Dynamic Vlan Allocation based on LDAP Attribute Value

Michael Schwartzkopff misch at multinet.de
Fri Feb 13 13:47:27 CET 2009


On Friday, 13 February 2009 13:39:49, Paul Dealy wrote:
> On Fri, Feb 13, 2009 at 11:22 PM, Michael Schwartzkopff
>
> <misch at multinet.de> wrote:
> > On Friday, 13 February 2009 12:36:09, Paul Dealy wrote:
> >> On Fri, Feb 13, 2009 at 10:16 PM, Michael Schwartzkopff
> >>
> >> <misch at multinet.de> wrote:
> >> > On Friday, 13 February 2009 11:54:29, Paul Dealy wrote:
> >> >> On Fri, Feb 13, 2009 at 9:12 PM, Michael Schwartzkopff
> >> >>
> >> >> <misch at multinet.de> wrote:
> >> >> > On Friday, 13 February 2009 11:00:10, Paul Dealy wrote:
> >> >> >> On Fri, Feb 13, 2009 at 6:37 PM, Michael Schwartzkopff
> >> >> >>
> >> >> >> <misch at multinet.de> wrote:
> >> >> >> > On Friday, 13 February 2009 07:17:17, Paul Dealy wrote:
> >> >> >> >> I have a working radius server (ver 1.1.3), which I am using
> >> >> >> >> for 802.1x authentication of wired switch ports.  I would like
> >> >> >> >> to dynamically assign users vlans.  I have cisco gear and have
> >> >> >> >> achieved basic vlan allocation by configuring a Default entry
> >> >> >> >> in the users file.  So the vlan allocation part works ok.
> >> >> >> >>
> >> >> >> >> What I want to be able to do is allocate the vlan by matching
> >> >> >> >> the value of an LDAP attribute.  Not by group membership, but
> >> >> >> >> the actual value of a users attribute.  Is this possible?
> >> >> >> >>
> >> >> >> >> Cheers,
> >> >> >> >> Dealy
> >> >> >> >
> >> >> >> > Yes. Just assign these attributes to the user object in LDAP.
> >> >> >>
> >> >> >> I have a value set for an attribute in LDAP, how do I "extract"
> >> >> >> the value from the attribute  and do a comparison on it in the
> >> >> >> users file so I can set the VLAN?
> >> >> >
> >> >> > Hi,
> >> >> >
> >> >> > I don't remember exactly what I did on version 1. Please see:
> >> >> > http://vuksan.com/linux/dot1x/802-1x-LDAP.html
> >> >> > for some hints.
> >> >> >
> >> >> > I had something like
> >> >> >
> >> >> > DEFAULT Auth-Type .= LDAP
> >> >> >        Reply-Message = "Auth by LADP"
> >> >> >
> >> >> > in my users file. Other attributes stored in an object of
> >> >> > objectClass radiusprofile should be added automatically to the
> >> >> > Reply attributes.
> >> >>
> >> >> I don't actually want to add radiusprofile attributes to my LDAP.
> >> >> The users already have an attribute which identifies their
> >> >> department.  I want to be able to say if "department attribute = X
> >> >> then allocate VLAN Y".  Can this be done without specifically setting
> >> >> the vlan etc as radiusprofile attributes?  Also I am not using ldap
> >> >> for the authentication, just authorization.  The authentication is
> >> >> done using ntlm_auth.
> >> >
> >> > Then you would have to re-map some LDAP attribute of your objectClass
> >> > to Tunnel-Private-Group-ID. The Tunnel-Type=VLAN and
> >> > Tunnel-Medium-Type=IEEE-802 could be set in the DEFAULT section of the
> >> > users file.
> >> >
> >> > Please see the ldap.attrmap in your raddb dir for the mapping of
> >> > attributes.
> >>
> >> Am I correct in saying that the LDAP attribute that is mapped to
> >> Tunnel-Private-Group-ID would need to be set to the value of the
> >> VLAN I require?  The LDAP attribute that I wish to use currently
> >> contains values like "ITISCP" and "ENISCP".  I want to say if
> >> attribute value == ITISCP set vlan to 226 (ie Tunnel-Private-Group-ID
> >> = 226).  Using ldap.attrmap mappings I would need to store the
> >> required vlan in an LDAP attribute.  (I can't change the LDAP, only read
> >> it).
> >
> > Even more complicated. Sorry, I did not read your previous mail
> > completely.
> >
> > Sending the department attribute (i.e. "ITISCP") might work if the switch
> > understands it and can map it to the correct VLAN numbers. As far as I
> > know, this can be done with Cisco. On other switches you have to see in
> > the user manual if you can attach names to VLANs.
> >
> > Otherwise you would have to add a new ou=profiles with several
> > cn=<profile> of the objectClass radiusprofile. This radiusprofile would
> > indicate the correct VLAN number.
> >
> > Then you could use the profile_attribute of the ldap module to point to
> > the correct LDAP attribute of the user object that points to the correct
> > attribute.  But you would have to fill that attribute manually with
> > something like:
> > cn=vlan42profile,ou=profiles,ou=radius,dc=sample,dc=org
> >
> > Perhaps it is better to do that automated by scripting, deduced from the
> > department attribute every hour. But when you start scripting that you
> > also could deduce the VLAN number from the department and fill this into
> > an attribute of the user itself and change ldap.attrmap pointing to that
> > attribute.
> >
> > Greetings,
>
> Thanks for your help.  Looks like I need to talk to the ldap admins
> and get them to script populating the radiusprofile attributes.  It's
> a pity, because getting changes made to ldap becomes a big red tape
> exercise within the department.

Not necessary. See my other mail.

-- 
Dr. Michael Schwartzkopff
MultiNET Services GmbH
Address: Bretonischer Ring 7; 85630 Grasbrunn; Germany
Tel: +49 - 89 - 45 69 11 0
Fax: +49 - 89 - 45 69 11 21
mob: +49 - 174 - 343 28 75

mail: misch at multinet.de
web: www.multinet.de

Registered office: 85630 Grasbrunn
Commercial register: Amtsgericht München HRB 114375
Managing directors: Günter Jurgeneit, Hubert Martens

---

PGP Fingerprint: F919 3919 FF12 ED5A 2801 DEA6 AA77 57A4 EDD8 979B
Skype: misch42
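The thread keeps coming back to one step: take the department value read from the user's LDAP object (e.g. "ITISCP"), turn it into a VLAN, and hand the switch the three RFC 2868 tunnel attributes (Tunnel-Type=VLAN, Tunnel-Medium-Type=IEEE-802, Tunnel-Private-Group-ID). The Python below is an added example of that mapping step as the "scripting" route would implement it; it is not code from the thread, from FreeRADIUS or from the poster's setup. Assumptions: the department is stored in the attribute `departmentNumber`, the LDIF entry is constructed, and only ITISCP -> 226 comes from the thread (the ENISCP row is a made-up value). It fails closed on a missing, multi-valued or unknown department rather than guessing a VLAN, and the `by_name` switch covers the Cisco case mentioned above where the switch resolves a VLAN name itself.

```python
"""Map an LDAP department attribute to 802.1X dynamic-VLAN RADIUS reply
attributes.  Added example for this thread, not FreeRADIUS code.

Assumptions (not from the thread): the department is kept in the LDAP
attribute ``departmentNumber``; the LDIF sample and the ENISCP table row
are constructed.  Only ITISCP -> VLAN 226 is stated in the thread.
"""

# Department -> VLAN number.  Keep this table under change control: it is
# the authorisation policy, the directory value is only the lookup key.
DEPARTMENT_VLANS = {
    "ITISCP": 226,   # from the thread
    "ENISCP": 230,   # constructed value
}

# Constructed LDIF entry standing in for the user object read from LDAP.
SAMPLE_LDIF = """\
dn: uid=pdealy,ou=people,dc=example,dc=org
objectClass: inetOrgPerson
uid: pdealy
cn: Paul Dealy
departmentNumber: ITISCP
"""


def parse_ldif_entry(text):
    """Parse one LDIF entry into {attribute-name-lowercased: [values]}.

    Handles multi-valued attributes and LDIF folded lines (a line that
    starts with a single space continues the previous one).  Base64
    values ("::") are out of scope and raise instead of being mis-read.
    Attribute names are lowercased because LDAP treats them
    case-insensitively.
    """
    logical_lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical_lines:
            logical_lines[-1] += raw[1:]
        elif raw.strip():
            logical_lines.append(raw)

    entry = {}
    for line in logical_lines:
        name, _, value = line.partition(":")
        if value.startswith(":"):
            raise ValueError(f"base64 value for {name!r} not supported here")
        entry.setdefault(name.strip().lower(), []).append(value.strip())
    return entry


def vlan_reply_attributes(entry, attr="departmentNumber",
                          table=DEPARTMENT_VLANS, by_name=False):
    """Return the RADIUS reply attributes for the user's VLAN, or None.

    None means "no VLAN decision": the caller should reject the session or
    leave the port in its default VLAN.  This is deliberate for a missing,
    multi-valued or unknown department, so an unexpected directory value
    never becomes a guessed VLAN.  Tunnel-Private-Group-ID is a string in
    RFC 2868; with by_name=True the known department name is passed
    through for switches that map VLAN names themselves (the thread notes
    Cisco can), but still only for names present in the table.
    """
    values = entry.get(attr.lower(), [])
    if len(values) != 1:
        return None
    dept = values[0]
    if dept not in table:
        return None
    group_id = dept if by_name else str(table[dept])
    return {
        "Tunnel-Type": "VLAN",
        "Tunnel-Medium-Type": "IEEE-802",
        "Tunnel-Private-Group-ID": group_id,
    }


if __name__ == "__main__":
    user = parse_ldif_entry(SAMPLE_LDIF)
    reply = vlan_reply_attributes(user)
    # Same shape as a reply item list in the FreeRADIUS users file.
    print(",\n".join(f"\t{k} = {v}" for k, v in reply.items()))
```

The Tunnel-Type and Tunnel-Medium-Type values are the FreeRADIUS dictionary names for RFC 2868 values 13 (VLAN) and 6 (IEEE-802); in a real deployment the two fixed attributes can stay in the DEFAULT users-file entry as described in the thread and only Tunnel-Private-Group-ID needs to come from the lookup.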