multuple ldap freeradius ssid
Hi, I have a question. I already read how to make this, but I'm not sur if it works ! So, what do I want ? I have 2 SSID : students and an other staff. I want to have to ldap instance for authenticating my users. In the /module/ldap, I have set ldap students { some stuff } and ldap staff { some stuff}. But now, what i need to do ? My access point is Aruba. I can use this value "Aruba-Essid-Name" for choosing which instance i need to use. In the /site-avaible/inner-tunel, what i need to do ? Something like that ? if (Aruba-Essid-Name=="students") { students } elsif {staff} Thanks for your reply, and sorry for my english, I'm French ;) -- View this message in context: http://freeradius.1045715.n5.nabble.com/multuple-ldap-freeradius-ssid-tp4399... Sent from the FreeRadius - User mailing list archive at Nabble.com.
seb2020 <girard.seb@gmail.com> wrote:
I have a question. I already read how to make this, but I'm not sur if it works !
So, what do I want ? I have 2 SSID : students and an other staff. I want to have to ldap instance for authenticating my users.
You really do *not* want to do this. Have both the staff and students connect to the same SSID (for example 'eduroam') and use your RADIUS server to use an LDAP group check (or username style) to find out how to treat them. For example, place them into a different VLAN.
In the /module/ldap, I have set ldap students { some stuff } and ldap staff { some stuff}. But now, what i need to do ?
My access point is Aruba. I can use this value "Aruba-Essid-Name" for choosing which instance i need to use. In the /site-avaible/inner-tunel, what i need to do ?
Something like that ?
FreeRADIUS is (was?) a bit picky about how the if/else layout is, so you need: ---- if (Aruba-Essid-Name == "students") { ...students... } elsif { ...staff... } ---- I *strongly* recommend you go with the single SSID and use RADIUS in the background; getting everyone at a latter date to move to a different SSID is a real pain.
Thanks for your reply, and sorry for my english, I'm French ;)
We forgive you... ;) Cheers -- Alexander Clouter .sigmonster says: A modem is a baudy house.
Thanks for your reply ! I will do what you say me ! I will make one SSID and chech with the group my user with the OU of the user. My user is by example : user.group.locality.tree How I can retreive the group of my user ? And this verification, I need to make in this file /site-avaible/inner-tunel ? -----
From Switzerland -- View this message in context: http://freeradius.1045715.n5.nabble.com/Multiple-ldap-freeradius-ssid-tp4399... Sent from the FreeRadius - User mailing list archive at Nabble.com.
Thanks for your reply ! I will do what you say me ! I will make one SSID and check with the group my user with the OU of the user. My user is by example : user.group.locality.tree How I can retreive the numbers of letters in my loginname ? And this verification, I need to make in this file /site-avaible/inner-tunel ? with something like that ? But how i can retreive the length of the username with this code ? Use Regex ? modules/ldap: ldap { basedn = "ou=%{Tmp-String-0},o=XXX" ... } sites-available/... authorize { if (username have 3 letters) { update request { Tmp-String-0 = "ou=xx,ou=xx" } } elsif (username have 8 letters) { update request { Tmp-String-0 = "ou=xx,ou=xx" } } } In finally, I want to put my students in the VLAN students, and the staff in the VLAN staff -----
From Switzerland -- View this message in context: http://freeradius.1045715.n5.nabble.com/Multiple-ldap-freeradius-ssid-tp4399... Sent from the FreeRadius - User mailing list archive at Nabble.com.
seb2020 <girard.seb@gmail.com> wrote:
I will do what you say me ! I will make one SSID and check with the group my user with the OU of the user.
