Pietro Accerboni wrote:
Hi, here is my problem: 0) Cisco APs - Radius - Ldap authentication via 802.1x - PEAP - MSCHAPv2 works.
That's a good start.
1) I need to link the group of the user that try to authenticate with the SSID, so i can allow only a particular group of users to use a particular SSID/VLAN.
i.e. IF the user is in SSID, AND he is NOT in a particular group, THEN reject the request.
7) I really connot figure out a correct configuration of: * ldap module in radius.conf
If PEAP works, your LDAP configuration is mostly OK.
* selection in users
See below.
* mapping of group attribute in ldap.attrmap
Don't.
(radius.conf, module ldap) ... compare_check_items = yes (if i do not set this, all users with valid credentials can log in!)
Set this to "No". The current configuration is preventing the *proper* users from logging in:
If you see in the bottom of the log, 'rlm_ldap::ldap_groupcmp: User found in group 801' but also 'rlm_ldap: Pairs do not match. Rejecting user'
See? Don't set it. It's not needed.
(users) DEFAULT Cisco-AVPair=="ssid=SISSA-STAFF", Ldap-Group==800 Fall-Through = no
This says "match SSID AND ldap group" ... and do nothing else. Compare that to what you wrote in (1) above. What you want is: DEFAULT Cisco-AVPair=="ssid=SISSA-STAFF", Ldap-Group!=800, Auth-Type := Reject (all on one line). See "man users" for a description of the operators. Alan DeKok.