Re: Referencing LDAP attributes in post-auth
Full debug please.
Broadly speaking the approach you're trying should work. Most likely there's some subtlety which the partial debug doesn't show.
One obvious question: you have defined "Person-Type" in a dictionary somewhere, haven't you? e.g. in raddb/dictionary:
ATTRIBUTEPerson-Type3099string
Also, the usual "upgrade 2.1.8 is a bit old" note goes here ;o)
I recently saw another question along the same lines as this, so decided to give this another go... Am now running 2.1.10, and yes, Person-Type is defined in dictionary and ldap.attrmap. I've also defined in dictionary the following in hopes of passing on the value of Person-Type to this attribute: ATTRIBUTE Person-Group 3001 string For the (outer) virtual server, in the authorize block I have the following: ... ldap update control { Person-Group = "%{reply:Person-Type}" } ... In post-auth: ... update reply { Reply-Message := "You are %{control:Person-Group}." } ... I still cannot figure out how to pass this value from authorize to post-auth. BTW, this is a multi-valued attribute, so what I'm really trying to do is to call a perl script in post-auth to iterate through all possible values, and set vlan based on whether a particular value exists, thus shouldn't be done within authroize. Debug attached (I hope).. can't seem to post with it on here due to 100KB limit. A.
Adam Track wrote:
I recently saw another question along the same lines as this, so decided to give this another go... Am now running 2.1.10, and yes, Person-Type is defined in dictionary and ldap.attrmap. I've also defined in dictionary the following in hopes of passing on the value of Person-Type to this attribute:
ATTRIBUTE Person-Group 3001 string
For the (outer) virtual server, in the authorize block I have the following: ... ldap update control { Person-Group = "%{reply:Person-Type}" }
That should work.
In post-auth: ... update reply { Reply-Message := "You are %{control:Person-Group}." } ...
And that should work too.
I still cannot figure out how to pass this value from authorize to post-auth.
It works for PAP. The only reason it doesn't work is you're running EAP, and that's more complicated.
BTW, this is a multi-valued attribute, so what I'm really trying to do is to call a perl script in post-auth to iterate through all possible values, and set vlan based on whether a particular value exists, thus shouldn't be done within authroize. Debug attached (I hope).. can't seem to post with it on here due to 100KB limit.
There's no need for a 100KB debug output. Try a *simple* test. Alan DeKok.
I still cannot figure out how to pass this value from authorize to post-auth.
It works for PAP. The only reason it doesn't work is you're running EAP, and that's more complicated.
Is there something extra that needs to be done in order for the value to be preserved when running EAP?
There's no need for a 100KB debug output. Try a *simple* test.
What tool(s) can I use to run a simple EAP test that would still use AD for authentication and LDAP for authorization? Thanks, A.
Hi,
I still cannot figure out how to pass this value from authorize to post-auth.
It works for PAP. The only reason it doesn't work is you're running EAP, and that's more complicated.
Is there something extra that needs to be done in order for the value to be preserved when running EAP?
There's no need for a 100KB debug output. Try a *simple* test.
What tool(s) can I use to run a simple EAP test that would still use AD for authentication and LDAP for authorization?
eapol_test ? alan
> >> I still cannot figure out how to pass this value from authorize to > >> post-auth. > > > > It works for PAP. The only reason it doesn't work is you're running > > EAP, and that's more complicated. > > Is there something extra that needs to be done in order for the value to > be preserved when running EAP? > > > There's no need for a 100KB debug output. Try a *simple* test. > > What tool(s) can I use to run a simple EAP test that would still use AD > for authentication and LDAP for authorization? eapol_test ?
Thanks, I'll give it a try and post the debug. Am I wrong to be surprised that there is no answer for the first question, though? There has to be a great many users out there using EAP and assigning dynamic VLAN based on LDAP attributes.... or, not? A.
Hi,
Thanks, I'll give it a try and post the debug. Am I wrong to be surprised that there is no answer for the first question, though? There has to be a great many users out there using EAP and assigning dynamic VLAN based on LDAP attributes.... or, not?
I know of many - it depends on how you are doing it - are you doing post-auth in the inner-tunnel, or in the outer virtual-server after EAP has been done? just assign a standard RADIUS attribute and it will be there for you to use in eg PERL (so long as you copy-to-tunnel in your EAP config) alan
Thanks, I'll give it a try and post the debug. Am I wrong to be surprised
that there is no answer for the first question, though? There has to be a great many users out there using EAP and assigning dynamic VLAN based on LDAP attributes.... or, not?
I know of many - it depends on how you are doing it - are you doing post-auth in the inner-tunnel, or in the outer virtual-server after EAP has been done? just assign a standard RADIUS attribute and it will be there for you to use in eg PERL (so long as you copy-to-tunnel in your EAP config)
copy_request_to_tunnel = yes As mentioned earlier, I am assigning a standard RADIUS attribute, but the value I'm passing to it is not there when I call it, which is in the post_auth of the outer virtual server.. I figured it made sense to put it there, since I call the LDAP module in the authroize section of the outer virtual server. Should this be done in the inner-tunnel? I guess I'll give that a try too... Thanks, A.
Hi,
copy_request_to_tunnel = yes
As mentioned earlier, I am assigning a standard RADIUS attribute, but the value I'm passing to it is not there when I call it, which is in the post_auth of the outer virtual server.. I figured it made sense to put it there, since I call the LDAP module in the authroize section of the outer virtual server. Should this be done in the inner-tunnel? I guess I'll give that a try too...
why call LDAP in the outerid for EAP- surely call it in the inner-tunnel instead (and put some protection around it so that its only called when needed - right now, if you look, you'll see your LDAP whacked all over the place during requests coming through - at least 3x more queries to the LDAP than you need.) alan
why call LDAP in the outerid for EAP- surely call it in the inner-tunnel instead
(and put some protection around it so that its only called when needed - right now, if you look, you'll see your LDAP whacked all over the place during requests coming through - at least 3x more queries to the LDAP than you need.)
Well, thanks so much Alan, putting all of this into the inner-tunnel authorization block finally allows me to get the value in post-auth block (of the inner-tunnel). The reason why I put this into the outer tunnel was because I'm calling LDAP for authorization only so I didn't think it should mix with the authentication done in the inner tunnel, where EAP comes into play.. guess I was wrong.
participants (3)
-
Adam Track -
Alan Buxey -
Alan DeKok