assigning vlan based on LDAP attribute

Matt Ashfield mda at unb.ca
Wed Sep 27 18:57:08 CEST 2006


My ldap section from radiusd.conf looks like:
ldap {
                server = "ldapserver.net.org"
                identity = "uid=name,dc=net,dc=org"
                password = password
                basedn = "ou=stuff,dc=net,dc=org"
                filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
                start_tls = no
                dictionary_mapping = ${raddbdir}/ldap.attrmap
                ldap_connections_number = 5
                password_attribute = userPassword
                groupmembership_attribute = eduPersonPrimaryAffiliation
                timeout = 4
                timelimit = 3
                net_timeout = 1
        }

My users file contains the following at the end:
DEFAULT Huntgroup-Name == myAP, Ldap-Group == staff
       User-Name=`%{User-Name}`,
       Tunnel-Medium-Type=IEEE-802,
       Tunnel-Private-Group-Id=2,
       Tunnel-Type=VLAN,
       Fall-Through = no

My huntgroups file has:
myAP            NAS-IP-Address == x.x.x.141

In my Debug I noticed that although I have them commented out of
radiusd.conf, I still see:
Debug:  ldap: groupname_attribute = "cn"
Debug:  ldap: groupmembership_filter =
"(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"

You asked:
* is your AP accepting Tunnel-Private-Group-Id=2 (I've got AP which uses
other format).
How do I check that?

Thanks

Matt


-----Original Message-----
From: Thibault Le Meur [mailto:Thibault.LeMeur at supelec.fr] 
Sent: September 27, 2006 1:36 PM
To: mda at unb.ca
Cc: 'FreeRadius users mailing list'
Subject: RE : assigning vlan based on LDAP attribute


 
> I'm a bit confused on this one.
> 
> I want my users vlan'd based on their affiliation (ie, staff, 
> student) In my radiusd.conf file, under ldap, I've put:
> 
> groupmembership_attribute = eduPersonPrimaryAffiliation

That's a good start, but sending the whole ldap configuration section would
help.

> Do I need to do more in my radiusd.conf file than that?

I think you should check that you do not have groupname_attribute and
groupmembership_filter set.

> I assume this means assign them to a group based on the value 
> stored in the LDAP field eduPersonPrimaryAffiliation
> 
> I then added to my users file:
> DEFAULT Huntgroup-Name == myAP, Ldap-Group == staff
>        User-Name=`%{User-Name}`,
>        Tunnel-Medium-Type=IEEE-802,
>        Tunnel-Private-Group-Id=2,
>        Tunnel-Type=VLAN,
>        Fall-Through = no

There are several things to check here:
* is the NAS-IP-ADDRESS of the AccessPoint defined in the huntgroup "myAP"
in your huntgroups file ?
* is your AP accepting Tunnel-Private-Group-Id=2 (I've got AP which uses
other format).

The best way to check this is to stop your radius server and run it manually
with "radiusd -X".

Then send the debug log to the list (take care passwords are written
cleartext). 

> But this doesn't seem to work. My staff users do not get 
> assigned to vlan 2. Do I need to make a huntgroup for myAP? 

Of course... Unless you remove the "Huntgroup-Name == myAP," check item

HTH,
Thibault
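As an added example, not code from the thread or from the FreeRADIUS project: a small Python helper for the two things Thibault's reply asks for, redacting password attributes from a `radiusd -X` log before it is sent to the list, and checking that the Access-Accept carries the three VLAN tunnel attributes the users entry is supposed to return. The sample log is constructed, and its layout is assumed to follow FreeRADIUS 1.x debug output.

```python
import re

# Constructed sample of "radiusd -X" output (not taken from the thread); the
# line layout is an assumption modelled on FreeRADIUS 1.x debug output.
SAMPLE_DEBUG = """\
rad_recv: Access-Request packet from host x.x.x.141:1024, id=7, length=72
        User-Name = "jdoe"
        User-Password = "hunter2"
        NAS-IP-Address = x.x.x.141
    users: Matched entry DEFAULT at line 93
Sending Access-Accept of id 7 to x.x.x.141 port 1024
        Tunnel-Type:0 = VLAN
        Tunnel-Medium-Type:0 = IEEE-802
        Tunnel-Private-Group-Id:0 = "2"
"""

# Attributes whose values must never reach a public mailing list.
SECRET_ATTRS = ("User-Password", "Cleartext-Password", "Crypt-Password",
                "NT-Password", "LM-Password")
# The reply attributes an AP needs to put the session in a VLAN.
VLAN_ATTRS = ("Tunnel-Type", "Tunnel-Medium-Type", "Tunnel-Private-Group-Id")

def redact(debug_text):
    """Blank out the value of every password attribute line, keep the rest."""
    names = "|".join(re.escape(a) for a in SECRET_ATTRS)
    pat = re.compile(r'^([ \t]*(?:%s)(?::\d+)?[ \t]*=[ \t]*).*$' % names, re.M)
    return pat.sub(r'\1<redacted>', debug_text)

def accept_attrs(debug_text):
    """Return {attribute: value} for the last Access-Accept (tags stripped)."""
    attrs, in_accept = {}, False
    for line in debug_text.splitlines():
        if line.startswith("Sending Access-Accept"):
            attrs, in_accept = {}, True      # a new reply block starts here
            continue
        if in_accept:
            m = re.match(r'\s+([\w-]+)(?::\d+)?\s*=\s*"?([^"]*)"?\s*$', line)
            if not m:                        # first non-attribute line ends it
                in_accept = False
                continue
            attrs[m.group(1)] = m.group(2)
    return attrs

def missing_vlan_attrs(debug_text):
    """List the VLAN reply attributes the Access-Accept does not contain."""
    found = accept_attrs(debug_text)
    return [a for a in VLAN_ATTRS if a not in found]
```

An empty list from `missing_vlan_attrs` means the server side is doing its part; if the client still lands in the wrong VLAN, the remaining question is how the AP itself interprets those attributes.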