Microsoft AD group check

Olivier Mahieu o_mahieu at hotmail.com
Sun Jan 12 18:38:13 CET 2020


Does this also work with PEAP-MSCHAPv2?
Meaning in /sites-available/default, Auth-Type LDAP is disabled.

Looking for a solution for dynamic VLAN assignment with PEAP/MSCHAPv2.

Thanks

Verzonden vanuit Mail<https://go.microsoft.com/fwlink/?LinkId=550986> voor Windows 10

Van: Alan DeKok<mailto:aland at deployingradius.com>
Verzonden: zondag 12 januari 2020 17:26
Aan: FreeRadius users mailing list<mailto:freeradius-users at lists.freeradius.org>
Onderwerp: Re: Microsoft AD group check

On Jan 12, 2020, at 10:37 AM, Marek Smoliński <marksmol at o2.pl> wrote:
>
> I want to implement 802.1x. The computers belonging to Microsoft domey will be authenticated. The switch port will be configured in VLAN according to the computer's group membership. Simple configuration. Works well ;) FreeRadius 3.0.19

  That's good.

> Question: due to AD complexity, is it possible to assign the same VLAN to computers from different groups?

  Yes.

> Currently I'm doing it as follows: in post-auth
> if (Ldap-Group == VLAN16_SIEO1) {
>    update reply {
>        ...
>    }
> }
> I want to allocate the same VLAN to groups such as VLAN16_BSTO1 and VLAN16_ADMCE1 and others starting with VLAN16_.  Is it possible to check the group name so as not to create many "if" conditions? In my case these conditions will be about 800 :)

  I would suggest not using "if / then / else" conditions.

> if I change the „if” condition
> if (Ldap-Group[*] =~ /.*VLAN16_.*/) {
>    update reply {
>        ...
>    }
> }
>
> I've got the result:

  Yes, that doesn't work.  The LDAP-Group attribute doesn't really exist.  It's just a simple way to query LDAP groups, without using complex LDAP syntax.

  Plus, you don't really want to return 800 groups from AD, and then pick only one of them.  That's inefficient, and can lead to problems.

> anyone can help me, tell me how to config can solve this problem, thanks.

  You should write an LDAP query to do the group matching.  Test it via the "ldapsearch" tool.  In 3.0.19, the mods-available/ldap file has detailed instructions for running ldapsearch.

  Once you have an LDAP query which matches what you want, add it to FreeRADIUS:

        if ("%{ldap:magic ldap stuff}") {
                update reply {
                        ...
                }
        }

  FreeRADIUS is really about policies, and LDAP is really about data. Doing 3-4 checks in FR is OK.  Doing 800 checks in FR means you're likely using the DB wrong.  Just write a DB query to match what you want.  Then, use that query in FreeRADIUS.

  Alan DeKok.


-
List info/subscribe/unsubscribe? See https://eur05.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.freeradius.org%2Flist%2Fusers.html&data=02%7C01%7C%7Cdf383f1d4f0348ce4d7a08d7977c2746%7C84df9e7fe9f640afb435aaaaaaaaaaaa%7C1%7C0%7C637144431790788199&sdata=H7TV%2Bz4NbwleTig7G3d2sLjTn%2BPQrf0J2H%2Bpx4n6Fmw%3D&reserved=0



More information about the Freeradius-Users mailing list