Dynamic Vlan Allocation based on LDAP Attribute Value

Paul Dealy pdealy at gmail.com
Tue Feb 17 02:15:07 CET 2009


On Tue, Feb 17, 2009 at 11:44 AM,  <tnt at kalik.net> wrote:
>>I'm using version 1.1.3 so, I moved the "files" entry below the ldap
>>entry but my DEFAULT entry in the file: users does not match or return
>>any value.
>>
>
> You should upgrade. Did something else match in files? Post the debug.

Stuck with this version for now.

I have a "catchall" DEFAULT entry with no comparison which set the
vlan.  But it didn't match on the userORGUNIT ldap attribute. value


modcall: entering group authorize for request 2
  modcall[authorize]: module "preprocess" returns ok for request 2
  modcall[authorize]: module "chap" returns noop for request 2
  modcall[authorize]: module "mschap" returns noop for request 2
rlm_ldap: - authorize
rlm_ldap: performing user authorization for asmith
radius_xlat:  '(&(objectClass=inetOrgPerson)(cn=asmith))'
radius_xlat:  'o=sut'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in o=sut, with filter
(&(objectClass=inetOrgPerson)(cn=asmith))
rlm_ldap: checking if remote access for asmith is allowed by userORGUNIT
rlm_ldap: looking for check items in directory...
rlm_ldap: Adding userORGUNIT as userORGUNIT, value ISITCP & op=21
rlm_ldap: looking for reply items in directory...
rlm_ldap: user asmith authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module "ldap" returns ok for request 2
    users: Matched entry DEFAULT at line 25
  modcall[authorize]: module "files" returns ok for request 2
  rlm_eap: EAP packet type response id 4 length 6
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 2
modcall: leaving group authorize (returns updated) for request 2
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 2
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/peap
  rlm_eap: processing type peap
  rlm_eap_peap: Authenticate
  rlm_eap_tls: processing TLS
rlm_eap_tls: Received EAP-TLS ACK message
  rlm_eap_tls: ack handshake fragment handler
  eaptls_verify returned 1
  eaptls_process returned 13
  rlm_eap_peap: EAPTLS_HANDLED
  modcall[authenticate]: module "eap" returns handled for request 2
modcall: leaving group authenticate (returns handled) for request 2
Sending Access-Challenge of id 35 to xxx.xxx.xxx.xxx port 1645
        Tunnel-Type:0 = VLAN
        Tunnel-Medium-Type:0 = IEEE-802
        Tunnel-Private-Group-Id:0 = "226"
        EAP-Message =
0x010502f71900170d3036303132343133323630375a30819f310b30090603550406130243413111300f0603550408130850726f76696e63653112301006035504071309536f6d65204369747931153013060355040a130c4f7267616e697a6174696f6e31123010060355040b13096c6f63616c686f7374311b301906035504031312436c69656e742063657274696669636174653121301f06092a864886f70d0109011612636c69656e74406578616d706c652e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100d4c5b19724f164acf1ffb189db1c8fbff4f14396ea7cb1e90f78d69451725377895dfe52ccb99b41e8
        EAP-Message =
0x0ddeb58b127a943f4f58cbc562878192fbdc6fece9f871e7c130d35cf5188817e9b133249edd2a1c75d31043ae87553cec7a77ef26aa7d74281db9b77e17c6446c5dd9b188b43250ca0229963722a123a726b00b4027fd0203010001a381ff3081fc301d0603551d0e0416041468d36d3e1ee7bc9d5a057021c363da1365d1ade33081cc0603551d230481c43081c1801468d36d3e1ee7bc9d5a057021c363da1365d1ade3a181a5a481a230819f310b30090603550406130243413111300f0603550408130850726f76696e63653112301006035504071309536f6d65204369747931153013060355040a130c4f7267616e697a6174696f6e31123010
        EAP-Message =
0x060355040b13096c6f63616c686f7374311b301906035504031312436c69656e742063657274696669636174653121301f06092a864886f70d0109011612636c69656e74406578616d706c652e636f6d820100300c0603551d13040530030101ff300d06092a864886f70d01010405000381810033c00b66b1e579ef73a06798252dab8d5e5511fc00fd276d80d12f834777c6743fdc2743fca1507704e4bc0979e4f60ac3ad9ee83e6f347369229d1f77229ba2e982359da563024a00163dba6d6c986c0bad28af85132ff8f0d76501bf1b7c2dff658ce1e62c01997b6e64e3e8d4373354ce9912847651539063b85bbc5485c516030100040e000000
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xb4d641b20399b8f92c0d9fb148763ead
Finished request 2
Going to the next request


The users file looks like:


DEFAULT userORGUNIT == "ISITCP"
        tunnel-type = VLAN,
        tunnel-medium-type = IEEE-802,
        tunnel-private-group-ID = 5,
        Fall-Through = No

DEFAULT
        tunnel-type = VLAN,
        tunnel-medium-type = IEEE-802,
        tunnel-private-group-ID = 226,
        Fall-Through = No


>
> Ivan Kalik
> Kalik Informatika ISP
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>




More information about the Freeradius-Users mailing list