Microsoft AD group check

Alan DeKok aland at deployingradius.com
Sun Jan 12 17:25:57 CET 2020


On Jan 12, 2020, at 10:37 AM, Marek Smoliński <marksmol at o2.pl> wrote:
> 
> I want to implement 802.1x. The computers belonging to the Microsoft domain will be authenticated. The switch port will be configured in a VLAN according to the computer's group membership. Simple configuration. Works well ;) FreeRadius 3.0.19

  That's good.

> Question: due to AD complexity, is it possible to assign the same VLAN to computers from different groups?

  Yes.

> Currently I'm doing it as follows: in post-auth
> if (Ldap-Group == VLAN16_SIEO1) {
>    update reply {
>        ...
>    }
> }
> I want to allocate the same VLAN to groups such as VLAN16_BSTO1 and VLAN16_ADMCE1 and others starting with VLAN16_.  Is it possible to check the group name so as not to create many "if" conditions? In my case these conditions will be about 800 :)

  I would suggest not using "if / then / else" conditions.

> If I change the "if" condition
> if (Ldap-Group[*] =~ /.*VLAN16_.*/) {
>    update reply {
>        ...
>    }
> }
> 
> I've got the result:

  Yes, that doesn't work.  The LDAP-Group attribute doesn't really exist.  It's just a simple way to query LDAP groups, without using complex LDAP syntax.

  Plus, you don't really want to return 800 groups from AD, and then pick only one of them.  That's inefficient, and can lead to problems.

> Can anyone help me and tell me how to configure this to solve the problem? Thanks.

  You should write an LDAP query to do the group matching.  Test it via the "ldapsearch" tool.  In 3.0.19, the mods-available/ldap file has detailed instructions for running ldapsearch.

  Once you have an LDAP query which matches what you want, add it to FreeRADIUS:

	if ("%{ldap:magic ldap stuff}") {
		update reply {
			...
		}
	}

  FreeRADIUS is really about policies, and LDAP is really about data. Doing 3-4 checks in FR is OK.  Doing 800 checks in FR means you're likely using the DB wrong.  Just write a DB query to match what you want.  Then, use that query in FreeRADIUS.

  Alan DeKok.
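As an added illustration of the approach Alan describes (this is not code from the thread or from the FreeRADIUS project), the post-auth policy below replaces the per-group "if" conditions with a single LDAP query through the rlm_ldap xlat, which takes an LDAP URL and returns the requested attribute of the first matching entry. The base DN dc=example,dc=com, the VLAN id 16, the bind DN in the ldapsearch comment, and the sample computer DN are all placeholders. It assumes the ldap module ran in authorize, so that control:Ldap-UserDn holds the DN of the authenticated computer account.

```unlang
# post-auth section of the virtual server (e.g. sites-available/default).
# Placeholders: base DN dc=example,dc=com, VLAN 16, the bind DN and the
# computer DN used in the ldapsearch line.  Requires control:Ldap-UserDn,
# which rlm_ldap sets when it finds the account in authorize.
#
# Check the filter with ldapsearch before putting it into unlang
# (substitute a real bind DN and a real computer DN):
#   ldapsearch -H ldap://dc.example.com \
#     -D 'CN=svc-radius,CN=Users,dc=example,dc=com' -W \
#     -b 'dc=example,dc=com' \
#     '(&(objectClass=group)(cn=VLAN16_*)(member=CN=PC01,CN=Computers,dc=example,dc=com))' cn
post-auth {
	# One query: the cn of any AD group whose name starts with VLAN16_
	# and which lists this computer as a member.  The xlat expands to
	# an empty string (false) when no such group exists, so 800 groups
	# never have to be returned to FreeRADIUS and compared one by one.
	if ("%{ldap:ldap:///dc=example,dc=com?cn?sub?(&(objectClass=group)(cn=VLAN16_*)(member=%{control:Ldap-UserDn}))}") {
		update reply {
			Tunnel-Type := VLAN
			Tunnel-Medium-Type := IEEE-802
			Tunnel-Private-Group-Id := "16"
		}
	}
}
```

The filter does the matching on the AD side, so the directory returns at most the one group name that matters; a second VLAN prefix is one more "if" with a different cn pattern rather than another few hundred conditions. If a computer can be a member of groups under several VLAN prefixes at once, decide the precedence explicitly (order the checks), because the directory does not guarantee which matching group it returns first.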
