Authorizing using LDAP attributes

Clayton Knorr clayton.knorr at nuspire.com
Fri May 6 19:25:02 CEST 2016


Running radius 2.1.12 and OpenLDAP (OpenLDAP just for testing at this point)

Ok, my situation in a nutshell.

Trying to solve a problem. I need to provide EAP authentication for wifi to many devices. The freeradius server will be hitting an LDAP directory which is not in my control. I need to be able to have conditional logic to allow only certain users with certain attributes in the LDAP directory to connect to certain RADIUS clients. I don't control the LDAP directory, so using groups or OUs is not an option. So, for example, if the LDAP user has an attribute Location that equals "A1234", I only want them to connect to one or a subset of APs/controllers.

I have gotten to the point where everything works for EAP, just the LDAP attributes mapping to RADIUS attributes is giving me fits.

So I have a test ldap directory in which I have set users up with the attribute businessCategory set to A1000.
I have added an entry to the main dictionary file: ATTRIBUTE       My-Local-String         3000    string
I have added a line to ldap.attrmap: checkItem       My-Local-String                 businessCategory
I have the following in my post-auth section in sites-enabled/default:

        if ( Called-Station-Id == "AC-85-75-46-55-91:Peep" && My-Local-String == "A1000" ) {
                noop
        }
        else {
                reject
        }

Here are some logs from what happens when I try to log in:
...
[ldap] looking for check items in directory...
  [ldap] businessCategory -> My-Local-String == "A1000"
  [ldap] userPassword -> Cleartext-Password == "password"
  [ldap] userPassword -> Password-With-Header == "password"
[ldap] looking for reply items in directory...
[ldap] user uuserton authorized to use remote access
  [ldap] ldap_release_conn: Release Id: 0
++[ldap] return
.....

# Executing section post-auth from file /etc/freeradius/sites-enabled/default
+- entering group post-auth {...}
++? if (Called-Station-Id == "AC-85-75-46-55-91:Peep" && My-Local-String == "A1000" )
? Evaluating (Called-Station-Id == "AC-86-74-46-65-91:Peep" ) -> TRUE
    (Attribute My-Local-String was not found)
? Evaluating (My-Local-String == "A1000" ) -> FALSE
++? if (Called-Station-Id == "AC-86-74-46-65-91:Peep" && My-Local-String == "A1000" ) -> FALSE
++- entering else else {...}
+++[reject] returns reject
++- else else returns reject
Using Post-Auth-Type Reject


The baffling part is where it says "Attribute My-Local-String was not found." Am I completely barking up the wrong tree here? Is ldap.attrmap meant to be used for something completely different?

Thanks....
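An added note and example, not part of the original post: in unlang an unqualified attribute name such as My-Local-String is looked up in the request list, i.e. the attributes the NAS sent in the Access-Request. Attributes that rlm_ldap pulls in through checkItem entries in ldap.attrmap are placed in the check-item list instead, which unlang addresses with the control: prefix. That is why the debug output reports "Attribute My-Local-String was not found" even though the ldap module logged the very same attribute a few lines earlier. The post-auth fragment below was written for this reply (it is not the poster's configuration) and assumes the same dictionary entry, ldap.attrmap line and Called-Station-Id as above; the only change is the list qualifier on the LDAP-derived attribute:

```unlang
# sites-enabled/default (or inner-tunnel, see the note below), post-auth section.
post-auth {
        # Broken form: the unqualified name is looked up in the request list,
        # where the checkItem from ldap.attrmap never appears, so this is always FALSE.
        #if ( Called-Station-Id == "AC-85-75-46-55-91:Peep" && My-Local-String == "A1000" ) {

        # Working form: checkItem entries land in the check-item list, so
        # qualify the attribute with control: (Called-Station-Id stays unqualified,
        # because it really does arrive in the request).
        if ( Called-Station-Id == "AC-85-75-46-55-91:Peep" && control:My-Local-String == "A1000" ) {
                noop
        }
        else {
                reject
        }
}
```

Two things to confirm in radiusd -X before relying on this. First, with PEAP or EAP-TTLS the ldap module normally runs while the inner-tunnel virtual server processes the tunnelled identity, and that inner request has its own control list; a post-auth check in the outer default server will not see check items that were added inside the tunnel, so the condition may have to live in the inner-tunnel post-auth section. Second, if it does move into inner-tunnel, Called-Station-Id is only present there when copy_request_to_tunnel = yes is set for that EAP method in eap.conf (both points assume the stock 2.x virtual-server layout; verify against the actual debug output).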