<div dir="ltr"><br><div class="gmail_extra">Hi Felix,</div><div class="gmail_extra"><br></div><div class="gmail_extra">The best approach is to use the LDAP groups to select your VLAN. As you are starting, I would also advise you to upgrade to 2.2.5 or, better yet, version 3.</div><div class="gmail_extra">It would also be better if you created a group for Wifi access instead of using the administrator group.</div><div class="gmail_extra"><br></div><div class="gmail_extra">You can write the logic for the VLAN in the users file or with unlang; if you search the list archive you will find plenty of examples.</div><div class="gmail_extra"><br></div><div class="gmail_extra">Taken from the end of my post-auth, inner-tunnel. I still advise you to peruse the archive, to understand it better.</div><div class="gmail_extra"><br></div><div class="gmail_extra"><pre>
# post-auth section of sites-enabled/inner-tunnel: the Ldap-Group check
# selects the VLAN; reply attributes are only set when the request carries
# no Operator-Name; a user in neither group is rejected.
if ( Ldap-Group == "staff" ) {
	if (!(Operator-Name)) {
		update reply {
			User-Name := "%{request:User-Name}"
			Service-Type := "Framed-User"
			Framed-MTU := 1300
			Tunnel-Type := VLAN
			Tunnel-Medium-Type := IEEE-802
			# VLAN id handed to the switch/AP
			Tunnel-Private-Group-Id := "7"
			Reply-Message := "staff VLAN"
		}
	}
}
elsif ( Ldap-Group == "student" ) {
	if (!(Operator-Name)) {
		update reply {
			User-Name := "%{request:User-Name}"
			Service-Type := "Framed-User"
			Framed-MTU := 1300
			Tunnel-Type := VLAN
			Tunnel-Medium-Type := IEEE-802
			Tunnel-Private-Group-Id := "9"
			Reply-Message := "student VLAN"
		}
	}
}
else {
	reject
}
</pre></div><div class="gmail_extra"><br></div><div class="gmail_extra">Regards,</div><div class="gmail_extra">Rui Ribeiro</div><div class="gmail_extra">Senior Sysadm</div><div class="gmail_extra">ISCTE-IUL</div><div class="gmail_extra"><a href="https://www.linkedin.com/pub/rui-ribeiro/16/ab8/434">https://www.linkedin.com/pub/rui-ribeiro/16/ab8/434</a><br></div><div class="gmail_extra"><br><div class="gmail_quote"><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><br>
<br>
Message: 2<br>
Date: Mon, 8 Sep 2014 04:14:31 -0400<br>
From: Lord Felix <<a href="mailto:felix107@msn.com">felix107@msn.com</a>><br>
To: "<a href="mailto:freeradius-users@lists.freeradius.org">freeradius-users@lists.freeradius.org</a>"<br>
        <<a href="mailto:freeradius-users@lists.freeradius.org">freeradius-users@lists.freeradius.org</a>><br>
Subject: How-To for setting up ldap for Active Directory<br>
Message-ID: <BAY172-W14882D57281A381E1D91438DC10@phx.gbl><br>
Content-Type: text/plain; charset="iso-8859-1"<br>
<br>
Hi Everyone,<br>
<br>
I'm new to freeRadius and I've been reading some of the mailing list e-mails.<br>
<br>
I've got freeRadius on CentOS 6, which is version 2.1.12, installed.<br>
<br>
So I've followed the instructions for getting freeRadius working ntlm_auth with Windows 2012 Active Directory, based on the link below:<br>
<a href="http://deployingradius.com/documents/configuration/active_directory.html" target="_blank">http://deployingradius.com/documents/configuration/active_directory.html</a><br>
<br>
Everything works great!<br>
<br>
The only issue now is that I need Dynamic VLAN working, and I also need to look up the MAC address from an MSSQL database to validate the user to allow access to the network.<br>
<br>
After reading more about ntlm_auth, it will only respond with true or false, and this method doesn't really help with what I want to accomplish.<br>
<br>
What I need to do is, based on what group the user belongs to, assign them to that specific VLAN, i.e. if you are staff you go to VLAN 7 and if you are a student you go to VLAN 9.<br>
<br>
Is there any How-To guide for setting up ldap for Active Directory just like the link above?<br>
<br>
I've tried to setup the ldap module and I'm running into issues.<br>
<br>
This is what my ldap config looks like:<br>
<br>
ldap {<br>
        server = "xxx.xxx.xxx"<br>
        basedn = "dc=xxx,dc=xxx,dc=xxx"<br>
        # user lookup filter, quoted so the parentheses are read as one value<br>
        filter = "(&(sAMAccountname=%{Stripped-User-Name:-%{User-Name}})(objectClass=person))"<br>
        # groupmembership_attribute = "Administrators"   -- removed: duplicate of the memberOf setting below, and a group name is not an attribute name<br>
        ldap_connections_number = 5<br>
        timeout = 40<br>
        timelimit = 30<br>
        net_timeout = 10<br>
        tls {<br>
                start_tls = no<br>
        }<br>
        dictionary_mapping = ${confdir}/ldap.attrmap<br>
        edir_account_policy_check = no<br>
        # group membership: name attribute, search filter, and the user attribute listing groups<br>
        groupname_attribute = cn<br>
        groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{control:Ldap-UserDn})))"<br>
        groupmembership_attribute = memberOf<br>
        chase_referrals = yes<br>
        rebind = yes<br>
        ldap_debug = 0x0028<br>
        keepalive {<br>
                idle = 60<br>
                probes = 3<br>
                interval = 3<br>
        }<br>
}<br>
<br>
<br>
Here is my debug info, and I know it's not working, because I don't even see it trying to contact the radius server, which is why I'm asking if there is a quick HowTo:<br>
rad_recv: Access-Request packet from host 127.0.0.1 port 33583, id=125, length=74<br>
        User-Name = "xxxxxxx"<br>
        User-Password = "xxxxxxx"<br>
        NAS-IP-Address = xx.xx.xxxx<br>
        NAS-Port = 0<br>
        Message-Authenticator = 0x1c451a3ee1cd4caabec9e764c4006d2b<br>
# Executing section authorize from file /etc/raddb/sites-enabled/default<br>
+- entering group authorize {...}<br>
++[preprocess] returns ok<br>
++[chap] returns noop<br>
++[mschap] returns noop<br>
++[digest] returns noop<br>
[suffix] No '@' in User-Name = "xxxxxx", looking up realm NULL<br>
[suffix] No such realm "NULL"<br>
++[suffix] returns noop<br>
[eap] No EAP-Message, not doing EAP<br>
++[eap] returns noop<br>
++[files] returns noop<br>
[sql]   expand: %{User-Name} -> xxxx<br>
[sql] sql_set_user escaped user --> 'xxxxxx'<br>
rlm_sql (sql): Reserving sql socket id: 3<br>
[sql]   expand: SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = '%{SQL-User-Name}' ORDER BY id -> SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = 'username' ORDER BY id<br>
[sql]   expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = 'xxxxxx' ORDER BY priority<br>
rlm_sql (sql): Released sql socket id: 3<br>
[sql] User username not found<br>
++[sql] returns notfound<br>
++[expiration] returns noop<br>
++[logintime] returns noop<br>
[pap] WARNING! No "known good" password found for the user.  Authentication may fail because of this.<br>
++[pap] returns noop<br>
ERROR: No authenticate method (Auth-Type) found for the request: Rejecting the user<br>
Failed to authenticate the user.<br>
Using Post-Auth-Type Reject<br>
# Executing group from file /etc/raddb/sites-enabled/default<br>
+- entering group REJECT {...}<br>
[attr_filter.access_reject]     expand: %{User-Name} -> xxxxx<br>
attr_filter: Matched entry DEFAULT at line 11<br>
++[attr_filter.access_reject] returns updated<br>
Delaying reject of request 1 for 1 seconds<br>
Going to the next request<br>
Waking up in 0.9 seconds.<br>
Sending delayed reject for request 1<br>
Sending Access-Reject of id 125 to 127.0.0.1 port 33583<br>
Waking up in 4.9 seconds.<br>
Cleaning up request 1 ID 125 with timestamp +2007<br>
Ready to process requests.<br>
<br>
<br>
Someone also posted that they can get ntlm_auth working with groups and you need to chat the stuff around? It would be great if someone could provide a how-to on getting this to work with dynamic VLAN.<br>
<br>
Any help would be greatly appreciated.<br>
<br>
Thanks<br>
<br>
-----</blockquote></div></div></div>
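As an added example (not code from this thread), a small Python parser that runs over `radiusd -X` output of the form quoted in the question and reports which modules ran in the authorize section and whether ldap was among them, plus whether the "No authenticate method (Auth-Type)" error occurred. The sample lines are constructed from the debug output in the post; the module and section names are the ones it shows.

```python
import re

# Constructed sample: the lines from the debug output quoted in the question
# that matter here (usernames masked as in the post).
SAMPLE_DEBUG = """\
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[suffix] returns noop
++[files] returns noop
[sql] User username not found
++[sql] returns notfound
++[pap] returns noop
ERROR: No authenticate method (Auth-Type) found for the request: Rejecting the user
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group REJECT {...}
++[attr_filter.access_reject] returns updated
"""

# "# Executing section X" and "+- entering group X" open a section; each
# "++[module] returns rcode" line records one module call inside it.
HEADER_RE = re.compile(r"^(?:# Executing section (\S+) from file|\+- entering group (\S+) \{)")
MODULE_RE = re.compile(r"^\+\+\[([\w.-]+)\] returns (\w+)$")
NO_AUTH_TYPE = "No authenticate method (Auth-Type) found"

def parse_modules(debug_text):
    """Map each section/group name to the [(module, rcode), ...] it executed."""
    sections, current = {}, None
    for line in debug_text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            current = m.group(1) or m.group(2)
            sections.setdefault(current, [])
            continue
        m = MODULE_RE.match(line)
        if m and current is not None:
            sections[current].append((m.group(1), m.group(2)))
    return sections

def diagnose(debug_text, required=("ldap",)):
    """Explain the reject: required modules that never ran, and a missing Auth-Type."""
    authorize = [mod for mod, _ in parse_modules(debug_text).get("authorize", [])]
    findings = [f"{mod} never ran in authorize (seen: {', '.join(authorize)}); "
                f"add {mod} to the authorize section of sites-enabled/default"
                for mod in required if mod not in authorize]
    if NO_AUTH_TYPE in debug_text:
        findings.append("no Auth-Type was set, so no module could verify the password")
    return findings
```

Running `diagnose(SAMPLE_DEBUG)` on the quoted output reports that ldap never ran in authorize and that no Auth-Type was set, which is why the request went straight to the REJECT group.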