan,

On 06/07/2011 01:30 PM, Alan DeKok wrote:

Renan wrote:

So, according to this:
http://wiki.freeradius.org/Attribute%20support%20by%20processing%20list

I can only access the User-Name and Auth-Type at my custom exec module,
and nothing else?


   Uh, no.  The wiki page needs to be reformatted.

We talked about this, there isn't any more content there.  Someone needs 
to rewrite this page.


-John

--
John Center
Villanova University


Re: Expand Ldap Attribute on Post-Auth section

2011-06-07 Thread Alan DeKok
John Center wrote:
 We talked about this, there isn't any more content there.  Someone needs
 to rewrite this page.

  mediawiki.freeradius.org should now work.  The contents can be copied
from there.

  Alan DeKok.


Re: Expand Ldap Attribute on Post-Auth section

2011-06-07 Thread John Center

On 06/07/2011 02:22 PM, Alan DeKok wrote:

John Center wrote:

We talked about this, there isn't any more content there.  Someone needs
to rewrite this page.


   mediawiki.freeradius.org should now work.  The contents can be copied
from there.

Still no more content, see 
http://mediawiki.freeradius.org/Attribute_support_by_processing_list. 
Either whoever wrote this page stopped without finishing it, or the bulk 
of the previous content was lost.  :-(


-John



Re: Expand Ldap Attribute on Post-Auth section

2011-06-07 Thread Renan

On 07-06-2011 14:30, Alan DeKok wrote:

   You can't use RADIUS to query LDAP from an exec module.
It's not a query per se, I would be accessing a variable that was 
already **set** by the LDAP module (that's why I specified it at 
ldap.attrmap).


  Each module has access to *all* of the attributes in *all* of the
   lists.  Which attributes actually exist depend on the packet, and on the
   local configuration.

So all of the attributes are available except the ones that the LDAP module 
fetched (for example: NT-Password, Password-With-Header, my custom 
defined Aa, etc.). As a test, at my exec module I did: env > 
/tmp/temp_file.txt to see which variables are exported; here is the result:


CALLED_STATION_ID=...
CALLING_STATION_ID=...
SERVICE_TYPE=Login-User
EAP_TYPE=PEAP
NAS_PORT=1371
NAS_IDENTIFIER=...
NAS_PORT_TYPE=Wireless-802.11
MESSAGE_AUTHENTICATOR=0xb...
USER_NAME=renan.manola
STATE=0x01
EAP_MESSAGE=0x0...
FRAMED_MTU=1400
PWD=/etc/freeradius
NAS_IP_ADDRESS=
SHLVL=1
NAS_PORT_ID=1371

Is that the normal behavior or was it supposed to return more variables? 
My module is called at the post-auth section.


Regards.

--
Renan Manola
Information Technology Analyst
Data Processing Center (NPD)
Universidade Federal do Espírito Santo (UFES)
Ministry of Education - Federal Public Service
E-mail: rman...@npd.ufes.br



Re: Expand Ldap Attribute on Post-Auth section

2011-06-07 Thread Alan DeKok
Renan wrote:
 So all of the attributes are available except the ones that the LDAP module
 fetched (for example: NT-Password, Password-With-Header, my custom
 defined Aa, etc.). As a test, at my exec module I did: env >
 /tmp/temp_file.txt to see which variables are exported; here is the result:

  Come on... *read* the documentation.  An exec'd program gets passed a
limited subset of attributes.  A *module* gets passed all of the attributes.

  See rlm_example for a sample C module.  If you want access to multiple
attribute lists, use (a) rlm_perl, or (b) a C module.

  Alan DeKok.


Re: Expand Ldap Attribute on Post-Auth section

2011-06-07 Thread Arran Cudbard-Bell

On Jun 7, 2011, at 1:07 PM, John Center wrote:

 On 06/07/2011 02:22 PM, Alan DeKok wrote:
 John Center wrote:
 We talked about this, there isn't any more content there.  Someone needs
 to rewrite this page.
 
   mediawiki.freeradius.org should now work.  The contents can be copied
 from there.

Nice work. Now we can verify whether things were actually lost or just never 
existed in the first place.

 
 Still no more content, see 
 http://mediawiki.freeradius.org/Attribute_support_by_processing_list. Either 
 whoever wrote this page stopped without finishing it, or the bulk of the 
 previous content was lost.  :-(

Stopped without finishing it looks like. Revision history goes back to 2006 and 
it never had any more content than it does now...

-Arran

Arran Cudbard-Bell
RM-RF Limited - Security consultation and contracting
VoIP: +1 916-436-1352 Cell: +44 7854041841







Expand Ldap Attribute on Post-Auth section

2011-06-06 Thread Renan

Hello there,

I'm trying to evaluate an ldap returned attribute on the post-auth section.

At my dictionary:
ATTRIBUTE   Aa  3000    string

At my ldap.attrmap:
checkItem   AA  eduPersonAffiliation

And at my custom module:
exec aloca_vlans {
    wait = yes
    program = "/usr/local/bin/script-teste.sh %{User-Name} %{control:Aa} %{reply:Aa} %{Aa}"

    input_pairs = request
    output_pairs = reply
    packet_type = Access-Accept
    shell_escape = yes
}

When running radiusd -X, I see the data getting fetched.

[ldap] No default NMAS login sequence
[ldap] looking for check items in directory...
  [ldap] eduPersonAffiliation -> Aa == 5
  [ldap] eduPersonAffiliation -> Aa == 2
  [ldap] userPassword -> Password-With-Header == x
  [ldap] ntPassword -> NT-Password == xx
[ldap] looking for reply items in directory...

But when the variables are expanded it returns nothing:

# Executing section post-auth from file 
/etc/freeradius/sites-enabled/default

+- entering group post-auth {...}
[reply_log] expand: /var/log/freeradius/radacct/%{Client-IP-Address}/reply-detail-%Y%m%d -> /var/log/freeradius/radacct/xx/reply-detail-20110606
[reply_log] /var/log/freeradius/radacct/%{Client-IP-Address}/reply-detail-%Y%m%d expands to /var/log/freeradius/radacct/xx/reply-detail-20110606

[reply_log] expand: %t -> Mon Jun  6 15:04:10 2011
++[reply_log] returns ok
[aloca_vlans] expand: %{User-Name} -> renan.manola
[aloca_vlans] expand: %{control:Aa} ->
[aloca_vlans] expand: %{reply:Aa} ->
[aloca_vlans] expand: %{Aa} ->

I have specified the control and reply lists just as a test. If I don't 
specify the variable name at the dictionary file, the log complains of 
unknown module not found.


Best regards.

--
Renan Manola
Information Technology Analyst
Data Processing Center (NPD)
Universidade Federal do Espírito Santo (UFES)
Ministry of Education - Federal Public Service
E-mail: rman...@npd.ufes.br




Re: authorize an user using a multivalue ldap attribute

2010-10-26 Thread Ana Gallardo
Thank you very much for your responses.


Conversely, you could comment out/remove the use Data::Dumper line
 since you're not using it.  It's mainly for debugging and easily
 printing the entire contents of an object/array/hash/etc.


Ok, Kevin, I don't use Data::Dumper and I can run Freeradius with my perl
module.

My problem is with the hashes that rlm_perl provides to my script: rlm_perl
adds to the reply hash an attribute Relaciones with the value of the
attribute Nombre-Completo, and also adds Nombre-Completo!

Debug:

[ldap1] performing user authorization for ana
[ldap1] expand: %{Stripped-User-Name} -> ana
[ldap1] expand: (cn=%{%{Stripped-User-Name}:-%{User-Name}}) -> (cn=ana)
...
[ldap1] looking for check items in directory...
  [ldap1] ntPassword -> NT-Password == 0x35...
[ldap1] looking for reply items in directory...
  [ldap1] Relaciones -> Relaciones += 01
  [ldap1] sn -> Nombre-Completo = ana
WARNING: No known good password was found in LDAP.  Are you sure that the
user is configured correctly?
[ldap1] user ana authorized to use remote access
  [ldap1] ldap_release_conn: Release Id: 0
[ldap1] returns ok
...
rlm_perl: Added pair User-Name = ana
rlm_perl: Added pair User-Password = 
rlm_perl: Added pair Intentos-Reject = 1
rlm_perl: Added pair SQL-User-Name = ana
rlm_perl: Added pair Stripped-User-Name = ana
rlm_perl: Added pair Calling-Station-Id = xxx
rlm_perl: Added pair Nombre-Completo = ana
rlm_perl: Added pair Relaciones = 01
*rlm_perl: Added pair Relaciones = ana*
rlm_perl: Added pair NT-Password = 0x35...
rlm_perl: Added pair Simultaneous-Use = 1
rlm_perl: Added pair Ldap-UserDn = ...

Thank you


  Ana Gallardo Gómez


authorize an user using a multivalue ldap attribute

2010-10-22 Thread Ana Gallardo
Hello,

I have a string attribute named Relaciones in my ldap.

This attribute can have more than one value. Actually I return those values
in the reply:

Sending Access-Accept of id 229 to X.X.X.X port 32796
Relaciones += -11
Relaciones += 03
Relaciones += -01

I want to authorize the access only if there is one attribute Relaciones
with a positive value. So I would like to use unlang in the authorize module to
check all the attributes Relaciones with a regex, but I don't know how I can
check all the attributes, and how I can stop processing the attributes if I
find one without a minus sign.


if ("%{reply:Relaciones}" =~ /^([0-9]{2})/) {

}


Thanks very much, and sorry for my English.


-- 


  Ana Gallardo Gómez


Re: authorize an user using a multivalue ldap attribute

2010-10-22 Thread Ana Gallardo
Hello again,

I have a string attribute named Relaciones in my ldap.

 This attribute can have more than one value. Actually I return those values
 in the reply:

 Sending Access-Accept of id 229 to X.X.X.X port 32796
 Relaciones += -11
 Relaciones += 03
 Relaciones += -01

 I want to authorize the access only if there is one attribute Relaciones
 with a positive value. So I would like to use unlang in the authorize module to
 check all the attributes Relaciones with a regex, but I don't know how I can
 check all the attributes, and how I can stop processing the attributes if I
 find one without a minus sign.


 if ("%{reply:Relaciones}" =~ /^([0-9]{2})/) {

 }



maybe I can check the value with a check item:

#cat /etc/freeradius/ldap.attrmap

checkItem   NT-Password         ntPassword
checkItem   Relaciones          Relaciones      ~= /^([0-9]{2})/

replyItem   Nombre-Completo     sn
replyItem   Relaciones          Relaciones      +=

Anyway, I tested both ideas, but they don't work:

[ldap] looking for check items in directory...
  [ldap] ntPassword -> NT-Password == 0x3...
[ldap1] looking for reply items in directory...
  [ldap1] Relaciones -> Relaciones += -11
  [ldap1] Relaciones -> Relaciones += 03
  [ldap1] Relaciones -> Relaciones += -01
WARNING: No known good password was found in LDAP.  Are you sure that the
user is configured correctly?
[ldap1] user XXX authorized to use remote access
  [ldap1] ldap_release_conn: Release Id: 0
[ldap1] returns ok
? if (fail)
? Evaluating (fail) -> FALSE
? if (fail) -> FALSE
- entering else else {...}
+? if ("%{reply:Relaciones}" =~ /^([0-9]{2})/)
expand: %{reply:Relaciones} -> -11
? Evaluating ("%{reply:Relaciones}" =~ /^([0-9]{2})/) -> FALSE
+? if ("%{reply:Relaciones}" =~ /^([0-9]{2})/) -> FALSE
- else else returns ok


any ideas?

thank you very much.



  Ana Gallardo Gómez


Re: authorize an user using a multivalue ldap attribute

2010-10-22 Thread Alan DeKok
Ana Gallardo wrote:
 I want to authorize the access only if there is one attribute Relaciones
 with a positive value. So I would like to use unlang in the authorize
 module to check all the attributes Relaciones with a regex, but I
 don't know how I can check all the attributes, and how I can stop
 processing the attributes if I find one without a minus sign.
 
 
 if ("%{reply:Relaciones}" =~ /^([0-9]{2})/) {

  You can't really do that with unlang.  I suggest using the perl module.

  Alan DeKok.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: authorize an user using a multivalue ldap attribute

2010-10-22 Thread Ana Gallardo
Hello Alan, and thank you for your response.

  You can't really do that with unlang.  I suggest using the perl module.



I followed your suggestion and wrote this:

# cat /etc/freeradius/perl/checkRelaciones.pm

use strict;
use warnings;
use vars qw(%RAD_REQUEST %RAD_REPLY %RAD_CHECK);
use Data::Dumper;    # not used below; only handy for debugging

use constant RLM_MODULE_REJECT => 0;    # immediately reject the request
use constant RLM_MODULE_OK     => 2;    # the module is OK, continue

sub authorize {
    my $rel = $RAD_REPLY{'Relaciones'};
    return RLM_MODULE_REJECT unless defined $rel;

    # rlm_perl hands over a multi-valued attribute as an array reference and a
    # single value as a plain scalar, so normalise both cases into one list
    my @valores = (ref($rel) eq 'ARRAY') ? @{$rel} : ($rel);

    # accept as soon as one value has no leading minus sign
    foreach my $valor (@valores) {
        if ($valor =~ /^([0-9]{2})/) {
            return RLM_MODULE_OK;
        }
    }

    return RLM_MODULE_REJECT;
}


and I use this in the authorize section:

authorize{
  ...
  files
  ...
  perl
  expiration
  ...
}

but, when I try to run freeradius in debug mode:
...
  perl {
module = /etc/freeradius/perl/checkRelaciones.pm
func_authorize = authorize
func_authenticate = authenticate
func_accounting = accounting
func_preacct = preacct
func_checksimul = checksimul
func_detach = detach
func_xlat = xlat
func_pre_proxy = pre_proxy
func_post_proxy = post_proxy
func_post_auth = post_auth
func_recv_coa = recv_coa
func_send_coa = send_coa
  }

Can't load '/usr/lib/perl/5.10/auto/Data/Dumper/Dumper.so' for module
Data::Dumper: /usr/lib/perl/5.10/auto/Data/Dumper/Dumper.so: undefined
symbol: Perl_sv_cmp at /usr/lib/perl/5.10/XSLoader.pm line 64.
 at /usr/lib/perl/5.10/Data/Dumper.pm line 36


So, I think that I need to upgrade or something like this.

Thank you again.



  Ana Gallardo Gómez

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: authorize an user using a multivalue ldap attribute

2010-10-22 Thread Jonathan Gazeley

On 22/10/10 13:16, Ana Gallardo wrote:

Can't load '/usr/lib/perl/5.10/auto/Data/Dumper/Dumper.so' for module
Data::Dumper: /usr/lib/perl/5.10/auto/Data/Dumper/Dumper.so: undefined
symbol: Perl_sv_cmp at /usr/lib/perl/5.10/XSLoader.pm line 64.
  at /usr/lib/perl/5.10/Data/Dumper.pm line 36


You need to install the Data::Dumper module from your package manager, 
or from CPAN, or from somewhere else :)


--

Jonathan Gazeley
Systems Support Specialist
ResNet | Wireless & VPN Team
Information Services
University of Bristol

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: authorize an user using a multivalue ldap attribute

2010-10-22 Thread Kevin Ehlers
On 10/22/10 6:25 AM, Jonathan Gazeley wrote:
 On 22/10/10 13:16, Ana Gallardo wrote:
 Can't load '/usr/lib/perl/5.10/auto/Data/Dumper/Dumper.so' for module
 Data::Dumper: /usr/lib/perl/5.10/auto/Data/Dumper/Dumper.so: undefined
 symbol: Perl_sv_cmp at /usr/lib/perl/5.10/XSLoader.pm line 64.
   at /usr/lib/perl/5.10/Data/Dumper.pm line 36
 
 You need to install the Data::Dumper module from your package manager,
 or from CPAN, or from somewhere else :)

Conversely, you could comment out/remove the use Data::Dumper line
since you're not using it.  It's mainly for debugging and easily
printing the entire contents of an object/array/hash/etc.

-- 
Kevin Ehlers
Network Engineer
University of Oregon



-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Fallback LDAP Attribute Value

2009-07-08 Thread Steven Carr
On 7/7/09 17:01, Ivan Kalik wrote:
 Yes.
 
 if (((!reply:...) || (reply:... == "")) && Huntgroup-Name == "whatever")

This works for those users that have the attribute set as a fallback
measure, but how do I stop it from returning the attribute when it was
retrieved from LDAP? Again, I only want this attribute to be returned
when they are calling from a particular huntgroup.

So the scenario is: if they are calling from the huntgroup ciscoswitches,
then we return the attributes (either the value from LDAP for the VLAN or
the fallback value from post-auth); if they are not calling from the
huntgroup, then don't return these attributes.

Thanks

Steve

-- 
Steven Carr
Systems Development Officer
SLS/ITS/Systems - (0191) 515 3953



-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Fallback LDAP Attribute Value

2009-07-08 Thread Ivan Kalik
 On 7/7/09 17:01, Ivan Kalik wrote:
 Yes.

 if (((!reply:...) || (reply:... == "")) && Huntgroup-Name == "whatever")

 This works for those users that have the attribute set as a fallback
 measure, but how do I stop it from returning the attribute when it was
 retrieved from LDAP? Again, I only want this attribute to be returned
 when they are calling from a particular huntgroup.

 So the scenario is: if they are calling from the huntgroup ciscoswitches,
 then we return the attributes (either the value from LDAP for the VLAN or
 the fallback value from post-auth); if they are not calling from the
 huntgroup, then don't return these attributes.

If I understand you well:

if (Huntgroup-Name == "ciscoswitches") {
    if ((!reply:...) || (reply:... == "")) {
        update reply {
            Tunnel-Private-Group-ID = 666
        }
    }
}
else {
    update reply {
        Tunnel-Private-Group-ID -= "%{reply:Tunnel-Private-Group-ID}"
    }
}

The extra bit will remove the VLAN ID assigned from LDAP for those not in
the ciscoswitches huntgroup.

Ivan Kalik
Kalik Informatika ISP

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Fallback LDAP Attribute Value

2009-07-08 Thread Steven Carr
On 8/7/09 08:18, Steven Carr wrote:
 On 7/7/09 17:01, Ivan Kalik wrote:
 Yes.

 if (((!reply:...) || (reply:... == "")) && Huntgroup-Name == "whatever")
 
 This works for those users that have the attribute set as a fallback
 measure, but how do I stop it from returning the attribute when it was
 retrieved from LDAP? Again, I only want this attribute to be returned
 when they are calling from a particular huntgroup.
 
 So the scenario is: if they are calling from the huntgroup ciscoswitches,
 then we return the attributes (either the value from LDAP for the VLAN or
 the fallback value from post-auth); if they are not calling from the
 huntgroup, then don't return these attributes.

Is it not possible to use something like...

if ((!Huntgroup-Name) || (Huntgroup-Name != "ciscoswitches")) {
    update reply {
        Tunnel-Private-Group-ID -=
        Tunnel-Type -=
        Tunnel-Medium-Type -=
    }
}

I did try this and it came back with:
  ERROR: No value given for attribute Tunnel-Private-Group-ID.

There must be an easy way to strip attributes from being returned?

Steve

-- 
Steven Carr
Systems Development Officer
SLS/ITS/Systems - (0191) 515 3953



-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Fallback LDAP Attribute Value

2009-07-08 Thread Ivan Kalik
 Is it not possible to use something like...

   if ((!Huntgroup-Name) || (Huntgroup-Name != "ciscoswitches")) {
       update reply {
           Tunnel-Private-Group-ID -=
           Tunnel-Type -=
           Tunnel-Medium-Type -=
       }
   }

 I did try this and it came back with:
   ERROR: No value given for attribute Tunnel-Private-Group-ID.

Obviously not. There is no wildcard. If you want a wildcard, use attribute
filter instead of update reply.

Ivan Kalik
Kalik Informatika ISP

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Fallback LDAP Attribute Value

2009-07-08 Thread Steven Carr
On 8/7/09 14:19, Ivan Kalik wrote:
 Obviously not. There is no wildcard. If you want wildcard use attribute
 filter instead of update reply.

Tried that too, but the attribute filter only seems to allow you to
filter on items that you want to be returned, rather than filter out
those that you don't want to be returned :(

Steve

-- 
Steven Carr
Systems Development Officer
SLS/ITS/Systems - (0191) 515 3953



-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Fallback LDAP Attribute Value

2009-07-08 Thread Ivan Kalik
 On 8/7/09 14:19, Ivan Kalik wrote:
 Obviously not. There is no wildcard. If you want wildcard use attribute
 filter instead of update reply.

 Tried that too, but the attribute filter only seems to allow you to
 filter on items that you want to be returned, rather than filter out
 those that you don't want to be returned :(

Well, reply attributes don't appear from nowhere - *you* configure them!
List what you want to leave in the packet (let's say Service-Type) - the rest
will be deleted.

Ivan Kalik
Kalik Informatika ISP

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Fallback LDAP Attribute Value

2009-07-08 Thread Steven Carr
On 8/7/09 14:36, Ivan Kalik wrote:
 Well, reply attributes don't appear from nowhere - *you* configure them!
 List what you want to leave in the packet (let's say Service-Type) - the rest
 will be deleted.

That is the issue, I do not know what attributes we do want, only what
we don't want.

We only want to send back the VLAN switching dot1x attributes if the
request comes from a particular huntgroup (containing devices that are
allowed to do dot1x), the problem being one of these attributes is
stored in LDAP (the actual VLAN number to put someone in).

The idea is that the RADIUS server is also going to process other
authentication requests as well as dot1x requests, but to ensure that
nothing gets triggered on other devices (Wireless etc.) these attributes
can't be sent back to devices that aren't allowed for dot1x.

We can't be the only people wanting to do this? Or do you have any other
suggestions as to how this can be achieved?

Thanks

Steve

-- 
Steven Carr
Systems Development Officer
SLS/ITS/Systems - (0191) 515 3953



-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Fallback LDAP Attribute Value

2009-07-08 Thread Alan DeKok
Steven Carr wrote:
 That is the issue, I do not know what attributes we do want, only what
 we don't want.

  If you don't want the attributes, it would be simplest to not add them
in the first place.

 We only want to send back the VLAN switching dot1x attributes if the
 request comes from a particular huntgroup (containing devices that are
 allowed to do dot1x), the problem being one of these attributes is
 stored in LDAP (the actual VLAN number to put someone in).

  You can map that VLAN number to a server-side attribute.  Then, copy
it to the correct tunnel attribute when you want.

  e.g. map it to Tmp-String-0, (ldap.attrmap), and then do:


if (... i want to send vlan) {
    update reply {
        Tunnel-Private-Group-Id = "%{Tmp-String-0}"
        ...
    }
}

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Fallback LDAP Attribute Value

2009-07-08 Thread Steven Carr
On 8/7/09 15:07, Alan DeKok wrote:
   You can map that VLAN number to a server-side attribute.  Then, copy
 it to the correct tunnel attribute when you want.
 
   e.g. map it to Tmp-String-0, (ldap.attrmap), and then do:
 
 
   if (... i want to send vlan) {
       update reply {
           Tunnel-Private-Group-Id = "%{Tmp-String-0}"
           ...
       }
   }

OK getting closer...

ldap.attrmap contains:
replyItem   Tmp-String-0    destinationindicator

post-auth section contains:
if ((!reply:Tmp-String-0) || (reply:Tmp-String-0 == "")) {
    update reply {
        Tunnel-Private-Group-Id = 666
    }
}
else {
    update reply {
        Tunnel-Private-Group-Id = "%{Tmp-String-0}"
    }
}

debug output shows:
++? if ((!reply:Tmp-String-0) || (reply:Tmp-String-0 == ))
?? Evaluating !(reply:Tmp-String-0) - TRUE
?? Evaluating (reply:Tmp-String-0 == ) - FALSE
++? if ((!reply:Tmp-String-0) || (reply:Tmp-String-0 == )) - FALSE
++- entering else else
expand: %{Tmp-String-0} -

So Tmp-String-0 supposedly is there, and isn't empty, but I can't get the
data out of it.

In the packet back it is set to:
Tunnel-Private-Group-Id:0 = ""

What am I missing?

Steve

-- 
Steven Carr
Systems Development Officer
SLS/ITS/Systems - (0191) 515 3953



-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Fallback LDAP Attribute Value

2009-07-08 Thread Ivan Kalik

   e.g. map it to Tmp-String-0, (ldap.attrmap), and then do:


   if (... i want to send vlan) {
       update reply {
           Tunnel-Private-Group-Id = "%{Tmp-String-0}"

reply:Tmp-String-0

Ivan Kalik
Kalik Informatika ISP

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Fallback LDAP Attribute Value

2009-07-08 Thread Steven Carr
On 8/7/09 16:21, Ivan Kalik wrote:
   e.g. map it to Tmp-String-0, (ldap.attrmap), and then do:


 if (... i want to send vlan) {
     update reply {
         Tunnel-Private-Group-Id = "%{Tmp-String-0}"
 
 reply:Tmp-String-0

Pants! I was almost certain I'd tried that previously and it had failed.
Tis working now though :)

Thanks

Steve

-- 
Steven Carr
Systems Development Officer
SLS/ITS/Systems - (0191) 515 3953



-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
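Putting the pieces of this thread together, as an added example for FreeRADIUS 2.x (configuration written for this page, not by any of the posters): ldap.attrmap maps destinationIndicator into the internal attribute Tmp-String-0, and post-auth both picks the fallback and decides whether the tunnel attributes are sent at all. The huntgroup name ciscoswitches and the fallback VLAN 666 are the ones used in the thread; the `!* ANY` deletions in the else branch are an assumption about what other sections might have added.

```unlang
# raddb/ldap.attrmap
# Pull the LDAP value into an internal attribute instead of straight into
# Tunnel-Private-Group-Id. Tmp-String-0 is never encoded into the reply packet,
# so a value from the directory only reaches a NAS when post-auth copies it.
replyItem   Tmp-String-0    destinationIndicator

# raddb/sites-enabled/default
post-auth {
    # Only NAS entries listed in the "ciscoswitches" huntgroup (raddb/huntgroups)
    # receive dynamic-VLAN attributes. Other NAS types never see them.
    if (Huntgroup-Name == "ciscoswitches") {
        update reply {
            Tunnel-Type := VLAN
            Tunnel-Medium-Type := IEEE-802
        }
        if ((!reply:Tmp-String-0) || (reply:Tmp-String-0 == "")) {
            # Attribute missing or empty in LDAP: fall back to a restricted
            # VLAN rather than leaving the port without an assignment.
            update reply {
                Tunnel-Private-Group-Id := 666
            }
        }
        else {
            # The reply: prefix matters; a bare %{Tmp-String-0} reads the
            # request list and expanded to nothing in the thread.
            update reply {
                Tunnel-Private-Group-Id := "%{reply:Tmp-String-0}"
            }
        }
    }
    else {
        # Assumption: something earlier (users file, another module) may have
        # added tunnel attributes. "!* ANY" deletes every instance, no value needed.
        update reply {
            Tunnel-Type !* ANY
            Tunnel-Medium-Type !* ANY
            Tunnel-Private-Group-Id !* ANY
        }
    }
}
```

The `-=` operator that failed with "No value given" removes one specific value, so it needs one; `!* ANY` removes every instance of the attribute regardless of value. Operationally, destinationIndicator is now an authority on network placement: whoever can write that attribute in the directory chooses the user's VLAN, so its write ACL deserves the same scrutiny as group membership, and 666 should be a VLAN with restricted reach rather than the production default.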

Re: Fallback LDAP Attribute Value

2009-07-08 Thread Alan DeKok
Ivan Kalik wrote:
 reply:Tmp-String-0

  Whoops..  that's my typo.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Fallback LDAP Attribute Value

2009-07-07 Thread Steven Carr
Hi list,

I have the following line in my ldap.attrmap file to pull back a user's
VLAN assignment:

 replyItem Tunnel-Private-Group-ID destinationIndicator

The users file contains the following:

 DEFAULT Ldap-Group == "allowed-access"
   Service-Type = Framed-User,
   Tunnel-Type = VLAN,
   Tunnel-Medium-Type = IEEE-802

For the users which are in the allowed-access group, those which have a
value in the destinationIndicator attribute in LDAP work OK and are
flipped into the appropriate VLAN. How do I specify a fallback so that,
if the user does not have this attribute set or it is empty, they
are put into VLAN 666, for example?

Thanks

Steve

-- 
Steven Carr
Systems Development Officer
SLS/ITS/Systems - (0191) 515 3953



-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Fallback LDAP Attribute Value

2009-07-07 Thread Ivan Kalik
 I have the following line in my ldap.attrmap file to pull back a user's
 VLAN assignment:

 replyItem   Tunnel-Private-Group-ID   destinationIndicator

 The users file contains the following:

 DEFAULT Ldap-Group == "allowed-access"
  Service-Type = Framed-User,
  Tunnel-Type = VLAN,
  Tunnel-Medium-Type = IEEE-802

 For the users which are in the allowed-access group, those which have a
 value in the destinationIndicator attribute in LDAP work OK and are
 flipped into the appropriate VLAN. How do I specify a fallback so that,
 if the user does not have this attribute set or it is empty, they
 are put into VLAN 666, for example?

Use unlang. Put something like this in post-auth:

if (reply:Tunnel-Private-Group-ID == "") {
 update reply {
  Tunnel-Private-Group-ID = 666
 }
}

Ivan Kalik
Kalik Informatika ISP

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Fallback LDAP Attribute Value

2009-07-07 Thread Steven Carr
Hi Ivan

On 7/7/09 14:29, Ivan Kalik wrote:
 Use unlang. Put something like this in post-auth:
 
 if (reply:Tunnel-Private-Group-ID == "") {
  update reply {
   Tunnel-Private-Group-ID = 666
  }
 }

I've tried this in both the default and inner-tunnel post-auth sections
and neither returned the value 666 in the Radius Accept. Do I need to
add anything as a placeholder in the users config file?

Thanks

Steve

-- 
Steven Carr
Systems Development Officer
SLS/ITS/Systems - (0191) 515 3953



-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Fallback LDAP Attribute Value

2009-07-07 Thread Steven Carr
On 7/7/09 15:48, Steven Carr wrote:
 Hi Ivan
 
 On 7/7/09 14:29, Ivan Kalik wrote:
 Use unlang. Put something like this in post-auth:

 if (reply:Tunnel-Private-Group-ID == "") {
  update reply {
   Tunnel-Private-Group-ID = 666
  }
 }
 
 I've tried this in both the default and inner-tunnel post-auth sections
 and neither returned the value 666 in the Radius Accept. Do I need to
 add anything as a placeholder in the users config file?

Digging into debug came back with:

 ++? if (reply:Tunnel-Private-Group-ID == "")
 (Attribute reply:Tunnel-Private-Group-ID was not found)

Steve

-- 
Steven Carr
Systems Development Officer
SLS/ITS/Systems - (0191) 515 3953



-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Fallback LDAP Attribute Value

2009-07-07 Thread Ivan Kalik
 Use unlang. Put something like this in post-auth:

 if (reply:Tunnel-Private-Group-ID == "") {
  update reply {
   Tunnel-Private-Group-ID = 666
  }
 }

 I've tried this in both the default and inner-tunnel post-auth sections
 and neither returned the value 666 in the Radius Accept. Do I need to
 add anything as a placeholder in the users config file?

 Digging into debug came back with:

 ++? if (reply:Tunnel-Private-Group-ID == "")
 (Attribute reply:Tunnel-Private-Group-ID was not found)

OK, try:

if (!reply:Tunnel-Private-Group-ID)

that should cover the case when there is no ldap attribute in the user
profile. If the attribute can be empty or missing you will need to OR those
two expressions.

Ivan Kalik
Kalik Informatika ISP

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Fallback LDAP Attribute Value

2009-07-07 Thread Steven Carr
On 7/7/09 16:04, Ivan Kalik wrote:
 OK, try:
 
 if (!reply:Tunnel-Private-Group-ID)
 
 that should cover the case when there is no ldap attribute in the user
 profile. If the attribute can be empty or missing you will need to OR those
 two expressions.

Thanks Ivan, the following in the post-auth section of the default file
works:

   if ((!reply:Tunnel-Private-Group-ID) || (reply:Tunnel-Private-Group-ID == "")) {
   update reply {
   Tunnel-Private-Group-ID = 666
   }
   }

Steve

-- 
Steven Carr
Systems Development Officer
SLS/ITS/Systems - (0191) 515 3953



-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Fallback LDAP Attribute Value

2009-07-07 Thread Steven Carr
On 7/7/09 16:16, Steven Carr wrote:
 Thanks Ivan, the following in the post-auth section of the default file
 works:
 
  if ((!reply:Tunnel-Private-Group-ID) || (reply:Tunnel-Private-Group-ID == "")) {
  update reply {
  Tunnel-Private-Group-ID = 666
  }
  }

OK, for my next part on this subject: this returns the values for all
users regardless of what they are connecting to. Is it possible to
either restrict this value to only be returned to a particular huntgroup,
or to remove this value from being returned to the huntgroups that
don't need it?

We are doing 802.1x and only want the 802.1x attributes to be returned
to our cisco switches.

E.g. I have a huntgroup called ciscoswitches which has all of our
switches listed in it. In the users file I have the following
declaration to add the 802.1x attributes:

DEFAULT Huntgroup-Name == "ciscoswitches"
Service-Type = Framed-User,
Tunnel-Type = VLAN,
Tunnel-Medium-Type = IEEE-802,
Fall-Through = Yes

The Tunnel-Private-Group-ID is then added from the post-auth, which is
fine for this huntgroup, but I don't want it there for the rest of them.

Thanks

Steve

-- 
Steven Carr
Systems Development Officer
SLS/ITS/Systems - (0191) 515 3953



-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Fallback LDAP Attribute Value

2009-07-07 Thread Ivan Kalik
 Thanks Ivan, the following in the post-auth section of the default file
 works:

 if ((!reply:Tunnel-Private-Group-ID) || (reply:Tunnel-Private-Group-ID == "")) {
 update reply {
 Tunnel-Private-Group-ID = 666
 }
 }

 OK for my next part on this subject, this returns the values for all
 users regardless of what they are connecting to. Is it possible to
 either restrict this value to only be returned to a particular huntgroup
 or to remove this value from being returned from the huntgroups that
 don't need it.

Yes.

if (((!reply:...) || (reply:... == "")) && Huntgroup-Name == "whatever")

Ivan Kalik
Kalik Informatika ISP

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Dynamic Vlan Allocation based on LDAP Attribute Value

2009-02-16 Thread tnt

I have a value set for an attribute in LDAP, how do I extract the
value from the attribute  and do a comparison on it in the users file
so I can set the VLAN?


ldap.attrmap file in raddb directory.

Ivan Kalik
Kalik Informatika ISP

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Dynamic Vlan Allocation based on LDAP Attribute Value

2009-02-16 Thread tnt
Am I correct in saying that the LDAP attribute that is mapped to
Tunnel-Private-Group-ID would need to be set to the value of the
VLAN I require?  The LDAP attribute that I wish to use currently
contains values like ITISCP and ENISCP.  I want to say: if
attribute value == ITISCP, set VLAN to 226 (i.e. Tunnel-Private-Group-ID
= 226).  Using ldap.attrmap mappings I would need to store the
required VLAN in an LDAP attribute.  (I can't change the LDAP, only read
it).


No. You can define your own attribute (let's say VLAN-Flag) in
raddb/dictionary and use unlang in authorize section to test and set
tunnel attributes.

Ivan Kalik
Kalik Informatika ISP

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Dynamic Vlan Allocation based on LDAP Attribute Value

2009-02-16 Thread Paul Dealy
On Tue, Feb 17, 2009 at 9:50 AM,  t...@kalik.net wrote:
Am I correct in saying that the LDAP attribute that is mapped to
Tunnel-Private-Group-ID would need to be set to the value of the
VLAN I require?  The LDAP attribute that I wish to use currently
contains values like ITISCP and ENISCP.  I want to say: if
attribute value == ITISCP, set VLAN to 226 (i.e. Tunnel-Private-Group-ID
= 226).  Using ldap.attrmap mappings I would need to store the
required VLAN in an LDAP attribute.  (I can't change the LDAP, only read
it).


 No. You can define your own attribute (let's say VLAN-Flag) in
 raddb/dictionary and use unlang in authorize section to test and set
 tunnel attributes.

Thanks Ivan,

I've configured a dictionary value userORGUNIT and added an
ldap.attrmap mapping.   I've tried to perform a comparison operation
on the value of userORGUNIT in the users config file,

i.e. DEFAULT userORGUNIT == "HR"
         Tunnel-Private-Group-Id = 226

But this does not match, even though debug shows "rlm_ldap: Adding
userORGUNIT as userORGUNIT, value HR  op=21".

Is this the correct location for these comparison operations?  There
are around 50 userORGUNITs that I need to compare against.


 Ivan Kalik
 Kalik Informatika ISP

 -
 List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Dynamic Vlan Allocation based on LDAP Attribute Value

2009-02-16 Thread tnt
Am I correct in saying that the LDAP attribute that is mapped to
Tunnel-Private-Group-ID would need to be set to the value of the
VLAN I require?  The LDAP attribute that I wish to use currently
contains values like ITISCP and ENISCP.  I want to say: if
attribute value == ITISCP, set VLAN to 226 (i.e. Tunnel-Private-Group-ID
= 226).  Using ldap.attrmap mappings I would need to store the
required VLAN in an LDAP attribute.  (I can't change the LDAP, only read
it).


 No. You can define your own attribute (let's say VLAN-Flag) in
 raddb/dictionary and use unlang in authorize section to test and set
 tunnel attributes.

Thanks Ivan,

I've configured a dictionary value userORGUNIT and added an
ldap.attrmap mapping.   I've tried to perform a comparison operation
on the value of userORGUNIT in the users config file,

i.e. DEFAULT userORGUNIT == "HR"
         Tunnel-Private-Group-Id = 226

But this does not match, even though debug shows "rlm_ldap: Adding
userORGUNIT as userORGUNIT, value HR  op=21".

Is this the correct location for these comparison operations?  There
are around 50 userORGUNITs that I need to compare against.


Files are normally listed before ldap in authorize. Use unlang switch
command *after* ldap entry. Or list files after ldap if you are using an
old version.

Ivan Kalik
Kalik Informatika ISP

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Dynamic Vlan Allocation based on LDAP Attribute Value

2009-02-16 Thread Paul Dealy
On Tue, Feb 17, 2009 at 11:04 AM,  t...@kalik.net wrote:
Am I correct in saying that the LDAP attribute that is mapped to
Tunnel-Private-Group-ID would need to be set to the value of the
VLAN I require?  The LDAP attribute that I wish to use currently
contains values like ITISCP and ENISCP.  I want to say: if
attribute value == ITISCP, set VLAN to 226 (i.e. Tunnel-Private-Group-ID
= 226).  Using ldap.attrmap mappings I would need to store the
required VLAN in an LDAP attribute.  (I can't change the LDAP, only read
it).


 No. You can define your own attribute (let's say VLAN-Flag) in
 raddb/dictionary and use unlang in authorize section to test and set
 tunnel attributes.

Thanks Ivan,

I've configured a dictionary value userORGUNIT and added an
ldap.attrmap mapping.   I've tried to perform a comparison operation
on the value of userORGUNIT in the users config file,

i.e. DEFAULT userORGUNIT == "HR"
         Tunnel-Private-Group-Id = 226

But this does not match, even though debug shows "rlm_ldap: Adding
userORGUNIT as userORGUNIT, value HR  op=21".

Is this the correct location for these comparison operations?  There
are around 50 userORGUNITs that I need to compare against.


 Files are normally listed before ldap in authorize. Use unlang switch
 command *after* ldap entry. Or list files after ldap if you are using an
 old version.
Ivan,

I'm using version 1.1.3, so I moved the files entry below the ldap
entry, but my DEFAULT entry in the users file does not match or return
any value.


 Ivan Kalik
 Kalik Informatika ISP

 -
 List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Dynamic Vlan Allocation based on LDAP Attribute Value

2009-02-16 Thread tnt
I'm using version 1.1.3, so I moved the files entry below the ldap
entry, but my DEFAULT entry in the users file does not match or return
any value.


You should upgrade. Did something else match in files? Post the debug.

Ivan Kalik
Kalik Informatika ISP

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Dynamic Vlan Allocation based on LDAP Attribute Value

2009-02-16 Thread Paul Dealy
On Tue, Feb 17, 2009 at 11:44 AM,  t...@kalik.net wrote:
I'm using version 1.1.3, so I moved the files entry below the ldap
entry, but my DEFAULT entry in the users file does not match or return
any value.


 You should upgrade. Did something else match in files? Post the debug.

Stuck with this version for now.

I have a catch-all DEFAULT entry with no comparison which sets the
VLAN.  But it didn't match on the userORGUNIT LDAP attribute value.


modcall: entering group authorize for request 2
  modcall[authorize]: module preprocess returns ok for request 2
  modcall[authorize]: module chap returns noop for request 2
  modcall[authorize]: module mschap returns noop for request 2
rlm_ldap: - authorize
rlm_ldap: performing user authorization for asmith
radius_xlat:  '(&(objectClass=inetOrgPerson)(cn=asmith))'
radius_xlat:  'o=sut'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in o=sut, with filter
(&(objectClass=inetOrgPerson)(cn=asmith))
rlm_ldap: checking if remote access for asmith is allowed by userORGUNIT
rlm_ldap: looking for check items in directory...
rlm_ldap: Adding userORGUNIT as userORGUNIT, value ISITCP  op=21
rlm_ldap: looking for reply items in directory...
rlm_ldap: user asmith authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module ldap returns ok for request 2
users: Matched entry DEFAULT at line 25
  modcall[authorize]: module files returns ok for request 2
  rlm_eap: EAP packet type response id 4 length 6
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module eap returns updated for request 2
modcall: leaving group authorize (returns updated) for request 2
  rad_check_password:  Found Auth-Type EAP
auth: type EAP
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 2
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/peap
  rlm_eap: processing type peap
  rlm_eap_peap: Authenticate
  rlm_eap_tls: processing TLS
rlm_eap_tls: Received EAP-TLS ACK message
  rlm_eap_tls: ack handshake fragment handler
  eaptls_verify returned 1
  eaptls_process returned 13
  rlm_eap_peap: EAPTLS_HANDLED
  modcall[authenticate]: module eap returns handled for request 2
modcall: leaving group authenticate (returns handled) for request 2
Sending Access-Challenge of id 35 to xxx.xxx.xxx.xxx port 1645
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = 226
EAP-Message =
EAP-Message =
EAP-Message =
Message-Authenticator = 0x
State = 0xb4d641b20399b8f92c0d9fb148763ead
Finished request 2
Going to the next request


The users file looks like:


DEFAULT userORGUNIT == "ISITCP"
tunnel-type = VLAN,
tunnel-medium-type = IEEE-802,
tunnel-private-group-ID = 5,
Fall-Through = No

DEFAULT
tunnel-type = VLAN,
tunnel-medium-type = IEEE-802,
tunnel-private-group-ID = 226,
Fall-Through = No



 Ivan Kalik
 Kalik Informatika ISP

 -
 List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Dynamic Vlan Allocation based on LDAP Attribute Value

2009-02-16 Thread tnt
I'm using version 1.1.3, so I moved the files entry below the ldap
entry, but my DEFAULT entry in the users file does not match or return
any value.


 You should upgrade. Did something else match in files? Post the debug.

Stuck with this version for now.

I have a catch-all DEFAULT entry with no comparison which sets the
VLAN.  But it didn't match on the userORGUNIT LDAP attribute value.


Upgrade. Checking control:My-Attribute with unlang works.

Ivan Kalik
Kalik Informatika ISP

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
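Ivan's recipe written out, as an added example for FreeRADIUS 2.x (configuration written for this page, not from the thread): a site-local dictionary attribute receives the LDAP value as a check item, and an unlang switch placed after ldap in authorize turns the org-unit string into a VLAN. The values ISITCP, HR and 226 come from the thread; the attribute number 3000, the VLAN for HR and the quarantine VLAN 999 are assumptions.

```unlang
# raddb/dictionary
# Site-local attribute to carry the LDAP value. The stock dictionary reserves
# numbers from 3000 upward for local attributes; they are never sent on the
# wire. (3000 is an assumed, unused number.)
ATTRIBUTE   userORGUNIT     3000    string

# raddb/ldap.attrmap
# A checkItem lands in the control list, which unlang reads as control:<name>.
# A "users" entry like "DEFAULT userORGUNIT == HR" tests the *request* packet,
# where the attribute never is, so it can never match.
checkItem   userORGUNIT     userORGUNIT

# raddb/sites-enabled/default
authorize {
    preprocess
    # ... chap, mschap, suffix, eap, files and so on as in the stock file ...
    ldap
    # Must come after ldap: before that module runs, control:userORGUNIT is empty.
    switch "%{control:userORGUNIT}" {
        case "ISITCP" {
            update reply {
                Tunnel-Type := VLAN
                Tunnel-Medium-Type := IEEE-802
                Tunnel-Private-Group-Id := 226
            }
        }
        case "HR" {
            update reply {
                Tunnel-Type := VLAN
                Tunnel-Medium-Type := IEEE-802
                Tunnel-Private-Group-Id := 5        # assumed VLAN for HR
            }
        }
        case {
            # Unknown or missing org unit: a restricted VLAN, not the default one.
            update reply {
                Tunnel-Type := VLAN
                Tunnel-Medium-Type := IEEE-802
                Tunnel-Private-Group-Id := 999      # assumed quarantine VLAN
            }
        }
    }
    # ... expiration, logintime, pap as in the stock file ...
}
```

Because a directory string now maps directly to a VLAN, the `case` list doubles as an allow-list: an org unit that is not enumerated cannot land anywhere but the quarantine VLAN, and a change to a user's userORGUNIT in LDAP is a change to their network placement, so writes to that attribute deserve the same controls as group membership.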


Re: Dynamic Vlan Allocation based on LDAP Attribute Value

2009-02-13 Thread Paul Dealy
On Fri, Feb 13, 2009 at 6:37 PM, Michael Schwartzkopff
mi...@multinet.de wrote:
 On Friday, 13 February 2009 07:17:17, Paul Dealy wrote:
 I have a working radius server (ver 1.1.3), which I am using for
 802.1x authentication of wired switch ports.  I would like to
 dynamically assign users VLANs.  I have Cisco gear and have achieved
 basic VLAN allocation by configuring a Default entry in the users
 file.   So the VLAN allocation part works ok.

 What I want to be able to do is allocate the vlan by matching the
 value of an LDAP attribute.  Not by group membership, but the actual
 value of a users attribute.  Is this possible?

 Cheers,
 Dealy

 Yes. Just assign these attributes to the user object in LDAP.

I have a value set for an attribute in LDAP, how do I extract the
value from the attribute  and do a comparison on it in the users file
so I can set the VLAN?






Re: Dynamic Vlan Allocation based on LDAP Attribute Value

2009-02-13 Thread Michael Schwartzkopff
On Friday, 13 February 2009 11:00:10, Paul Dealy wrote:
 I have a value set for an attribute in LDAP, how do I extract the
 value from the attribute and do a comparison on it in the users file
 so I can set the VLAN?

Hi,

I don't remember exactly what I did on version 1. Please see:
http://vuksan.com/linux/dot1x/802-1x-LDAP.html
for some hints.

I had something like

DEFAULT	Auth-Type := LDAP
	Reply-Message = "Auth by LDAP"

in my users file. Other attributes stored in an object of objectClass 
radiusprofile should be added automatically to the Reply attributes.

It is much simpler in version 2 of FreeRADIUS. It nearly works out of the box. 
Just uncomment the ldap part in authorization and authentication sections.

Greetings,


-- 
Dr. Michael Schwartzkopff
MultiNET Services GmbH
Address: Bretonischer Ring 7; 85630 Grasbrunn; Germany
Tel: +49 - 89 - 45 69 11 0
Fax: +49 - 89 - 45 69 11 21
mob: +49 - 174 - 343 28 75

mail: mi...@multinet.de
web: www.multinet.de

Registered office: 85630 Grasbrunn
Commercial register: Amtsgericht München HRB 114375
Managing directors: Günter Jurgeneit, Hubert Martens

---

PGP Fingerprint: F919 3919 FF12 ED5A 2801 DEA6 AA77 57A4 EDD8 979B
Skype: misch42


Re: Dynamic Vlan Allocation based on LDAP Attribute Value

2009-02-13 Thread Paul Dealy
On Fri, Feb 13, 2009 at 9:12 PM, Michael Schwartzkopff
mi...@multinet.de wrote:
 Hi,

 I don't remember exactly what I did on version 1. Please see:
 http://vuksan.com/linux/dot1x/802-1x-LDAP.html
 for some hints.

 I had something like

 DEFAULT	Auth-Type := LDAP
 	Reply-Message = "Auth by LDAP"

 in my users file. Other attributes stored in an object of objectClass
 radiusprofile should be added automatically to the Reply attributes.

I don't actually want to add radiusprofile attributes to my LDAP.  The
users already have an attribute which identifies their department.  I
want to be able to say if department attribute = X then allocate VLAN
Y.  Can this be done without specifically setting the vlan etc as
radiusprofile attributes?  Also I am not using ldap for the
authentication, just authorization.  The authentication is done using
ntlm_auth.


 It is much simpler in version 2 of FreeRADIUS. It nearly works out of the box.
 Just uncomment the ldap part in authorization and authentication sections.

 Greetings,




Re: Dynamic Vlan Allocation based on LDAP Attribute Value

2009-02-13 Thread Michael Schwartzkopff
On Friday, 13 February 2009 11:54:29, Paul Dealy wrote:
 I don't actually want to add radiusprofile attributes to my LDAP.  The
 users already have an attribute which identifies their department.  I
 want to be able to say if department attribute = X then allocate VLAN
 Y.  Can this be done without specifically setting the vlan etc as
 radiusprofile attributes?  Also I am not using ldap for the
 authentication, just authorization.  The authentication is done using
 ntlm_auth.

Then you would have to re-map some LDAP-attribute of your objectClass to 
Tunnel-Private-Group-ID. The Tunnel-Type=VLAN and Tunnel-Medium-Type=IEEE-802 
could be set in the DEFAULT section of the users file.

Please see the ldap.attrmap in your raddb dir for the mapping of attributes.

Greetings,

-- 
Dr. Michael Schwartzkopff
MultiNET Services GmbH


Re: Dynamic Vlan Allocation based on LDAP Attribute Value

2009-02-13 Thread Paul Dealy
On Fri, Feb 13, 2009 at 10:16 PM, Michael Schwartzkopff
mi...@multinet.de wrote:
 Then you would have to re-map some LDAP-attribute of your objectClass to
 Tunnel-Private-Group-ID. The Tunnel-Type=VLAN and Tunnel-Medium-Type=IEEE-802
 could be set in the DEFAULT section of the users file.

 Please see the ldap.attrmap in your raddb dir for the mapping of attributes.

Am I correct in saying that the LDAP-attribute that is mapped to
Tunnel-Private-Group-ID would need to be set to the value of the
VLAN I require?  The LDAP-attribute that I wish to use currently
contains values like ITISCP and ENISCP.  I want to say if
attribute value == ITISCP set vlan to 226 (i.e. Tunnel-Private-Group-ID
= 226).  Using ldap.attrmap mappings I would need to store the
required vlan in a LDAP attribute.  (I can't change the LDAP only read
it).

Cheers




Re: Dynamic Vlan Allocation based on LDAP Attribute Value

2009-02-13 Thread Michael Schwartzkopff
On Friday, 13 February 2009 12:36:09, Paul Dealy wrote:
 Am I correct in saying that the LDAP-attribute that is mapped to
 Tunnel-Private-Group-ID would need to be set to the value of the
 VLAN I require?  The LDAP-attribute that I wish to use currently
 contains values like ITISCP and ENISCP.  I want to say if
 attribute value == ITISCP set vlan to 226 (i.e. Tunnel-Private-Group-ID
 = 226).  Using ldap.attrmap mappings I would need to store the
 required vlan in a LDAP attribute.  (I can't change the LDAP only read
 it).

Even more complicated. Sorry, I did not read your previous mail completely.

Sending the department attribute (i.e. ITISCP) might work if the switch 
understands it and can map it to the correct VLAN numbers. As far as I know, 
this can be done with Cisco. On other switches you have to see in the user 
manual if you can attach names to VLANs.

Otherwise you would have to add a new ou=profiles with several cn=profile of 
the objectClass radiusprofile. This radiusprofile would indicate the correct 
VLAN number. 

Then you could use the profile_attribute of the ldap module to point to the 
correct LDAP attribute of the user object that points to the correct 
attribute.  But you would have to fill that attribute manually with something 
like:
cn=vlan42profile,ou=profiles,ou=radius,dc=sample,dc=org

Perhaps it is better to do that automated by scripting deduced from the 
department attribute every hour. But when you start scripting that you also 
could deduce the VLAN number from the department and fill this into an attribute 
of the user itself and change ldap.attrmap pointing to that attribute.

Greetings,
-- 
Dr. Michael Schwartzkopff
MultiNET Services GmbH


Re: Dynamic Vlan Allocation based on LDAP Attribute Value

2009-02-13 Thread Michael Schwartzkopff
On Friday, 13 February 2009 12:36:09, Paul Dealy wrote:
 Am I correct in saying that the LDAP-attribute that is mapped to
 Tunnel-Private-Group-ID would need to be set to the value of the
 VLAN I require?  The LDAP-attribute that I wish to use currently
 contains values like ITISCP and ENISCP.  I want to say if
 attribute value == ITISCP set vlan to 226 (i.e. Tunnel-Private-Group-ID
 = 226).  Using ldap.attrmap mappings I would need to store the
 required vlan in a LDAP attribute.  (I can't change the LDAP only read
 it).

 Cheers

Hi,

forget my last mail. I did not think to the end.

Create a radiusprofile object, fill in the correct VLAN values for the 
departments and set up group membership to your needs according to the section

	#  Group membership checking.  Disabled by default.
	#
	# groupname_attribute = cn
	# groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{control:Ldap-UserDn})))"
	# groupmembership_attribute = radiusGroupName

Then the group points to the department and the radiusprofile object of that 
department adds the correct VLAN number.

-- 
Dr. Michael Schwartzkopff
MultiNET Services GmbH


Re: Dynamic Vlan Allocation based on LDAP Attribute Value

2009-02-13 Thread Paul Dealy
On Fri, Feb 13, 2009 at 11:22 PM, Michael Schwartzkopff
mi...@multinet.de wrote:
 Even more complicated. Sorry, I did not read your previous mail completely.

 Sending the department attribute (i.e. ITISCP) might work if the switch
 understands it and can map it to the correct VLAN numbers. As far as I know,
 this can be done with Cisco. On other switches you have to see in the user
 manual if you can attach names to VLANs.

 Otherwise you would have to add a new ou=profiles with several cn=profile of
 the objectClass radiusprofile. This radiusprofile would indicate the correct
 VLAN number.

 Then you could use the profile_attribute of the ldap module to point to the
 correct LDAP attribute of the user object that points to the correct
 attribute.  But you would have to fill that attribute manually with something
 like:
 cn=vlan42profile,ou=profiles,ou=radius,dc=sample,dc=org

 Perhaps it is better to do that automated by scripting deduced from the
 department attribute every hour. But when you start scripting that you also
 could deduce the VLAN number from the department and fill this into an
 attribute of the user itself and change ldap.attrmap pointing to that attribute.



Thanks for your help.  Looks like I need to talk to the ldap admins
and get them to script populating the radiusprofile attributes.  It's
a pity, because getting changes made to ldap becomes a big red tape
exercise within the department.



Re: Dynamic Vlan Allocation based on LDAP Attribute Value

2009-02-13 Thread Michael Schwartzkopff
On Friday, 13 February 2009 13:39:49, Paul Dealy wrote:
 Thanks for your help.  Looks like I need to talk to the ldap admins
 and get them to script populating the radiusprofile attributes.  It's

Re: Dynamic Vlan Allocation based on LDAP Attribute Value

2009-02-13 Thread Michael Schwartzkopff
Am Freitag, 13. Februar 2009 12:36:09 schrieb Paul Dealy:
 On Fri, Feb 13, 2009 at 10:16 PM, Michael Schwartzkopff

 mi...@multinet.de wrote:
  Am Freitag, 13. Februar 2009 11:54:29 schrieb Paul Dealy:
  On Fri, Feb 13, 2009 at 9:12 PM, Michael Schwartzkopff
 
  mi...@multinet.de wrote:
   Am Freitag, 13. Februar 2009 11:00:10 schrieb Paul Dealy:
   On Fri, Feb 13, 2009 at 6:37 PM, Michael Schwartzkopff
  
   mi...@multinet.de wrote:
Am Freitag, 13. Februar 2009 07:17:17 schrieb Paul Dealy:
I have a working radius server (ver 1.1.3). which I am using for
802.1x authentication of wired switch ports.  I would like to
dynamically assign users vlans.  I have cisco gear and have
achieved basic vlan allocation by configuring a Default entry in
the users file.   So the vlan allocation part works ok.
   
What I want to be able to do is allocate the vlan by matching the
value of an LDAP attribute.  Not by group membership, but the
actual value of a users attribute.  Is this possible?
   
Cheers,
Dealy
   
Yes. Just assign these attributes to the user object in LDAP.
  
   I have a value set for an attribute in LDAP, how do I extract the
   value from the attribute  and do a comparison on it in the users file
   so I can set the VLAN?
  
   Hi,
  
   I don't remember exactly what I did on version 1. Please see:
   http://vuksan.com/linux/dot1x/802-1x-LDAP.html
   for some hints.
  
   I had something like
  
   DEFAULT Auth-Type := LDAP
           Reply-Message = "Auth by LDAP"
  
   in my users file. Other attributes stored in an object of objectClass
   radiusprofile should be added automatically to the Reply attributes.
 
  I don't actually want to add radiusprofile attributes to my LDAP.  The
  users already have an attribute which identifies their department.  I
  want to be able to say if department attribute = X then allocate VLAN
  Y.  Can this be done without specifically setting the vlan etc as
  radiusprofile attributes.  Also I am not using ldap for the
  authentication, just authorization.  The authentication is done using
  ntlm_auth.
 
  Then you would have to re-map some LDAP-attribute of your objectClass to
  Tunnel-Private-Group-ID. The Tunnel-Type=VLAN and
  Tunnel-Medium-Type=IEEE-802 could be set in the DEFAULT section of the
  users file.
 
  Please see the ldap.attrmap in your raddb dir for the mapping of
  attributes.

 Am I correct in saying that the LDAP-attribute that is mapped to
 Tunnel-Private-Group-ID would need to be set to the value of the
 VLAN I require?  The LDAP-attribute that I wish to use currently
 contains values like ITISCP and ENISCP.  I want to say if
 attribute value  == ITISCP set vlan to 226 (ie Tunnel-Private-Group-ID
 = 226).  Using ldap.attrmap mappings I would need to store the
 required vlan in a LDAP attribute.  (I can't change the LDAP only read
 it).

 Cheers

  Greetings,
 

See also:
http://www.linux-magazine.com/issue/52/Freeradius_802.1X.pdf

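
One way to do the value-to-VLAN mapping Paul asks for without writing anything to LDAP, as an added example that is not from this thread or from the FreeRADIUS project: it uses the unlang syntax of FreeRADIUS 2.x rather than the 1.1.3 users-file style discussed above, and the base DN, the `department` attribute name, the `uid` filter attribute and the 227 value for ENISCP are assumptions.

```text
# Fragment for the authorize section of raddb/sites-enabled/default
# (FreeRADIUS 2.x unlang). Added example; place it after the existing
# eap / mschap / ldap module calls. Authentication stays with ntlm_auth;
# LDAP is only read, so no radiusprofile objectClass is needed.

# Look up the department value for this user with the ldap xlat.
# Base DN, attribute and filter are assumptions. rlm_ldap escapes the
# expanded %{User-Name} for LDAP filter syntax before sending it.
switch "%{ldap:ldap:///ou=people,dc=example,dc=com?department?sub?(uid=%{User-Name})}" {

    # Department value -> VLAN, exactly as in the question: ITISCP -> 226.
    case "ITISCP" {
        update reply {
            Tunnel-Type := VLAN
            Tunnel-Medium-Type := IEEE-802
            Tunnel-Private-Group-ID := 226
        }
    }

    # ENISCP -> 227 is an assumed value for the second department.
    case "ENISCP" {
        update reply {
            Tunnel-Type := VLAN
            Tunnel-Medium-Type := IEEE-802
            Tunnel-Private-Group-ID := 227
        }
    }

    # Anything else (empty lookup result, unknown department): send no
    # Tunnel-* attributes at all, so the switch leaves the port on its
    # configured default VLAN instead of the server guessing one.
    case {
        update reply {
            Reply-Message := "No VLAN mapping for department"
        }
    }
}
```

With EAP (802.1x) the lookup belongs in the inner-tunnel virtual server, and the Tunnel-* attributes only reach the switch if use_tunneled_reply is enabled in eap.conf, which is the point Alan DeKok makes in the later thread on this page.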


Dynamic Vlan Allocation based on LDAP Attribute Value

2009-02-12 Thread Paul Dealy
I have a working radius server (ver 1.1.3), which I am using for
802.1x authentication of wired switch ports.  I would like to
dynamically assign users vlans.  I have cisco gear and have achieved
basic vlan allocation by configuring a Default entry in the users
file.   So the vlan allocation part works ok.

What I want to be able to do is allocate the vlan by matching the
value of an LDAP attribute.  Not by group membership, but the actual
value of a users attribute.  Is this possible?

Cheers,
Dealy


Re: Dynamic Vlan Allocation based on LDAP Attribute Value

2009-02-12 Thread Michael Schwartzkopff
On Friday, 13 February 2009 07:17:17, Paul Dealy wrote:
 I have a working radius server (ver 1.1.3), which I am using for
 802.1x authentication of wired switch ports.  I would like to
 dynamically assign users vlans.  I have cisco gear and have achieved
 basic vlan allocation by configuring a Default entry in the users
 file.   So the vlan allocation part works ok.

 What I want to be able to do is allocate the vlan by matching the
 value of an LDAP attribute.  Not by group membership, but the actual
 value of a users attribute.  Is this possible?

 Cheers,
 Dealy

Yes. Just assign these attributes to the user object in LDAP.




problem returning a mapped LDAP attribute in EAP auths.

2008-08-08 Thread Roberto S. G.

Hi,
I'm migrating to FR2.0.5. After setting the new conf style, everything 
runs smoothly and OK... but now I have a strange behavior: I have an 
attribute mapped in ldap.attrs file (as in FR1.1) but it's returned in 
the Access packet only in clear auths; with EAP auths, it is mapped 
(as -X shows), but it is not returned...
Both sites-enabled/* files have the same conf: ldap uncommented in 
author. and authent. sections.
Do I have to activate something more? Does the virtual_server 
configuration change returned attrs in some way? (different default 
modules activated)?


Thanx for any suggestion.


Re: problem returning a mapped LDAP attribute in EAP auths.

2008-08-08 Thread Alan DeKok
Roberto S. G. wrote:
 Hi,
 I'm migrating to FR2.0.5. After setting the new conf style, everything
 runs smooth and ok... but now I have a strange behavior: I have an
 attribute mapped in ldap.attrs file (as in FR1.1) but it's returned in
 the Access packet only in clear auths; with EAP auths, it is mapped
 (as -X shows), but it is not returned...
 Both sites-enabled/* files have the same conf: ldap uncommented in
 author. and authent. sections.

  Did you set use_tunneled_reply in eap.conf?  This is also in 1.1.x.

  Alan DeKok.


Ldap attribute config stuff

2008-05-02 Thread Pat Riehecky
Ok, to begin I am not a radius guru.  In fact, the word novice applies
very strongly here.

That being said, on to my inquiry.  I have two radius systems on site.
One of them is for our wireless system and the other for our old,
trying-to-die dialup.  The wireless system is set up to authenticate to our LDAP
repository and make sure that users have a particular attribute before
letting them on.  Our dial up system is a big mess of flat files on a
version of the software I won't admit to.

I would very much like to get the radius server doing the wireless work
to also do our dial up work.  To do this I have loaded some attributes
into our LDAP server for it to query, but then I run into a bit of a
problem.

How do I configure a required attribute of Wireless=yes for one set of
clients and an attribute of DialUP=yes for the other?  Can this be
done?  Did I miss the doc on this?

Solaris 9 SPARC, FreeRadius 1.1.6

Any help I can get on this would be very appreciated.
Pat


