Retrieving eDirectory VLAN attributes

Alan DeKok aland at deployingradius.com
Fri May 24 16:17:33 CEST 2013


Dan Lietz wrote:
> I’m pretty much a noob when it comes to freeradius as I still don’t
> completely understand what files are used for authorization and
> authentication and where to put certain pieces of configuration.

  Rule 1: don't touch anything.  The configuration is complicated, but
it mostly works.

  The "files used for authorization" are the virtual servers.  See
raddb/sites-enabled.  Those files reference other configuration.  But
it's all reasonably well abstracted.

  i.e. you don't need to know anything about the "mschap" module
configuration to use it.  You don't even need to know *where* its
configuration lives.  But if you run the server in debugging mode, it
will tell you.

  The "where to put configuration" issue largely depends on what you
want to do.  Edit a virtual server?  See raddb/sites-enabled.  A module?
 raddb/modules.

> I’m trying to set up dynamic vlans for a wireless network with a Ruckus
> Zone Director backend and a freeradius backend authenticating via LDAP
> to eDirectory running on the same box. So far I’ve managed to configure
> 802.11x authentication using PEAP and that is working well.

  That's good.

> Now I want to be able to retrieve the radius attribute in eDirectory for
> the vlan tag so the Ruckus Zone Director will automatically place the
> user on the correct vlan once they are authenticated.

  OK.

> I did some initial testing without using LDAP by adding the following
> lines to my users file:
> 
> # reply items go on indented lines after the DEFAULT line, comma-separated,
> # no comma after the last one; IEEE-802 is the dictionary name for value 6
> DEFAULT
> 	Tunnel-Type = VLAN,
> 	Tunnel-Medium-Type = IEEE-802,
> 	Tunnel-Private-Group-ID = 85,
> 	Fall-Through = Yes

  Yes, that works.  It's a good first step.

> By changing the value of “Tunnel-Private-Group-ID” (set to 85 in the
> above example) the Zone Director will move users to the vlan ID I
> specify here, but it is obviously static and does not change based on
> the user. The next step is to configure FreeRadius to pull the info from
> eDir via LDAP and that’s the part I’m not getting.

  The "ldap.attrmap" file is in the "raddb" directory.  It contains
mappings from LDAP to RADIUS.  It's also documented in the comments at
the top of the file.

> Part of my problem is that I don’t know which attributes mappings are
> built in and which aren’t.

  See ldap.attrmap.

> According to this document: Integrating
> Novell eDirectory with FreeRadius
> <https://www.netiq.com/documentation/edir_radius/radiusadmin/?page=/documentation/edir_radius/radiusadmin/data/bv8m2ll.html>
> the listed radius attributes are available for use, but does that mean I
> don’t need to add them to ldap.attr or the dictionary file at all? Or
> that I don’t need to add an LDAP attribute map to the LDAP Group object
> in iManager?

  The LDAP to RADIUS map is defined in ldap.attrmap.  And ONLY in
ldap.attrmap.  Go look there.  If a mapping isn't there, it isn't
mapped.  If it is there, the LDAP attribute (if any) is mapped to the
RADIUS equivalent.

> The other thing I don’t understand is where (i.e. what file) to put the
> ldap call for said attributes and what the syntax would look like.

  See raddb/sites-available/inner-tunnel, and "default".  Look for
"ldap".  Read the comments there.


> I’ve configured my eap.conf to include ‘copy_request_to_tunnel = yes’
> and ‘use_tunneled_reply = yes’

  That's correct for your setup.

  Alan DeKok.
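As an added illustration of the point made above about ldap.attrmap (this is a small model written for this page, not FreeRADIUS code), the following script parses an excerpt in the ldap.attrmap format, parses a constructed LDIF entry for a test user, and produces the check and reply items rlm_ldap would hand back: an LDAP attribute that has no line in the map is simply dropped, `radiusReplyItem` values are split as generic "Attribute = value" pairs, and named integer values such as VLAN and IEEE-802 are resolved from the RFC 2868 dictionary while a bare number (802) is taken literally. The `radiusTunnel*` attribute names are the ones the stock 2.x ldap.attrmap maps and are assumed here to be what the eDirectory RADIUS schema extension provides; the user DN, the `title` attribute and the values are all constructed. In the real server these reply items are collected by `ldap` in the `authorize` section of the inner-tunnel virtual server and, with `copy_request_to_tunnel` and `use_tunneled_reply` set, end up in the outer Access-Accept that the Zone Director reads.

```python
"""Model of how rlm_ldap's ldap.attrmap turns an LDAP entry into RADIUS items.

Added example for this mailing-list post; not FreeRADIUS code.
"""

# Excerpt in the raddb/ldap.attrmap format.  Each line is:
#   checkItem|replyItem   <RADIUS attribute>   <LDAP attribute>
# The radiusTunnel* lines are present in the stock 2.x file; the LDAP names
# are assumed to match the eDirectory RADIUS schema extension.
LDAP_ATTRMAP = """
# item type      RADIUS attribute           LDAP attribute
replyItem        $GENERIC$                  radiusReplyItem
checkItem        $GENERIC$                  radiusCheckItem
checkItem        Auth-Type                  radiusAuthType
replyItem        Filter-Id                  radiusFilterId
replyItem        Session-Timeout            radiusSessionTimeout
replyItem        Tunnel-Type                radiusTunnelType
replyItem        Tunnel-Medium-Type         radiusTunnelMediumType
replyItem        Tunnel-Private-Group-Id    radiusTunnelPrivateGroupId
"""

# Constructed LDIF for a hypothetical user.  'title' is deliberately an
# attribute that ldap.attrmap does not mention, to show it is ignored.
USER_LDIF = """
dn: cn=dlietz,ou=staff,o=example
cn: dlietz
title: Network Engineer
radiusTunnelType: VLAN
radiusTunnelMediumType: IEEE-802
radiusTunnelPrivateGroupId: 85
radiusReplyItem: Session-Timeout = 3600
"""

# Named values from dictionary.rfc2868 (Tunnel-Type VLAN is RFC 3580).
# Attributes not listed here are strings and are passed through unchanged.
VALUE_NAMES = {
    "Tunnel-Type": {"VLAN": 13},
    "Tunnel-Medium-Type": {"IP": 1, "IPv4": 1, "IPv6": 2, "IEEE-802": 6},
}


def parse_attrmap(text):
    """Return {ldap_attr_lowercase: (item_type, radius_attr)}."""
    mapping = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        item_type, radius_attr, ldap_attr = line.split()
        # LDAP attribute names are case-insensitive, so normalise the key.
        mapping[ldap_attr.lower()] = (item_type, radius_attr)
    return mapping


def parse_ldif(text):
    """Return {attr_lowercase: [values]} for one simple LDIF entry."""
    entry = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        entry.setdefault(attr.strip().lower(), []).append(value.strip())
    return entry


def resolve_value(radius_attr, value):
    """Integer attributes: a bare number is literal, otherwise a VALUE name."""
    names = VALUE_NAMES.get(radius_attr)
    if names is None:
        return value  # string attribute, e.g. Tunnel-Private-Group-Id
    if value.isdigit():
        return int(value)  # "802" becomes 802, not IEEE-802 (6)
    if value not in names:
        raise ValueError(f"unknown value {value!r} for {radius_attr}")
    return names[value]


def map_entry(entry, mapping):
    """Build (check_items, reply_items) from an LDAP entry via the attrmap."""
    check, reply = [], []
    for ldap_attr, values in entry.items():
        if ldap_attr not in mapping:
            continue  # no line in ldap.attrmap means it is not mapped
        item_type, radius_attr = mapping[ldap_attr]
        target = check if item_type == "checkItem" else reply
        for value in values:
            if radius_attr == "$GENERIC$":
                # radiusReplyItem / radiusCheckItem carry "Attr = value" text
                attr, _, val = value.partition("=")
                attr, val = attr.strip(), val.strip()
                target.append((attr, resolve_value(attr, val)))
            else:
                target.append((radius_attr, resolve_value(radius_attr, value)))
    return check, reply


if __name__ == "__main__":
    check, reply = map_entry(parse_ldif(USER_LDIF), parse_attrmap(LDAP_ATTRMAP))
    print("check items:", check)
    for attr, value in reply:
        print(f"reply: {attr} = {value}")
```

Run it as-is to see that `title` never reaches the reply list while the three tunnel attributes and the generic Session-Timeout do; to model a different eDirectory layout, edit the LDIF block and the attrmap excerpt and compare against the real `raddb/ldap.attrmap` on the server.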

