ldap filter depending on NAS

Matthieu Lazaro matthieu.lazaro at eservglobal.com
Thu Apr 23 11:33:38 CEST 2009


Alan DeKok wrote:
> Matthieu Lazaro wrote:
>> OK, so tell me where to implement complex policies?
>
>   I've been trying.
>
>   You need to write down what you have (in RADIUS packets, LDAP, etc.).
>  You need to write down what you want (contents of reply packets,
> behaviors, etc.).  You then need to write down a process for converting
> one into the other.
>
>   This is programming.  It is practically and theoretically impossible
> to describe how to write any program.  You MUST figure it out for yourself.
>
>> And when you say "that cannot be implemented with the LDAP module", do
>> you mean that all those fields added by RADIUS-LDAPv3.schema are useless?
>
>   Ah, yes.  You didn't get *exactly* what you wanted, so you're looking
> for ways to fight back, and claim that the software is crappy.
>
>> And finally, can you say that when a dumb user plugs in the wrong VLAN,
>> like an admin VLAN, I cannot deny him or put him automatically in the
>> right VLAN with radius?
>
>   I didn't say that, and no amount of distortion of my messages could
> lead you to believe I said that.
>
>   You seemed to have turned my response of "assign users into a vlan",
> into "you cannot assign users into a vlan".  While ingenious, it is
> distinctly unproductive.
>
>   As a simple hint: Why the HELL do you care which VLAN the user is
> requesting?  Just assign them to the right VLAN.  If the switch doesn't
> enforce that VLAN assignment, then BLAME THE SWITCH.  Don't blame
> FreeRADIUS, like most people do in this situation.
>
>   Again, you are going out of your way to create complexity where none
> is necessary.  This causes you to be confused about how the server
> works.  It causes you to try to configure impossible things.  It causes
> you to be rude on the list when we tell you "don't do it that way."
>
>   Alan DeKok.
Sorry if you thought I was being rude, this was not my intention.
I think we didn't understand each other, and this is probably because my
questions are not clear enough, because I have such a precise idea of what
I want radius to do.
I should have explained the problem the other way round, maybe.
Furthermore, I never thought that it was "crappy" software; I actually
think it's amazing what we can do with it, and it seems like it is
unlimited.
But it is very complex, and there are a lot of different actors in the
process that must be taken into account (like the supplicant, the NAS,
the backends (ldap, sql, etc.)).

I'll try to ask my questions more precisely:
 * what are the radius ldap attributes meant for? Is it only for accounting,
or can we use them for something else?
 * I have understood that it is better to put the user directly in the
correct VLAN rather than checking his request and denying him: do I have to
do something special in Radius to forward LDAP attribute info to the
switch?
( I am reading the switch's documentation again to figure out how to parse
the attributes instead of using static VLANs)
Best regards,

Matt
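As an added illustration of the mechanism the second question is about (this is editorial example material, not a reply from the list and not FreeRADIUS's own shipped configuration): a switch that does dynamic VLAN assignment expects the three tunnel attributes from RFC 3580 (Tunnel-Type, Tunnel-Medium-Type, Tunnel-Private-Group-Id) in the Access-Accept. RADIUS-LDAPv3.schema provides matching LDAP attributes on the radiusprofile object class, and the FreeRADIUS 2.x ldap module's attrmap file copies them into the reply. The mapping lines are assumed to follow the stock attrmap syntax of that era; the DN, VLAN number and the post-auth check are constructed sample values, so verify them against the files shipped with your version and against a `radiusd -X` debug run.

```conf
# --- ldap.attrmap excerpt (assumed FreeRADIUS 2.x syntax) ---
# Each line maps an LDAP attribute from RADIUS-LDAPv3.schema onto a RADIUS
# reply item, so values stored per user in LDAP reach the switch unchanged.
replyItem   Tunnel-Type                 radiusTunnelType
replyItem   Tunnel-Medium-Type          radiusTunnelMediumType
replyItem   Tunnel-Private-Group-Id     radiusTunnelPrivateGroupId

# --- Sample LDAP entry (constructed values), shown in LDIF form ---
# dn: uid=matt,ou=people,dc=example,dc=com
# objectClass: radiusprofile
# radiusTunnelType: VLAN
# radiusTunnelMediumType: IEEE-802
# radiusTunnelPrivateGroupId: 20

# --- radiusd.conf / sites-enabled/default post-auth excerpt (constructed) ---
# Defensive check: if the LDAP entry carried no VLAN, reject instead of
# letting the switch fall back to whatever VLAN the port was configured with.
post-auth {
    if (!reply:Tunnel-Private-Group-Id) {
        reject
    }
}
```

With this in place the server does not need to inspect which VLAN the supplicant was plugged into: the reply always names the VLAN the user belongs in, and enforcing that assignment is the switch's job. The post-auth guard only makes the failure mode explicit, so an incomplete LDAP entry shows up as a rejected login in the logs rather than as a silently mis-placed port.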