LDAP->RADIUS Attribute Mapping

Owen DeLong owen at delong.com
Fri Dec 8 17:03:42 CET 2006


I have an environment where I am already using LDAP for AAA for a number of things.

We have historically used the AuthorizedService attribute in LDAP to control the level of access available to the user. We would like to continue to do so. However, in order for that to work, I need to map AuthorizedService to different RADIUS attributes in the response depending on the authentication client.

Ideally, I'd like to be able to map RADIUS clients into "groups" and have a mapping of AuthorizedService values for each group. The client groups would, ideally, be defined by matching the client IP address. An example of what I'd like that mapping to look like is below:

Client Group    AuthorizedService   RADIUS Attribute in Reply
============    =================   ================================
PIX Group 1     Pix1Auth1           cisco-avpair="shell:priv-lvl=1"
PIX Group 1     Pix1Auth7           cisco-avpair="shell:priv-lvl=7"
PIX Group 1     Pix1Auth15          cisco-avpair="shell:priv-lvl=15"
PIX Group 2     Pix2auth1           cisco-avpair="shell:priv-lvl=1"
...
Router Grp 1    Rtr1Auth1           cisco-avpair="shell:priv-lvl=1"
...
LB Group 1      LBAdmin             Service-Type="Authenticate-Only"
...
etc.

Is there any way to do this kind of dynamic mapping in FreeRadius? As near as I can tell, all I can do is statically map the contents of a particular LDAP attribute to a single RADIUS attribute. I'd also like to avoid mapping values of AuthorizedService which don't apply to the particular RADIUS client.

I'm assuming I probably need to use something like rlm_perl to do this, and I have no problem doing that, but I have been unable to decipher the documentation for rlm_perl enough to have any confidence in creating a working solution.

If anyone could provide a configuration example or a pointer to documentation that actually describes the various pieces of solving this problem, I'd be very grateful.

Alan, your flames and RTFM comments are welcome, but please understand, I've done my best to RTFM before posting this.

Owen
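The following is an added example, not part of Owen's post and not code from the FreeRADIUS project: an rlm_perl module that does the client-group mapping the table above describes. It assumes the rlm_perl calling convention of FreeRADIUS' shipped example.pl (the `%RAD_REQUEST` and `%RAD_REPLY` hashes and the numeric `RLM_MODULE_*` return codes), that the server's internal `Client-IP-Address` attribute is present in the request, that `Net::LDAP` is installed, and that users are keyed by `uid`; the CIDR ranges, LDAP host, base and bind credentials are constructed placeholders. The group is chosen from the address the server actually received the packet from, which is tied to the client's shared secret, rather than from the client-supplied `NAS-IP-Address`, and AuthorizedService values that the matched group does not define are dropped rather than mapped, which is the filtering the post asks for.

```perl
# Added example, not from Owen's post nor from the FreeRADIUS distribution: an
# rlm_perl module mapping a user's LDAP AuthorizedService values to reply
# attributes chosen by the group of the RADIUS client that sent the request.
# Assumed, not established by the post: the rlm_perl interface of FreeRADIUS'
# example.pl (%RAD_REQUEST/%RAD_REPLY, RLM_MODULE_* codes), the server-internal
# Client-IP-Address attribute, Net::LDAP, and the placeholder LDAP details below.
use strict;
use warnings;
use Socket qw(inet_aton);
use Net::LDAP;
use Net::LDAP::Util qw(escape_filter_value);
use vars qw(%RAD_REQUEST %RAD_REPLY);
use constant { RLM_MODULE_NOOP => 7, RLM_MODULE_UPDATED => 8 };

# Client groups, tried in order, matched by CIDR against the source address the
# server received the request from (constructed ranges).
my @CLIENT_GROUPS = (
    { name => 'PIX Group 1',  cidr => '10.1.1.0/24' },
    { name => 'PIX Group 2',  cidr => '10.1.2.0/24' },
    { name => 'Router Grp 1', cidr => '10.2.0.0/16' },
    { name => 'LB Group 1',   cidr => '10.3.0.0/24' },
);

# Per-group table from the post: AuthorizedService -> [attribute, value].
# FreeRADIUS attribute names are case-insensitive; Cisco-AVPair is the
# dictionary spelling of the post's cisco-avpair.
my %SERVICE_MAP = (
    'PIX Group 1'  => { Pix1Auth1  => [ 'Cisco-AVPair', 'shell:priv-lvl=1'  ],
                        Pix1Auth7  => [ 'Cisco-AVPair', 'shell:priv-lvl=7'  ],
                        Pix1Auth15 => [ 'Cisco-AVPair', 'shell:priv-lvl=15' ] },
    'PIX Group 2'  => { Pix2auth1  => [ 'Cisco-AVPair', 'shell:priv-lvl=1'  ] },
    'Router Grp 1' => { Rtr1Auth1  => [ 'Cisco-AVPair', 'shell:priv-lvl=1'  ] },
    'LB Group 1'   => { LBAdmin    => [ 'Service-Type', 'Authenticate-Only' ] },
);

my %LDAP = (host => 'ldap.example.com', base => 'ou=People,dc=example,dc=com',
            bind_dn => 'cn=radius,dc=example,dc=com', bind_pw => 'CHANGE-ME');  # placeholders

# True when dotted-quad $ip lies inside $cidr ("a.b.c.d/n").
sub ip_in_cidr {
    my ($ip, $cidr) = @_;
    my ($net, $bits) = split m{/}, $cidr;
    $bits = 32 unless defined $bits;
    my ($ip_a, $net_a) = (inet_aton($ip), inet_aton($net));
    return 0 unless defined $ip_a && defined $net_a;
    my $mask = $bits == 0 ? 0 : (0xFFFFFFFF << (32 - $bits)) & 0xFFFFFFFF;
    return ((unpack('N', $ip_a) & $mask) == (unpack('N', $net_a) & $mask)) ? 1 : 0;
}

# The mapping step alone: [attribute, value] pairs for this client's group and
# this user's AuthorizedService values. Values the group does not define, and
# clients in no group, yield nothing, so a PIX never gets the LB Service-Type.
sub map_services {
    my ($client_ip, @services) = @_;
    my ($group) = grep { ip_in_cidr($client_ip, $_->{cidr}) } @CLIENT_GROUPS;
    my $map = $group ? $SERVICE_MAP{ $group->{name} } || {} : {};
    return map { $map->{$_} } grep { exists $map->{$_} } @services;
}

# AuthorizedService values of $user from LDAP; empty list on any failure.
# escape_filter_value keeps a crafted User-Name from rewriting the filter.
sub fetch_authorized_services {
    my ($user) = @_;
    my $ldap = Net::LDAP->new($LDAP{host}) or return ();
    return () if $ldap->bind($LDAP{bind_dn}, password => $LDAP{bind_pw})->code;
    my $mesg = $ldap->search(base => $LDAP{base}, attrs => ['AuthorizedService'],
                             filter => '(uid=' . escape_filter_value($user) . ')');
    my @services = (!$mesg->code && $mesg->count == 1)
                 ? $mesg->entry(0)->get_value('AuthorizedService') : ();
    $ldap->unbind;
    return @services;
}

# Entry point rlm_perl calls from the authorize section.
sub authorize {
    my ($user, $client_ip) = @RAD_REQUEST{'User-Name', 'Client-IP-Address'};
    return RLM_MODULE_NOOP unless defined $user && defined $client_ip;
    my @pairs = map_services($client_ip, fetch_authorized_services($user));
    return RLM_MODULE_NOOP unless @pairs;
    for my $p (@pairs) {
        my ($attr, $value) = @$p;
        # rlm_perl carries a multi-valued reply attribute as an array reference.
        my @old = !exists $RAD_REPLY{$attr} ? ()
                : ref $RAD_REPLY{$attr} ? @{ $RAD_REPLY{$attr} } : ($RAD_REPLY{$attr});
        $RAD_REPLY{$attr} = @old ? [ @old, $value ] : $value;
    }
    return RLM_MODULE_UPDATED;
}

# Offline check of the mapping step (perl ldap_map.pl --selftest); @ARGV is
# empty when radiusd loads this file, so the block never runs inside the server.
if (@ARGV && $ARGV[0] eq '--selftest') {
    my @got = map_services('10.1.1.5', qw(Pix1Auth15 Pix2auth1 LBAdmin));
    die "wrong mapping\n" unless @got == 1 && "@{$got[0]}" eq 'Cisco-AVPair shell:priv-lvl=15';
    die "unknown client mapped\n" if map_services('192.0.2.1', 'Pix1Auth1');
    print "selftest ok\n";
}
```

To load it, point the `module` directive of the `perl` module stanza at the file and list `perl` in the `authorize` section. The self-test exercises only the pure mapping step: a client in PIX Group 1 whose user carries Pix1Auth15, Pix2auth1 and LBAdmin gets exactly one `Cisco-AVPair`, and a client in no group gets nothing. When no value applies the module returns noop and leaves the accept/reject decision to the rest of the policy; a deployment that wants "no applicable service means no access" would return the reject code there instead.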



