tnt@kalik.net a écrit :
Here is one policy that I wish to make work.
1- a client connects to a 802.1x protected VLAN ID 10 ( per port basis configuration on the switch) --> this client has some of the following LDAP attributes: uid = bobalice radiusTunnelPrivateGroupID = 20 radiusTunnelType = VLAN radiusMediumType = IEEE-802 radiusCallingStationId = 00-21-42-42-87-b1 radiusUserCategory = ADMIN 2- Fisrt I want to checkthe following attributes, and if not correct, reject the user: radiusTunnelType = VLAN radiusMediumType = IEEE-802
Are those two attributes in the access request? If they are, map them as check items in ldap.attrmap.
radiusCallingStationId = 00-21-42-42-87-b1
This is already in ldap.attrmap.
radiusUserCategory = ADMIN
Where is that suposed to come from?
3- Then I want to authenticate and authorise the user if login/password are correct
Fine. Nothing to do.
4 - Then Move him into the appropriate VLAN ID 20 instead of ID10 based on this attribute: radiusTunnelPrivateGroupID = 20
Map that as reply item in ldap.attrmap. You will need tunnel and medium type in the reply as well. So add them too.
Ivan Kalik Kalik Informatika ISP
Here is the content of a packet received by radiusd: rad_recv: Access-Request packet from host 10.1.1.2 port 1692, id=171, length=302 Framed-MTU = 1480 NAS-IP-Address = 10.1.1.2 NAS-Identifier = "Test Switch " User-Name = "bobalice" Service-Type = Framed-User Framed-Protocol = PPP NAS-Port = 1 NAS-Port-Type = Ethernet NAS-Port-Id = "20" Called-Station-Id = "00-11-f3-1d-5d-00" Calling-Station-Id = "00-14-b2-7a-87-b4" Connect-Info = "CONNECT Ethernet 100Mbps Full duplex" Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "1" State = 0xff747043ff76690706eed2dfa8b93b90 EAP-Message = 0x0202005019800981004616030100410100003d030149dce2350a464fb33bb5333ee36c942769f84056fcb49ef5371ee91f0503103800001600040005000a000990640062000300060013001200630100 Message-Authenticator = 0xec90edc178afb509db4131a36bfe42fe Futhermore, to reply to Alan about the radiusUserCategory, it is given with the radius.schema for ldap. Is it a useless attribute then? I'll be checking this afternoon and testing about putting more info in ldap.attrmap to see if the filters work. I let you know. Regards, Matt