VLAN ID based on VSAs
Hi, my first post here, a newbie question, thanks for your help. I'm going to set up two freeradius servers (2.1.7 on RHEL 5.5). ServerB will be connected to an AP and I want it to proxy all EAP requests to serverA (TTLS-PAP will be the only method accepted) which will do authentication using an OpenLDAP backend. My question: I'd like to configure serverA to include in the Access-Accept packet some AVPs which are specific to my Organization, like department_name, employee_role (I believe these are the so called VSAs), and I'd like serverB to perform some if-then-else logic on these VSAs to dinamically calculate the VLAN-ID to return to the AP. Is this possible (in a simple way)? Is it a common set up? Thanks, Stefano
On 05/03/12 09:38, Stefano Zanmarchi wrote:
Hi, my first post here, a newbie question, thanks for your help. I'm going to set up two freeradius servers (2.1.7 on RHEL 5.5). ServerB will be connected to an AP and I want it to proxy all EAP requests to serverA (TTLS-PAP will be the only method accepted) which will do authentication using an OpenLDAP backend.
Ok. That's a weird config, but ok.
My question: I'd like to configure serverA to include in the Access-Accept packet some AVPs which are specific to my Organization, like department_name, employee_role (I believe these are the so called VSAs), and I'd like serverB to perform some if-then-else logic on these VSAs to dinamically calculate the VLAN-ID to return to the AP. Is this possible (in a simple way)? Is it a common set up?
It's not common. It is pretty easy though; on serverB do something like this: post-proxy { ... # Ensure this filter permits "Some-Attr" attr_filter.name } post-auth { if (reply:Some-Attr == ...) { update reply { My-Vlan := 123 } } } See the sample config for more details on the attr_filter module, and "man unlang" for more info on processing.
Thanks a lot Phil for your kind answer. Could you please tell me which is the weird part of the configuration? Do you mean the use of ttls-pap with openldap or the fact that serverB is there only to proxy requests to serverA? On Mon, Mar 5, 2012 at 11:58 AM, Phil Mayers <p.mayers@imperial.ac.uk> wrote:
On 05/03/12 09:38, Stefano Zanmarchi wrote:
I'm going to set up two freeradius servers (2.1.7 on RHEL 5.5). ServerB will be connected to an AP and I want it to proxy all EAP requests to serverA (TTLS-PAP will be the only method accepted) which will do authentication using an OpenLDAP backend.
Ok. That's a weird config, but ok.
On 05/03/12 12:56, Stefano Zanmarchi wrote:
Thanks a lot Phil for your kind answer. Could you please tell me which is the weird part of the configuration? Do you mean the use of ttls-pap with openldap or the fact that serverB is there only to proxy requests to serverA?
The latter. I'm sure you have your reasons, but since FreeRADIUS is used in both places, I'm not sure why you would proxy it - just do it all on one server. Also: you said you were going to use FreeRADIUS 2.1.7. DON'T. Use 2.1.12, it's got loads of bug fixes.
participants (2)
-
Phil Mayers -
Stefano Zanmarchi