unlang to overcome cisco zero tag issue and for dynamic vlan assignment

Phil Mayers p.mayers at imperial.ac.uk
Thu Apr 10 11:36:20 CEST 2008


bluelip at gmail.com wrote:
> We'd like to set up the following:
> 
> A workstation is booted, the supplicant asks for the credentials, the cisco switch
> passes the credentials to a freeradius server, freeradius authenticates the user to an
> edirectory ldap server, freeradius decides which Tunnel-Private-Group-Id to send back
> to the switch to place the user into the correct VLAN.
> 
> The authentication/authorization works fine. The cisco switch accepts the returned
> VLAN info if we hard code it into the users file such as with:
> 
> DEFAULT
> Tunnel-Private-Group-ID:1 := 901
> Tunnel-Type:1 = VLAN,
> Tunnel-Medium-Type:1 = IEEE-802
> 
> We attempted to make the configuration more generic by setting Tunnel-Private-Group-ID
> equal to an LDAP attribute in ldap.attrmap. This would automatically associate the
> VLAN ID w/ the user.
> 
> replyItem       Tunnel-Private-Group-ID         ourldapattribforthevlan
> 
> That didn't work because freeradius wasn't associating a tag with the attribute (or was
> setting it to zero) when responding to the switch. A wireshark capture confirmed the
> 0 tag. We attempted to add a :1 after Tunnel-Private-Group-ID, but that didn't pan out
> either.
> 
> We then attempted to use unlang in the users file to accomplish the same thing.
> (Tunnel-Client-Endpoint was added to ldap.attrmap as a dummy variable to hold the
> 'ourldapattribforthevlan' from LDAP)

unlang doesn't live in the users file; it lives in the config file, like so:

server {
   authorize {
     preprocess
     ldap
     update reply {
       Tunnel-Private-Group-Id:1 := "%{reply:Tunnel-Client-Endpoint}"
     }
   }
}

> 
> 
> DEFAULT
>     Tunnel-Private-Group-ID:1 := `%{reply:Tunnel-Client-Endpoint}`,
>     Tunnel-Type:1 = VLAN,
>     Tunnel-Medium-Type:1 = IEEE-802

This isn't "unlang" - it's just a plain "files" module entry.

> 
> With this configuration, we tried countless combinations of backticks, single quotes,
> and double quotes. The best response we could send back to the switch was:
>         Tunnel-Type:1 = VLAN
>         Tunnel-Medium-Type:1 = IEEE-802
>         Tunnel-Private-Group-Id:1 = ""

It looks to me like the "files" module was running before the "ldap" module.

> 
> Has anyone else come across the issue with Cisco not dealing w/ 0 tags? Is there a way
> to use unlang to pull in the variables to be used in the users file?

I have not. RFC2868 seems pretty clear that a "0" tag is permitted. I've 
used vlan assignment with a cisco (formerly Airespace) WISM and it will 
take a "0" tag.

What platform & IOS version are you on?

As I say, unlang doesn't run in the users file - think of it as 
conditional branching and so forth for the config file.

> 
> Thank you for taking the time to read this. After a couple of days of searching, we
> still haven't come up w/ the correct search terms for google.
> 
> Thank you,
> Mike Coles
> 
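A fuller form of the authorize section Phil sketches, added here as an example and not part of the thread. It assumes FreeRADIUS 2.x unlang syntax, that the ldap module's attrmap fills reply:Tunnel-Client-Endpoint the way Mike described, and that the users-file DEFAULT entry no longer sets the tunnel attributes itself.

```unlang
# Added example (not from the thread). Assumed: FreeRADIUS 2.x,
# sites-enabled/default, and ldap.attrmap mapping the directory's
# VLAN attribute onto reply:Tunnel-Client-Endpoint as a scratch value.
authorize {
    preprocess

    # ldap must run before anything that reads %{reply:...}. The empty
    # Tunnel-Private-Group-Id:1 = "" seen in the thread is what you get
    # when "files" (or this update) runs before ldap has filled the reply.
    ldap

    if ("%{reply:Tunnel-Client-Endpoint}" != "") {
        update reply {
            # All three attributes carry tag 1 so the switch groups them
            # as one tunnel description, never the untagged (0) form.
            Tunnel-Type:1 := VLAN
            Tunnel-Medium-Type:1 := IEEE-802
            Tunnel-Private-Group-Id:1 := "%{reply:Tunnel-Client-Endpoint}"
            # Remove the scratch attribute so it is not sent to the switch.
            Tunnel-Client-Endpoint !* ANY
        }
    }
    else {
        # No VLAN recorded for this user in the directory: refuse rather
        # than let the switch place the port in its default/native VLAN.
        reject
    }
}
```

Check the result with `radiusd -X` on a test login: the debug output should show ldap populating the reply before the update block runs, and the Access-Accept should list all three Tunnel-* attributes with `:1`.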
