Jaume Obrador Vaquer <jobrador@lledoner.com> wrote:
Hi, we’ve set up freeradius 3.0 in order to authenticate users through an LDAP server, also users are assigned different VLAN depending on gidNumber ldap attribute. We have 2 enabled sites ‘default’ and ‘inner-tunnel’
You should be performing LDAP in the inner-tunnel server, not the default server, and use the EAP-PEAP copy_request_to_tunnel option to get stuff from the outer layer into the inner server, if you need it. Then use an update outer.session-state {} clause to get stuff back out to the outer (default) server as needed. Alternatively you can do some LDAP post-auth lookup stuff after leaking the inner-tunnel username back into the outer session, but you definitely want to do the actual "authenticate" step in the inner tunnel, whether that be by AD or LDAP. There should be a few examples of these configurations around by now. Also, FWIW, windows clients will postpend your domain name on the value in the "identity privacy" field. So if the username is foo@test.com and they put "anon" in this feild, the outer identity will be "anon@test.com". JFYI. Most other clients let you set a different domain if you want, Windows won't.