<html>
<head>
<style><!--
.hmmessage P
{
margin:0px;
padding:0px
}
body.hmmessage
{
font-size: 12pt;
font-family:Calibri
}
--></style></head>
<body class='hmmessage'><div dir='ltr'>Thanks for the quick reply.<BR> <BR>So, I was successfully able to set up AD with LDAP with the following config; my only issue is I still cannot assign the different VLAN based on the group they are in. <BR>I need the following to be set up:<BR>1. WIFI Student --> VLAN 93<BR>2. Ethernet Student --> VLAN 3<BR>3. WIFI Staff --> VLAN 94<BR>4. Ethernet Staff --> VLAN 4<BR> <BR>I was able to do it in the inner file with the following, but this is the OU container, not the group, and also can you filter WIFI vs LAN connections in here?:<BR>if (control:Ldap-UserDn =~ /OU=Staff/) {<br>                       update reply {<br>                               Tunnel-Type:1 := 13<br>                               Tunnel-Medium-Type:1 := 6<br>                               Tunnel-Private-Group-Id:1 := 3<br>                       }<br>                }<br>if (control:Ldap-UserDn =~ /OU=Student/) {<br>                       update reply {<br>                               Tunnel-Type:1 := 13<br>                               Tunnel-Medium-Type:1 := 6<br>                               Tunnel-Private-Group-Id:1 := 4<br>                       }<br>               }<br><BR> <BR>I notice you can define this in the users file, but I'm not sure if I got the syntax right. <BR> <BR>Should it be --> Ldap-Group == "CN=Student"? That doesn't work either, or am I doing something wrong here? How do I look up the group they are in using Ldap-Group? 
or do I use Ldap-UserDn?<BR> <BR>Thanks<BR> <BR> <BR>Here is my users file config:<BR>DEFAULT Ldap-Group == "OU=Student", NAS-Port-Type ==19<br>        Tunnel-Type := 13,<br>        Tunnel-Medium-Type := 6,<br>        Tunnel-Private-Group-ID := 93,<br>        Fall-Through := No<BR>DEFAULT Ldap-Group == "OU=Student"<BR>        Tunnel-Type := 13,<br>        Tunnel-Medium-Type := 6,<br>        Tunnel-Private-Group-ID := 4,<br>        Fall-Through := No<BR>DEFAULT Ldap-Group == "OU=Staff", NAS-Port-Type ==19<br>        Tunnel-Type := 13,<br>        Tunnel-Medium-Type := 6,<br>        Tunnel-Private-Group-ID := 94,<br>        Fall-Through := No<BR>DEFAULT Ldap-Group == "OU=Staff"<br>        Tunnel-Type := 13,<br>        Tunnel-Medium-Type := 6,<br>        Tunnel-Private-Group-ID := 4,<br>        Fall-Through := No<BR><br> <BR> <BR> <BR>Here is my LDAP config, if anyone decides to try LDAP to AD:<BR><br> ldap {<br>        server = "xxx.xxx.xxx"<br>        identity = "cn=xxxxx,cn=Users,dc=lcs,dc=on,dc=ca"<br>        password = "xxxxxxx" <br>        basedn = "dc=xxx,dc=xxx,dc=xxx"<br>        filter = "(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})" <br>        groupmembership_attribute = memberOf<BR>        ldap_connections_number = 5<BR>        timeout = 40<BR>        timelimit = 30<BR>        net_timeout = 10<BR>        tls {<br>                start_tls = no<BR><br>        }<BR><br>        dictionary_mapping = ${confdir}/ldap.attrmap<BR><br>        edir_account_policy_check = no<BR>         groupname_attribute = cn<br>         groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{control:Ldap-UserDn})))"<br>         groupmembership_attribute = memberOf<BR><br>        chase_referrals = yes<br>        rebind = yes<BR><br>        ldap_debug = 0x0028 <BR>        keepalive {<br>                idle = 60<BR>                probes = 3<BR>                interval = 3<br>        
}<br>}<BR> <BR> <BR><div><hr id="stopSpelling">Date: Mon, 8 Sep 2014 09:39:02 +0100<br>Subject: Re: Freeradius-Users Digest, Vol 113, Issue 26<br>From: ruyrybeyro@gmail.com<br>To: freeradius-users@lists.freeradius.org<br><br><div dir="ltr"><br><div class="ecxgmail_extra">Hi Felix,</div><div class="ecxgmail_extra"><br></div><div class="ecxgmail_extra">The best approach is to use the LDAP groups to select your VLAN. As you are starting, I would also advise you to upgrade to 2.2.5 or, better yet, version 3.</div><div class="ecxgmail_extra">It would be better too if you created a group for Wifi access instead of using the administrator group.</div><div class="ecxgmail_extra"><br></div><div class="ecxgmail_extra">You can write the logic for the VLAN in the users file or with unlang; if you search the list archive you will find plenty of examples.</div><div class="ecxgmail_extra"><br></div><div class="ecxgmail_extra">Taken from the end of my post-auth in inner-tunnel. I still advise you to peruse the archive to understand it better.</div><div class="ecxgmail_extra"><br></div><div class="ecxgmail_extra"><div class="ecxgmail_extra"><span style="white-space: pre;">       </span>if ( Ldap-Group == "staff" ) {</div><div class="ecxgmail_extra"><span style="white-space: pre;">           </span>if (!(Operator-Name)) {</div><div class="ecxgmail_extra">                       update reply {</div><div class="ecxgmail_extra">               <span style="white-space: pre;">                    </span>User-Name  := "%{request:User-Name}"</div><div class="ecxgmail_extra">                <span style="white-space: pre;">                </span>Service-Type := "Framed-User"</div><div class="ecxgmail_extra">                <span style="white-space: pre;">            </span>Framed-MTU := 1300</div><div class="ecxgmail_extra">                <span style="white-space: pre;">         </span>Tunnel-Type := VLAN</div><div class="ecxgmail_extra">                <span style="white-space: pre;">      
          </span>Tunnel-Medium-Type := IEEE-802</div><div class="ecxgmail_extra">                               <span style="white-space: pre;">      </span>Tunnel-Private-Group-Id := "7"   </div><div class="ecxgmail_extra">                               <span style="white-space: pre;">       </span>Reply-Message := "staff VLAN"</div><div class="ecxgmail_extra">                       }</div><div class="ecxgmail_extra"><span style="white-space: pre;">                </span>}</div><div class="ecxgmail_extra"><span style="white-space: pre;">  </span>}</div><div class="ecxgmail_extra"><span style="white-space: pre;">  </span>elsif ( Ldap-Group == "student" ) {</div><div class="ecxgmail_extra"><span style="white-space: pre;">              </span>if (!(Operator-Name)) {</div><div class="ecxgmail_extra">                       update reply {</div><div class="ecxgmail_extra">               <span style="white-space: pre;">                    </span>User-Name  := "%{request:User-Name}"</div><div class="ecxgmail_extra">                <span style="white-space: pre;">                </span>Service-Type := "Framed-User"</div><div class="ecxgmail_extra">                <span style="white-space: pre;">            </span>Framed-MTU := 1300</div><div class="ecxgmail_extra">                <span style="white-space: pre;">         </span>Tunnel-Type := VLAN</div><div class="ecxgmail_extra">                <span style="white-space: pre;">                </span>Tunnel-Medium-Type := IEEE-802</div><div class="ecxgmail_extra">                            <span style="white-space: pre;">   </span>Tunnel-Private-Group-Id := "9"</div><div class="ecxgmail_extra">                               <span style="white-space: pre;">    </span>Reply-Message := "student VLAN"</div><div class="ecxgmail_extra">                       }</div><div class="ecxgmail_extra"><span style="white-space: pre;">              </span>}</div><div class="ecxgmail_extra"><span style="white-space: pre;">  </span>}</div><div 
class="ecxgmail_extra"><span style="white-space: pre;">  </span>else {</div><div class="ecxgmail_extra"><span style="white-space: pre;">             </span>reject</div><div class="ecxgmail_extra"><span style="white-space: pre;">     </span>}</div></div><div class="ecxgmail_extra"><br></div><div class="ecxgmail_extra">Regards,</div><div class="ecxgmail_extra">Rui Ribeiro</div><div class="ecxgmail_extra">Senior Sysadm</div><div class="ecxgmail_extra">ISCTE-IUL</div><div class="ecxgmail_extra"><a href="https://www.linkedin.com/pub/rui-ribeiro/16/ab8/434" target="_blank">https://www.linkedin.com/pub/rui-ribeiro/16/ab8/434</a><br></div><div class="ecxgmail_extra"><br><div class="ecxgmail_quote"><blockquote class="ecxgmail_quote" style="padding-left: 1ex; border-left-color: rgb(204, 204, 204); border-left-width: 1px; border-left-style: solid;"><br>
<br>
Message: 2<br>
Date: Mon, 8 Sep 2014 04:14:31 -0400<br>
From: Lord Felix <<a href="mailto:felix107@msn.com">felix107@msn.com</a>><br>
To: "<a href="mailto:freeradius-users@lists.freeradius.org">freeradius-users@lists.freeradius.org</a>"<br>
        <<a href="mailto:freeradius-users@lists.freeradius.org">freeradius-users@lists.freeradius.org</a>><br>
Subject: How-To for setting up ldap for Active Directory<br>
Message-ID: <BAY172-W14882D57281A381E1D91438DC10@phx.gbl><br>
Content-Type: text/plain; charset="iso-8859-1"<br>
<br>
Hi Everyone,<br>
<br>
I'm new to freeRadius and I've been reading some of the mailing list e-mails.<br>
<br>
I've got freeRadius with CentOS 6, which is version 2.1.12, installed.<br>
<br>
So I've followed the instructions for getting freeRadius working with ntlm_auth and Windows 2012 Active Directory, based on the link below:<br>
<a href="http://deployingradius.com/documents/configuration/active_directory.html" target="_blank">http://deployingradius.com/documents/configuration/active_directory.html</a><br>
<br>
Everything works great!<br>
<br>
The only issue is now I need Dynamic VLAN working, and I also need to look up the MAC address from an MSSQL database to validate the user to allow access to the network.<br>
<br>
After reading more about ntlm_auth, it will only respond true or false, and this method doesn't really help with what I want to accomplish.<br>
<br>
What I need to do is, based on what group the user belongs to, assign them to that specific VLAN, i.e. if you are staff you go to VLAN 7 and if you are a student you go to VLAN 9.<br>
<br>
Is there any How-To guide for setting up ldap for Active Directory just like the link above?<br>
<br>
I've tried to set up the ldap module and I'm running into issues.<br>
<br>
This is what my ldap config looks like:<br>
<br>
ldap {<br>
        server = "xxx.xxx.xxx"<br>
        basedn = "dc=xxx,dc=xxx,dc=xxx"<br>
        filter = (&(sAMAccountname=%{Stripped-User-Name:-%{User-Name}})(objectClass=person))<br>
        groupmembership_attribute = "Administrators"<br>
        ldap_connections_number = 5<br>
        timeout = 40<br>
        timelimit = 30<br>
        net_timeout = 10<br>
        tls {<br>
                start_tls = no<br>
        }<br>
       dictionary_mapping = ${confdir}/ldap.attrmap<br>
        edir_account_policy_check = no<br>
         groupname_attribute = cn<br>
         groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{control:Ldap-UserDn})))"<br>
         groupmembership_attribute = memberOf<br>
        chase_referrals = yes<br>
        rebind = yes<br>
        ldap_debug = 0x0028<br>
        keepalive {<br>
                idle = 60<br>
                probes = 3<br>
                interval = 3<br>
        }<br>
}<br>
<br>
<br>
Here is my debug info, and I know it's not working, because I don't even see it trying to contact the radius server, which is why I'm asking if there is a quick HowTo:<br>
rad_recv: Access-Request packet from host 127.0.0.1 port 33583, id=125, length=74<br>
        User-Name = "xxxxxxx"<br>
        User-Password = "xxxxxxx"<br>
        NAS-IP-Address = xx.xx.xxxx<br>
        NAS-Port = 0<br>
        Message-Authenticator = 0x1c451a3ee1cd4caabec9e764c4006d2b<br>
# Executing section authorize from file /etc/raddb/sites-enabled/default<br>
+- entering group authorize {...}<br>
++[preprocess] returns ok<br>
++[chap] returns noop<br>
++[mschap] returns noop<br>
++[digest] returns noop<br>
[suffix] No '@' in User-Name = "xxxxxx", looking up realm NULL<br>
[suffix] No such realm "NULL"<br>
++[suffix] returns noop<br>
[eap] No EAP-Message, not doing EAP<br>
++[eap] returns noop<br>
++[files] returns noop<br>
[sql]   expand: %{User-Name} -> xxxx<br>
[sql] sql_set_user escaped user --> 'xxxxxx'<br>
rlm_sql (sql): Reserving sql socket id: 3<br>
[sql]   expand: SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = '%{SQL-User-Name}' ORDER BY id -> SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = 'username' ORDER BY id<br>
[sql]   expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = 'xxxxxx' ORDER BY priority<br>
rlm_sql (sql): Released sql socket id: 3<br>
[sql] User username not found<br>
++[sql] returns notfound<br>
++[expiration] returns noop<br>
++[logintime] returns noop<br>
[pap] WARNING! No "known good" password found for the user.  Authentication may fail because of this.<br>
++[pap] returns noop<br>
ERROR: No authenticate method (Auth-Type) found for the request: Rejecting the user<br>
Failed to authenticate the user.<br>
Using Post-Auth-Type Reject<br>
# Executing group from file /etc/raddb/sites-enabled/default<br>
+- entering group REJECT {...}<br>
[attr_filter.access_reject]     expand: %{User-Name} -> xxxxx<br>
attr_filter: Matched entry DEFAULT at line 11<br>
++[attr_filter.access_reject] returns updated<br>
Delaying reject of request 1 for 1 seconds<br>
Going to the next request<br>
Waking up in 0.9 seconds.<br>
Sending delayed reject for request 1<br>
Sending Access-Reject of id 125 to 127.0.0.1 port 33583<br>
Waking up in 4.9 seconds.<br>
Cleaning up request 1 ID 125 with timestamp +2007<br>
Ready to process requests.<br>
<br>
<br>
Someone also posted that they can get ntlm_auth working with groups and you need to chat the stuff around? It would be great if someone could provide a how-to on this to work with dynamic VLAN.<br>
<br>
Any help would be greatly appreciated.<br>
<br>
Thanks<br>
<br>
-----</blockquote></div></div></div>
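<div><br>Added example, not from any message in this thread: an unlang block for the post-auth section of sites-enabled/inner-tunnel that selects the four VLANs Felix asks for (93/3 for student WiFi/Ethernet, 94/4 for staff) by LDAP group name, as in Rui's snippet, and by port type, as in Felix's users file. It assumes AD groups whose CN is "staff" and "student" (matched through groupname_attribute = cn), that the wireless controller sends NAS-Port-Type = Wireless-802.11 (19) and the switches send Ethernet (15), and that NAS-Port-Type is read from the outer request, since the inner tunnel request only carries it when copy_request_to_tunnel is enabled in eap.conf.</div>

```unlang
# Added example (not from the thread): post-auth section of
# sites-enabled/inner-tunnel.  Ldap-Group is compared against the group CN
# (groupname_attribute = cn); "staff" and "student" are assumed group names.
# NAS-Port-Type is taken from the outer request: 19 = Wireless-802.11,
# 15 = Ethernet (standard RADIUS values).
post-auth {
    if (Ldap-Group == "staff") {
        if ("%{outer.request:NAS-Port-Type}" == "Wireless-802.11") {
            update reply {
                Tunnel-Private-Group-Id := "94"
            }
        }
        elsif ("%{outer.request:NAS-Port-Type}" == "Ethernet") {
            update reply {
                Tunnel-Private-Group-Id := "4"
            }
        }
    }
    elsif (Ldap-Group == "student") {
        if ("%{outer.request:NAS-Port-Type}" == "Wireless-802.11") {
            update reply {
                Tunnel-Private-Group-Id := "93"
            }
        }
        elsif ("%{outer.request:NAS-Port-Type}" == "Ethernet") {
            update reply {
                Tunnel-Private-Group-Id := "3"
            }
        }
    }

    # Default deny: a user in neither group, or a request from an unexpected
    # port type, gets an Access-Reject instead of a fallback VLAN.
    if ("%{reply:Tunnel-Private-Group-Id}" == "") {
        reject
    }

    # The VLAN id is only meaningful together with the tunnel type and medium.
    update reply {
        Tunnel-Type := VLAN
        Tunnel-Medium-Type := IEEE-802
        Reply-Message := "VLAN %{reply:Tunnel-Private-Group-Id}"
    }
}
```

<div>The reply attributes set inside the tunnel only reach the NAS when use_tunneled_reply = yes is set for the EAP method (peap or ttls) in eap.conf; anything not explicitly mapped, including an unknown port type, is rejected rather than landing on a default VLAN.</div>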
<br>-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html</div>                                        </div></body>
</html>