My user is by example : user.group.locality.tree
How I can retreive the numbers of letters in my loginname ? And this verification, I need to make in this file /site-avaible/inner-tunel ? with something like that ? But how i can retreive the length of the username with this code ? Use Regex ?
modules/ldap:
ldap { basedn = "ou=%{Tmp-String-0},o=XXX" ... }
sites-available/...
authorize { if (username have 3 letters) { update request { Tmp-String-0 = "ou=xx,ou=xx" } } elsif (username have 8 letters) { update request { Tmp-String-0 = "ou=xx,ou=xx" } } }
That's not going to work to great, it's also horrible :) If you do not have the option to use 'Ldap-Group' (you should be able to use LDAP groups, otherwise, why are you using LDAP?) to test group membership, then you will need to use something like what's below.
In finally, I want to put my students in the VLAN students, and the staff in the VLAN staff
The 'RFC' way to do it is add something like the following to your post-auth{} section ('authorize'/'authenticate' will Reject invalid users): ---- # defaults update reply { Tunnel-Type := VLAN Tunnel-Medium-Type := IEEE-802 Tunnel-Private-Group-Id := "unauthorised" Termination-Action := RADIUS-Request Session-Timeout := 300 Acct-Interim-Interval := 3600 } if (request:User-Name =~ /^.{3}$/) { update reply { Tunnel-Private-Group-Id := "staff" } } elsif (request:User-Name =~ /^.{8}$/) { update reply { Tunnel-Private-Group-Id := "student" } } if (reply:Tunnel-Private-Group-Id != "unauthorised") { update reply { # Cisco only support a max of 65535 Session-Timeout := 64800 } } ---- Aruba might expect something different, so you should check with *them* (remember, this is a FreeRADIUS support mailing list, *not* an Aruba one). Cheers -- Alexander Clouter .sigmonster says: A vivid and creative mind characterizes you.
Hi, I have test your solution like that : # defaults update reply { Tunnel-Type := VLAN Tunnel-Medium-Type := IEEE-802 Tunnel-Private-Group-Id := "unauthorised" Termination-Action := RADIUS-Request Session-Timeout := 300 Acct-Interim-Interval := 3600 } if (request:User-Name =~ /^.{3,4}$/) { update reply { Tunnel-Private-Group-Id := "staff" } } elsif (request:User-Name =~ /^.{7,8}$/) { update reply { Tunnel-Private-Group-Id := "student" } } if (reply:Tunnel-Private-Group-Id != "unauthorised") { update reply { # Cisco only support a max of 65535 Session-Timeout := 64800 } } But, if I test with this account : "aaaaaaa" (7 letters), I have a reponse like that : Tunnel-Private-Group-Id:0 = "staff". This is not correct And I have place this code in this file /site-enabled/default in the section post-auth. Is that correct ? Thanks -----
From Switzerland -- View this message in context: http://freeradius.1045715.n5.nabble.com/Multiple-ldap-freeradius-ssid-tp4399... Sent from the FreeRadius - User mailing list archive at Nabble.com.
seb2020 <girard.seb@gmail.com> wrote:
I have test your solution like that :
# defaults update reply { Tunnel-Type := VLAN Tunnel-Medium-Type := IEEE-802 Tunnel-Private-Group-Id := "unauthorised"
Termination-Action := RADIUS-Request Session-Timeout := 300
Acct-Interim-Interval := 3600 }
if (request:User-Name =~ /^.{3,4}$/) { update reply { Tunnel-Private-Group-Id := "staff" } } elsif (request:User-Name =~ /^.{7,8}$/) { update reply { Tunnel-Private-Group-Id := "student" } }
if (reply:Tunnel-Private-Group-Id != "unauthorised") { update reply { # Cisco only support a max of 65535 Session-Timeout := 64800 } }
But, if I test with this account : "aaaaaaa" (7 letters), I have a reponse like that : Tunnel-Private-Group-Id:0 = "staff". This is not correct
And I have place this code in this file /site-enabled/default in the section post-auth. Is that correct ?
Without the output from 'radiusd -X', I cannot help you. Regards -- Alexander Clouter .sigmonster says: Am I accompanied by a PARENT or GUARDIAN?
participants (2)
-
Alexander Clouter -
seb2020