Setting vlan tag based on authentication/authorization source
I have a freeradius setup (currently 1.1.1) for a VPN NAS box using 128-bit MPPE MSCHAPv2 authentication against a Samba password file and have recently added an EAP/PEAP setup for switches and access points to provide 802.1x access control. This all works, and I now need to check multiple Samba password files and depending on which one contains the users credentials return a VLAN tag to the switch. In users I think I need: DEFAULT something == "staff" Tunnel-Type:0 = VLAN, Tunnel-Medium-Type:0 = IEEE-802, Tunnel-Private-Group-Id:0 = 1000 DEFAULT something == "student" Tunnel-Type:0 = VLAN, Tunnel-Medium-Type:0 = IEEE-802, Tunnel-Private-Group-Id:0 = 1001 where 'something' gets set depending on which password file the username exists in. Note that usernames are mutually exclusive - they will only exist in one of the samba password files. I created multiple instances of passwd modules: passwd smbpasswd_staff { filename = /path/to/smbpasswd_staff format = "*User-Name::LM-Password:NT-Password:SMB- Account-CTRL-TEXT::" authtype = MS-CHAP hashsize = 100 ignorenislike = no allowmultiplekeys = no } passwd smbpasswd_student { filename = /path/to/smbpasswd_student format = "*User-Name::LM-Password:NT-Password:SMB- Account-CTRL-TEXT::" authtype = MS-CHAP hashsize = 100 ignorenislike = no allowmultiplekeys = no } and tried using realms and Autz-Type in the authorize section and changing User-Name to Stripped-User-Name, but this doesn't work with EAP. I would also prefer not to have the users specify some prefix or suffix to select which samba password file is check if possible. I've had a look through the list archives and can't find any hints so can anyone suggest what I could try next ? Tom -- Tom Whitehouse Department of Computer Science, University of York Heslington, York YO10 5DD, United Kingdom email: tomw@cs.york.ac.uk | Fax: +44 1904 432767 http://www.cs.york.ac.uk | Voice: +44 1904 434725
"Tom Whitehouse" <tomw@cs.york.ac.uk> wrote:
This all works, and I now need to check multiple Samba password files and depending on which one contains the users credentials return a VLAN tag to the switch. ... and tried using realms and Autz-Type in the authorize section and changing User-Name to Stripped-User-Name, but this doesn't work with EAP.
There should really be a page in the docs somewhere saying realms are mainly for proxying... In your case, my suggestion is the following: - add 2 new "string" attributes to the dictionary, Something-Group && Something-User - use regular expressions in the "hints" file to match the incoming User-Name, and create Something-Group and Something-User. e.g. DEFAULT User-Name =~ "(.*)x(.*)" Something-Group = `%{1}`, Something-User = `%{2}` Keep the rlm_passwd config, but change the key from User-Name to Something-User. Oh, and delete the "authtype = MS-CHAP" config. It probably should be removed from the server entirely. - in the "users" file, key off of Something-Group... This all presumes that the users log in with realms, so *they* tell the server which group they belong in. Alan DeKok.
participants (2)
-
Alan DeKok -
Tom Whitehouse