Freeradius-Users Digest, Vol 113, Issue 26

Rui Ribeiro ruyrybeyro at gmail.com
Mon Sep 8 10:39:02 CEST 2014


Hi Felix,

The best approach is to use the LDAP groups to select your VLAN. As you are
starting, I would also advise upgrading to 2.2.5 or, better yet, version 3.
It would also be better to create a group for Wi-Fi access instead of
using the administrator group.

You can write the logic for the VLAN selection in the users file, or with
unlang; if you search the list archive you will find plenty of examples.

Taken from the end of my post-auth in inner-tunnel. I still advise you to
peruse the archive, to understand it better.

if ( Ldap-Group == "staff" ) {
    if (!(Operator-Name)) {
        update reply {
            User-Name := "%{request:User-Name}"
            Service-Type := "Framed-User"
            Framed-MTU := 1300
            Tunnel-Type := VLAN
            Tunnel-Medium-Type := IEEE-802
            Tunnel-Private-Group-Id := "7"
            Reply-Message := "staff VLAN"
        }
    }
}
elsif ( Ldap-Group == "student" ) {
    if (!(Operator-Name)) {
        update reply {
            User-Name := "%{request:User-Name}"
            Service-Type := "Framed-User"
            Framed-MTU := 1300
            Tunnel-Type := VLAN
            Tunnel-Medium-Type := IEEE-802
            Tunnel-Private-Group-Id := "9"
            Reply-Message := "student VLAN"
        }
    }
}
else {
    reject
}

Regards,
Rui Ribeiro
Senior Sysadm
ISCTE-IUL
https://www.linkedin.com/pub/rui-ribeiro/16/ab8/434
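Added illustration, not code from Rui's post or from FreeRADIUS: the three attributes the update block above sets are the RFC 2868 tagged tunnel attributes. This Python encodes the VLAN triple as the switch receives it in the Access-Accept and checks a reply for a complete, consistent assignment, including the RFC 2868 rule that a Tunnel-Private-Group-Id whose first byte is above 0x1F carries no tag byte. The wire layout follows RFC 2868 only; it makes no claim about how FreeRADIUS itself encodes tag 0.

```python
import struct

# RFC 2868 tagged tunnel attributes used for dynamic VLAN assignment
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
VLAN, IEEE_802 = 13, 6  # Tunnel-Type = VLAN, Tunnel-Medium-Type = IEEE-802


def encode_vlan_reply(vlan_id: str, tag: int = 0) -> bytes:
    """Build the three AVPs an Access-Accept needs to place a port on vlan_id."""
    if not 0 <= tag <= 0x1F:
        raise ValueError("RFC 2868 tags are 0..31")
    group = vlan_id.encode()
    return b"".join([
        struct.pack("!BBB", TUNNEL_TYPE, 6, tag) + VLAN.to_bytes(3, "big"),
        struct.pack("!BBB", TUNNEL_MEDIUM_TYPE, 6, tag) + IEEE_802.to_bytes(3, "big"),
        struct.pack("!BBB", TUNNEL_PRIVATE_GROUP_ID, 3 + len(group), tag) + group,
    ])


def parse_avps(data: bytes):
    """Split a RADIUS attribute list into (type, value) pairs, rejecting bad lengths."""
    avps, i = [], 0
    while i < len(data):
        if len(data) - i < 2:
            raise ValueError("truncated attribute header")
        atype, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError(f"bad length {length} for attribute {atype}")
        avps.append((atype, data[i + 2:i + length]))
        i += length
    return avps


def extract_vlan(data: bytes):
    """Return the VLAN id if the reply carries a complete, consistent VLAN triple
    (same tag on all three, type VLAN, medium IEEE-802); otherwise None."""
    found = {}
    for atype, value in parse_avps(data):
        if atype in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE) and len(value) == 4:
            found[atype] = (value[0], int.from_bytes(value[1:], "big"))
        elif atype == TUNNEL_PRIVATE_GROUP_ID and value:
            # RFC 2868 section 3.6: a first byte above 0x1F is string data, not a tag
            if value[0] <= 0x1F:
                found[atype] = (value[0], value[1:].decode("ascii", "replace"))
            else:
                found[atype] = (0, value.decode("ascii", "replace"))
    if len(found) != 3 or len({tag for tag, _ in found.values()}) != 1:
        return None
    if found[TUNNEL_TYPE][1] != VLAN or found[TUNNEL_MEDIUM_TYPE][1] != IEEE_802:
        return None
    return found[TUNNEL_PRIVATE_GROUP_ID][1]
```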


>
> Message: 2
> Date: Mon, 8 Sep 2014 04:14:31 -0400
> From: Lord Felix <felix107 at msn.com>
> To: "freeradius-users at lists.freeradius.org"
>         <freeradius-users at lists.freeradius.org>
> Subject: How-To for setting up ldap for Active Directory
> Message-ID: <BAY172-W14882D57281A381E1D91438DC10 at phx.gbl>
> Content-Type: text/plain; charset="iso-8859-1"
>
> Hi Everyone,
>
> I'm new to freeRadius and I've been reading some of the mailing list
> e-mails.
>
> I've got FreeRADIUS on CentOS 6, which is version 2.1.12, installed.
>
> So I've followed the instructions for getting FreeRADIUS working with ntlm_auth
> against Windows 2012 Active Directory, based on the link below:
> http://deployingradius.com/documents/configuration/active_directory.html
>
> Everything works great!
>
> The only issue is now I need dynamic VLAN working, and I also need to look
> up the MAC address from an MSSQL database to validate the user and allow
> access to the network.
>
> After reading more about ntlm_auth, it will only respond with true or false,
> and this method doesn't really help with what I want to accomplish.
>
> What I need to do is, based on what group the user belongs to, they are
> assigned to that specific VLAN, i.e. if you are staff you go to VLAN 7
> and if you are a student you go to VLAN 9.
>
> Is there any How-To guide for setting up ldap for Active Directory just
> like the link above?
>
> I've tried to setup the ldap module and I'm running into issues.
>
> This is how my ldap config looks:
>
> ldap {
>         server = "xxx.xxx.xxx"
>         basedn = "dc=xxx,dc=xxx,dc=xxx"
>         filter = "(&(sAMAccountname=%{Stripped-User-Name:-%{User-Name}})(objectClass=person))"
>         # groupmembership_attribute = "Administrators"   # a group name, not an attribute; set to memberOf below
>         ldap_connections_number = 5
>         timeout = 40
>         timelimit = 30
>         net_timeout = 10
>         tls {
>                 start_tls = no
>         }
>         dictionary_mapping = ${confdir}/ldap.attrmap
>         edir_account_policy_check = no
>         groupname_attribute = cn
>         groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{control:Ldap-UserDn})))"
>         groupmembership_attribute = memberOf
>         chase_referrals = yes
>         rebind = yes
>         ldap_debug = 0x0028
>         keepalive {
>                 idle = 60
>                 probes = 3
>                 interval = 3
>         }
> }
>
>
> Here is my debug info, and I know it's not working, because I don't even
> see it trying to contact the radius server, which is why I'm asking if
> there is a quick how-to:
> rad_recv: Access-Request packet from host 127.0.0.1 port 33583, id=125,
> length=74
>         User-Name = "xxxxxxx"
>         User-Password = "xxxxxxx"
>         NAS-IP-Address = xx.xx.xxxx
>         NAS-Port = 0
>         Message-Authenticator = 0x1c451a3ee1cd4caabec9e764c4006d2b
> # Executing section authorize from file /etc/raddb/sites-enabled/default
> +- entering group authorize {...}
> ++[preprocess] returns ok
> ++[chap] returns noop
> ++[mschap] returns noop
> ++[digest] returns noop
> [suffix] No '@' in User-Name = "xxxxxx", looking up realm NULL
> [suffix] No such realm "NULL"
> ++[suffix] returns noop
> [eap] No EAP-Message, not doing EAP
> ++[eap] returns noop
> ++[files] returns noop
> [sql]   expand: %{User-Name} -> xxxx
> [sql] sql_set_user escaped user --> 'xxxxxx'
> rlm_sql (sql): Reserving sql socket id: 3
> [sql]   expand: SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE
> Username = '%{SQL-User-Name}' ORDER BY id -> SELECT
> id,UserName,Attribute,Value,op FROM radcheck WHERE Username = 'username'
> ORDER BY id
> [sql]   expand: SELECT groupname FROM radusergroup WHERE username =
> '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup
> WHERE username = 'xxxxxx' ORDER BY priority
> rlm_sql (sql): Released sql socket id: 3
> [sql] User username not found
> ++[sql] returns notfound
> ++[expiration] returns noop
> ++[logintime] returns noop
> [pap] WARNING! No "known good" password found for the user.
> Authentication may fail because of this.
> ++[pap] returns noop
> ERROR: No authenticate method (Auth-Type) found for the request: Rejecting
> the user
> Failed to authenticate the user.
> Using Post-Auth-Type Reject
> # Executing group from file /etc/raddb/sites-enabled/default
> +- entering group REJECT {...}
> [attr_filter.access_reject]     expand: %{User-Name} -> xxxxx
> attr_filter: Matched entry DEFAULT at line 11
> ++[attr_filter.access_reject] returns updated
> Delaying reject of request 1 for 1 seconds
> Going to the next request
> Waking up in 0.9 seconds.
> Sending delayed reject for request 1
> Sending Access-Reject of id 125 to 127.0.0.1 port 33583
> Waking up in 4.9 seconds.
> Cleaning up request 1 ID 125 with timestamp +2007
> Ready to process requests.
>
>
> Someone also posted that they can get ntlm_auth working with groups and
> you need to chat the stuff around? It would be great if someone can provide
> a how-to on this to work with dynamic VLAN.
>
> Any help would be greatly appreciated.
>
> Thanks
>
> -----