Freeradius LDAP VLAN default profile
Dear list, My first time I write on the mailing-list. I hope not boring or not already answered thousand of times. I would like to setup a classical radius with rlm_ldap authentication module. The auth works as expected when I add attribute on the user side OR in profile section with the default value. My question is, how I can handle vlan with group dynamicaly. I seen some response/thread that put each group in post-auth {}. But I would like to have all information / matching from LDAP directly not in config file. Do you have some input / docs to do this ? My current setup: $ radtest yverry password localhost -0 testing123 Sent Access-Request Id 214 from 0.0.0.0:59868 to 127.0.0.1:1812 length 92 User-Name = "yverry" User-Password = "password" NAS-IP-Address = 127.0.1.1 NAS-Port = 0 Message-Authenticator = 0x00 Cleartext-Password = "password" Received Access-Accept Id 214 from 127.0.0.1:1812 to 127.0.0.1:59868 length 78 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "10" Cisco-AVPair = "shell:priv-lvl=15" Juniper-Local-User-Name = "superuser" user { base_dn = "ou=people,${..base_dn}" filter = "(uid=%{User-Name})" } group { base_dn = "${..base_dn}" filter = '(objectClass=groupOfNames)' membership_attribute = 'memberOf' } profile { filter = '(objectclass=radiusprofile)' default = ???? (or cn=default-vlan,ou=profiles,ou=radius,dc=verry,dc=org) } I don't know the default I need to fill to do what I want. more output (debug is life) Listening on auth address * port 1812 bound to server default Listening on acct address * port 1813 bound to server default Listening on auth address :: port 1812 bound to server default Listening on acct address :: port 1813 bound to server default Listening on auth address 127.0.0.1 port 18120 bound to server inner-tunnel Listening on proxy address * port 54847 Listening on proxy address :: port 43874 Ready to process requests (0) Received Access-Request Id 214 from 127.0.0.1:59868 to 127.0.0.1:1812 length 92 (0) User-Name = "yverry" (0) User-Password = "password" (0) NAS-IP-Address = 127.0.1.1 (0) NAS-Port = 0 (0) Message-Authenticator = 0x1b83610509ae7a9da5eacfd22a8bd30c (0) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (0) authorize { (0) policy filter_username { (0) if (&User-Name) { (0) if (&User-Name) -> TRUE (0) if (&User-Name) { (0) if (&User-Name =~ / /) { (0) if (&User-Name =~ / /) -> FALSE (0) if (&User-Name =~ /@[^@]*@/ ) { (0) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (0) if (&User-Name =~ /\.\./ ) { (0) if (&User-Name =~ /\.\./ ) -> FALSE (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (0) if (&User-Name =~ /\.$/) { (0) if (&User-Name =~ /\.$/) -> FALSE (0) if (&User-Name =~ /@\./) { (0) if (&User-Name =~ /@\./) -> FALSE (0) } # if (&User-Name) = notfound (0) } # policy filter_username = notfound (0) [preprocess] = ok (0) suffix: Checking for suffix after "@" (0) suffix: No '@' in User-Name = "yverry", looking up realm NULL (0) suffix: No such realm "NULL" (0) [suffix] = noop (0) eap: No EAP-Message, not doing EAP (0) [eap] = noop (0) [files] = noop rlm_ldap (ldap): Reserved connection (0) (0) ldap: EXPAND (uid=%{User-Name}) (0) ldap: --> (uid=yverry) (0) ldap: Performing search in "ou=people,dc=verry,dc=org" with filter "(uid=yverry)", scope "sub" (0) ldap: Waiting for search result... (0) ldap: User object found at DN "cn=yverry,ou=people,dc=verry,dc=org" (0) ldap: Adding cacheable user object memberships (0) ldap: &control:LDAP-Group += "cn=netops-admin-users,ou=groups,dc=verry,dc=org" (0) ldap: Skipping caching group objects as directive 'group.membership_filter' is not set (0) ldap: Performing search in "cn=default-vlan,ou=profiles,ou=radius,dc=verry,dc=org" with filter "(objectclass=radiusprofile)", scope "base" (0) ldap: Waiting for search result... (0) ldap: Processing profile attributes (0) ldap: reply:Tunnel-Type := VLAN (0) ldap: reply:Tunnel-Medium-Type := IEEE-802 (0) ldap: reply:Tunnel-Private-Group-ID := '10' (0) ldap: Processing user attributes (0) ldap: control:Password-With-Header := '{SSHA}yGsohiWfreeradius/rulez8hWebvihsMIHi+Y' rlm_ldap (ldap): Released connection (0) Need 5 more connections to reach 10 spares rlm_ldap (ldap): Opening additional connection (5), 1 of 27 pending slots used rlm_ldap (ldap): Connecting to ldap://localhost:389 rlm_ldap (ldap): Waiting for bind result... rlm_ldap (ldap): Bind successful (0) [ldap] = updated (0) if ((ok || updated) && User-Password) { (0) if ((ok || updated) && User-Password) -> TRUE (0) if ((ok || updated) && User-Password) { (0) update { (0) control:Auth-Type := LDAP (0) } # update = noop (0) } # if ((ok || updated) && User-Password) = noop (0) [expiration] = noop (0) [logintime] = noop (0) pap: Converted: &control:Password-With-Header -> &control:SSHA1-Password (0) pap: Removing &control:Password-With-Header (0) pap: Normalizing SSHA1-Password from base64 encoding, 32 bytes -> 24 bytes (0) pap: WARNING: Auth-Type already set. Not setting to PAP (0) [pap] = noop (0) } # authorize = updated (0) Found Auth-Type = LDAP (0) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (0) Auth-Type LDAP { rlm_ldap (ldap): Reserved connection (1) (0) ldap: Login attempt by "yverry" (0) ldap: Using user DN from request "cn=yverry,ou=people,dc=verry,dc=org" (0) ldap: Waiting for bind result... (0) ldap: Bind successful (0) ldap: Bind as user "cn=yverry,ou=people,dc=verry,dc=org" was successful rlm_ldap (ldap): Released connection (1) (0) [ldap] = ok (0) } # Auth-Type LDAP = ok (0) # Executing section post-auth from file /etc/freeradius/3.0/sites-enabled/default (0) post-auth { (0) ldap: EXPAND . (0) ldap: --> . (0) ldap: EXPAND Authenticated at %S (0) ldap: --> Authenticated at 2021-07-03 22:44:58 rlm_ldap (ldap): Reserved connection (2) (0) ldap: Using user DN from request "cn=yverry,ou=people,dc=verry,dc=org" (0) ldap: Modifying object with DN "cn=yverry,ou=people,dc=verry,dc=org" (0) ldap: Waiting for modify result... rlm_ldap (ldap): Released connection (2) (0) [ldap] = ok (0) if (LDAP-Group == "netops-admin-users") { (0) Searching for user in group "netops-admin-users" rlm_ldap (ldap): Reserved connection (3) (0) Using user DN from request "cn=yverry,ou=people,dc=verry,dc=org" (0) Checking user object's memberOf attributes (0) Performing unfiltered search in "cn=yverry,ou=people,dc=verry,dc=org", scope "base" (0) Waiting for search result... (0) Processing memberOf value "cn=netops-admin-users,ou=groups,dc=verry,dc=org" as a DN (0) Resolving group DN "cn=netops-admin-users,ou=groups,dc=verry,dc=org" to group name (0) Performing unfiltered search in "cn=netops-admin-users,ou=groups,dc=verry,dc=org", scope "base" (0) Waiting for search result... (0) Group DN "cn=netops-admin-users,ou=groups,dc=verry,dc=org" resolves to name "netops-admin-users" (0) User found in group "netops-admin-users". Comparison between membership: name (resolved from DN "cn=netops-admin-users,ou=groups,dc=verry,dc=org"), check: name rlm_ldap (ldap): Released connection (3) (0) if (LDAP-Group == "netops-admin-users") -> TRUE (0) if (LDAP-Group == "netops-admin-users") { (0) update reply { (0) Cisco-AVPair = "shell:priv-lvl=15" (0) Juniper-Local-User-Name = "superuser" (0) } # update reply = noop (0) } # if (LDAP-Group == "netops-admin-users") = noop (0) if (session-state:User-Name && reply:User-Name && request:User-Name && (reply:User-Name == request:User-Name)) { (0) if (session-state:User-Name && reply:User-Name && request:User-Name && (reply:User-Name == request:User-Name)) -> FALSE (0) update { (0) No attributes updated (0) } # update = noop (0) [exec] = noop (0) policy remove_reply_message_if_eap { (0) if (&reply:EAP-Message && &reply:Reply-Message) { (0) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (0) else { (0) [noop] = noop (0) } # else = noop (0) } # policy remove_reply_message_if_eap = noop (0) } # post-auth = ok (0) Login OK: [yverry/dp9GXbGcUc2JesbaEkahJzQhvDrVUI78] (from client localhost port 0) (0) Sent Access-Accept Id 214 from 127.0.0.1:1812 to 127.0.0.1:59868 length 0 (0) Tunnel-Type := VLAN (0) Tunnel-Medium-Type := IEEE-802 (0) Tunnel-Private-Group-Id := "10" (0) Cisco-AVPair = "shell:priv-lvl=15" (0) Juniper-Local-User-Name = "superuser" (0) Finished request Waking up in 4.9 seconds. (0) Cleaning up request packet ID 214 with timestamp +3 Ready to process requests oh, and ldap part: dn: cn=yverry,ou=people,dc=verry,dc=org objectClass: inetOrgPerson objectClass: posixAccount objectClass: top objectClass: radiusprofile cn: yverry dn: cn=netops,ou=profiles,ou=radius,dc=verry,dc=org objectClass: radiusObjectProfile objectClass: top objectClass: radiusprofile cn: netops radiusTunnelMediumType: IEEE-802 radiusTunnelPrivateGroupId: 5 radiusTunnelType: VLAN dn: cn=netops-admin-users,ou=groups,dc=verry,dc=org objectClass: groupOfNames objectClass: radiusprofile cn: netops-admin-users member: cn=yverry,ou=people,dc=verry,dc=org ou: netops-admin-users radiusProfileDN: cn=netops,ou=profiles,ou=radius,dc=verry,dc=org radiusTunnelMediumType: IEEE-802 radiusTunnelPrivateGroupId: 5 radiusTunnelType: VLAN dn: cn=default-vlan,ou=groups,dc=verry,dc=org objectClass: groupOfNames cn: default-vlan member: cn=moi,ou=people,dc=verry,dc=org ou: netops-admin-users ldapsearch -x -LLL -H ldap:/// -b cn=yverry,ou=people,dc=verry,dc=org memberOf dn: cn=yverry,ou=people,dc=verry,dc=org memberOf: cn=netops-admin-users,ou=groups,dc=verry,dc=org Thank you, Yann
On 03.07.21 23:14, Yann Verry via Freeradius-Users wrote:
Dear list,
My first time I write on the mailing-list. I hope not boring or not already answered thousand of times.
I would like to setup a classical radius with rlm_ldap authentication module. The auth works as expected when I add attribute on the user side OR in profile section with the default value.
LDAP should not be used for authentication but for authorization. FreeRADIUS can do the authentication better than the backend LDAP.
My question is, how I can handle vlan with group dynamicaly. I seen some response/thread that put each group in post-auth {}.
You have to cache the LDAP-Group attribute and use this attribute later in processing to assign the correct VLAN. Perhaps you can get the idea from my blog. It is not exactly about assigning VLAN IDs, but I use the LDAP-Group to assign the CLass attribute. https://blog.sys4.de/strongswan-vpn-based-on-groups-en.html
But I would like to have all information / matching from LDAP directly not in config file.
Yes, you cannot use the ldap config file from RADIUS since this is only responisble for retrieving the info from LDAP server. Assingning the VLAN attribute has to be done later in processing.
Do you have some input / docs to do this ?
My current setup:
Michael Mit freundlichen Grüßen, -- [*] sys4 AG https://sys4.de, +49 (89) 30 90 46 64 Schleißheimer Straße 26/MG,80333 München Sitz der Gesellschaft: München, Amtsgericht München: HRB 199263 Vorstand: Patrick Ben Koetter, Marc Schiffbauer, Wolfgang Stief Aufsichtsratsvorsitzender: Florian Kirstein
participants (2)
-
Michael Schwartzkopff -
Yann Verry