using different LDAP queries to authorize for different services

Alan DeKok aland at deployingradius.com
Thu Apr 3 21:01:01 CEST 2008


Sylvain Robitaille wrote:
> On the one hand, "OH!!!"  I think I'm starting to understand, but on the
> other hand, I appear to still not be doing it quite right.  I put into
> the "authorize" section of sites-available/default:
...
> However, then the request carries on to the inner-tunnel of the TTLS
> transaction (whether or not the outer authorization succeeded or returned
> not found;  is it possible to equate "notfound" to "fail" or "reject"?).

  Yes.

	if (notfound) {
		fail
	}

> If I configure sites-available/inner-tunnel's authorization section as
> above, when it gets to that point, debug output says:
> 
>    ++? if (NAS-Port-Type == Wireless-802.11)
>        (Attribute NAS-Port-Type was not found)

  Set copy_request_to_tunnel in eap.conf.  Or, do:

	if (outer.NAS-Port-Type == Wireless-802.11) {
		...
	}

  Again, "man unlang" explains "outer.*".

> In other words, despite having found the user in the ldap_wireless
> search in sites-available/default, the inner-tunnel seems to not receive
> sufficient information about the request to decide to use the
> ldap_wireless module, leaving the RADIUS server with no way to
> authenticate the user.  This is despite ldap_wireless in
> sites-available/default having produced:

  If you're using TTLS, you *don't* want to do username/password lookups
in ldap for sites-enabled/default.  That's what the "inner-tunnel"
server is for.  Do the LDAP calls there.

> And also despite the debug output of the request arriving at inner-tunnel
> *appearing* to contain items sufficient for me to select on:

  No... that looks like the *outer* tunnel data.  Inner tunnel requests
do *not* have a Message-Authenticator attribute.

> If I put in inner-tunnel:
...
> Then 

  Stop.  You are trying too many options, and too many different
configurations.  It's not worth it.

  Keep the outer and inner tunnel configurations separate.  That's why
they are in different virtual servers... because they are separate.

  In the inner tunnel server, use "outer.Attribute-Name" to access
attributes *outside* of the tunnel.

  Honestly, it's not that difficult.  Find *something* in the outer
request that is there only for wireless requests.  Key off of that in
the *inner* tunnel to select the users from the correct LDAP instance.

	if (outer.NAS-Port-Type == foo) {
		ldap_foo
	}
	elsif (outer.NAS-Port-Type == bar) {
		ldap_bar
	}

  Alan DeKok.
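As an added example (not from this thread and not part of the FreeRADIUS distribution), here is what the pieces Alan describes look like when put together: two rlm_ldap instances, the ttls subsection of eap.conf with copy_request_to_tunnel, and an inner-tunnel authorize section that keys off the outer NAS-Port-Type and turns "notfound" into a rejection. The attribute reference uses the explicit "outer.request:" list form from "man unlang", and it uses "reject" rather than "fail" so an unknown user is refused outright instead of being reported as a module failure. Hostnames, base DNs, bind credentials and the assumption that the directory returns a password attribute pap can check are placeholders and assumptions of this example.

```unlang
# --- modules/ldap: two rlm_ldap instances, one per directory.
#     Hostnames, DNs and credentials are placeholders (assumed values).
ldap ldap_wireless {
	server   = "ldap-wireless.example.com"
	identity = "cn=radius,dc=example,dc=com"
	password = "changeme"
	basedn   = "ou=wireless,dc=example,dc=com"
	filter   = "(uid=%{Stripped-User-Name:-%{User-Name}})"
}

ldap ldap_wired {
	server   = "ldap-wired.example.com"
	identity = "cn=radius,dc=example,dc=com"
	password = "changeme"
	basedn   = "ou=wired,dc=example,dc=com"
	filter   = "(uid=%{Stripped-User-Name:-%{User-Name}})"
}

# --- eap.conf, inside the eap { } block: only the ttls subsection is shown.
#     copy_request_to_tunnel makes the outer request's attributes (NAS-Port-Type
#     etc.) visible in the inner request, as an alternative to "outer.request:".
ttls {
	default_eap_type       = md5
	copy_request_to_tunnel = yes
	use_tunneled_reply     = yes
	virtual_server         = "inner-tunnel"
}

# --- sites-available/inner-tunnel: pick the directory from the OUTER request,
#     then refuse users the selected directory does not know.
server inner-tunnel {
	authorize {
		mschap
		eap

		# The inner request carries no NAS-Port-Type of its own, so key
		# off the one in the outer request.  Anything that is present
		# only for wireless requests would do.
		if (outer.request:NAS-Port-Type == Wireless-802.11) {
			ldap_wireless
		}
		else {
			ldap_wired
		}

		# The block above returns the code of whichever ldap instance ran.
		# "notfound" means the user is not in that directory: reject here
		# rather than let the request fall through with no Auth-Type.
		if (notfound) {
			reject
		}

		# Assumes the directory returns a password attribute (for example
		# userPassword) that rlm_ldap maps into something pap can verify.
		pap
	}

	authenticate {
		Auth-Type PAP {
			pap
		}
		Auth-Type MS-CHAP {
			mschap
		}
		eap
	}
}
```

With copy_request_to_tunnel = yes the same selection could be written against NAS-Port-Type directly inside the inner tunnel; the "outer.request:" form works whether or not that option is set, which is why it is used here.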



More information about the Freeradius-Users mailing list