I've successfully gotten AD auth working, and now I'd like to be able to assign VLAN's based on group membership, but I'm having a hard time figuring out where and how to do that. Where do I put the "if" statements to check group membership? Does AD auth even work like this, or do I need to be using LDAP auth? Thank you, -Scott
I found this thread which seems to do what I am asking, but I just don't know where to put this statement. http://lists.freeradius.org/pipermail/freeradius-users/2012-January/058458. html Any insight would be appreciated. -Scott
I found this thread which seems to do what I am asking, but I just don't know where to put this statement. http://lists.freeradius.org/pipermail/freeradius-users/2012-January/058458 . html Any insight would be appreciated.
Okay, I figured out where to put the "if" statement (in sites-enabled/default, for anyone stumped like I was), but it doesn't work. I'm assuming this is because I'm using Samba instead of LDAP. Is there another way to get conditional replies based on group membership while still using EAP?
If anyone cares, I got this working by calling a script that contained the following: #!/bin/sh for T in $(wbinfo --user-domgroups `wbinfo -n $1`) ; do wbinfo -s $T | perl -ne 'chomp and print'; done Which outputs a string containing all the groups the username is a member of. I called the script from sites-available/default under post-auth like so: if (`/bin/sh /etc/freeradius/get_group.sh %{User-Name}` =~ /String.To.Match/) { update reply { Tunnel-type = VLAN Tunnel-medium-type = IEEE-802 Tunnel-Private-Group-Id = 456 } } This was frustrating to figure out, but a good learning experience. --Scott
On Wed, Mar 7, 2012 at 4:28 AM, Scott McLane Gardner <sgardne@uark.edu> wrote:
If anyone cares, I got this working by calling a script that contained the following:
That's odd. Did you properly setup the AD as LDAP server in raddb/modules/ldap (or whatever file name you use)?
if (`/bin/sh /etc/freeradius/get_group.sh %{User-Name}` =~
I didn't know you can do that :D -- Fajar
On 3/6/12 3:55 PM, "Fajar A. Nugraha" <list@fajar.net> wrote:
On Wed, Mar 7, 2012 at 4:28 AM, Scott McLane Gardner <sgardne@uark.edu> wrote:
If anyone cares, I got this working by calling a script that contained the following:
That's odd. Did you properly setup the AD as LDAP server in raddb/modules/ldap (or whatever file name you use)?
No, I didn't set it up as an LDAP server since you apparently can't use LDAP and EAP at the same time. (Unless I'm reading the documentation wrong.) -Scott
On Wed, Mar 7, 2012 at 4:57 AM, Scott McLane Gardner <sgardne@uark.edu> wrote:
On 3/6/12 3:55 PM, "Fajar A. Nugraha" <list@fajar.net> wrote:
On Wed, Mar 7, 2012 at 4:28 AM, Scott McLane Gardner <sgardne@uark.edu> wrote:
If anyone cares, I got this working by calling a script that contained the following:
That's odd. Did you properly setup the AD as LDAP server in raddb/modules/ldap (or whatever file name you use)?
No, I didn't set it up as an LDAP server since you apparently can't use LDAP and EAP at the same time. (Unless I'm reading the documentation wrong.)
Yes, you can :) You CAN'T use some EAP types (e.g. EAP-PEAP-MSCHAPv2) when authenticating using LDAP bind (i.e. set Auth-Type to LDAP). You CAN use LDAP as a plain database no matter what authentication method you use (in this case you're simply using it for group check, not for authentication). -- Fajar
On 3/6/12 3:59 PM, "Fajar A. Nugraha" <list@fajar.net> wrote:
On Wed, Mar 7, 2012 at 4:57 AM, Scott McLane Gardner <sgardne@uark.edu> wrote:
On 3/6/12 3:55 PM, "Fajar A. Nugraha" <list@fajar.net> wrote:
On Wed, Mar 7, 2012 at 4:28 AM, Scott McLane Gardner <sgardne@uark.edu> wrote:
If anyone cares, I got this working by calling a script that contained the following:
That's odd. Did you properly setup the AD as LDAP server in raddb/modules/ldap (or whatever file name you use)?
No, I didn't set it up as an LDAP server since you apparently can't use LDAP and EAP at the same time. (Unless I'm reading the documentation wrong.)
Yes, you can :)
You CAN'T use some EAP types (e.g. EAP-PEAP-MSCHAPv2) when authenticating using LDAP bind (i.e. set Auth-Type to LDAP).
You CAN use LDAP as a plain database no matter what authentication method you use (in this case you're simply using it for group check, not for authentication).
-- Fajar
Can you expand on how this is done? I am a freeradius newbie and don't really understand how all the pieces fit together.
Hi, On Tue, Mar 06, 2012 at 10:01:30PM +0000, Scott McLane Gardner wrote:
You CAN use LDAP as a plain database no matter what authentication method you use (in this case you're simply using it for group check, not for authentication).
Can you expand on how this is done? I am a freeradius newbie and don't really understand how all the pieces fit together.
Configure the ldap module (raddb/modules/ldap) appropriately, then you can use unlang to check for a group, such as authorize { ... ldap if (Ldap-Group == "An-Ldap-Group") { update reply { Tunnel-type = VLAN Tunnel-medium-type = IEEE-802 Tunnel-Private-Group-Id = 456 } } ... } For an example (with some ldap config), see the eap-tls example I wrote recently (don't do it in that file - just look at the ldap example). https://github.com/alandekok/freeradius-server/blob/master/raddb/sites-avail... The example ldap settings there are for AD, although for certificates rather than users. e.g. you probably want the filter to be (sAMAccountName=%{User-Name}) instead, for a start. Calling out to shell scripts may be slower, which can cause you problems. Matthew -- Matthew Newton, Ph.D. <mcn4@le.ac.uk> Systems Architect (UNIX and Networks), Network Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk>
Okay, I am a couple steps closer, but still having trouble. My radius server is saying my test user is not in the group I'm filtering for, however I know that it is. My sites-available/default config looks like: authorize ... ldap if (Ldap-Group == "PWHC Secure Wireless") { update reply { Tunnel-type = VLAN Tunnel-medium-type = IEEE-802 Tunnel-Private-Group-Id = 456 } } ... And my modules/ldap config looks like: ldap { # # Note that this needs to match the name in the LDAP # server certificate, if you're using ldaps. server = "adserver.example.com" identity = "cn=admin,ou=users,dc=example,dc=com" password = adminpass basedn = "ou=users,dc=example,dc=com" filter = "(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})" ... And I'm receiving the following log messages: [ldap] performing user authorization for username [ldap] expand: %{Stripped-User-Name} -> [ldap] ... expanding second conditional [ldap] expand: %{User-Name} -> username [ldap] expand: (sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}}) -> (sAMAccountName=username) [ldap] expand: ou=users,dc=example,dc=com -> ou=users,dc=example,dc=com [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] attempting LDAP reconnection [ldap] (re)connect to adserver.uark.edu:389, authentication 0 [ldap] bind as cn=netoc,ou=users,dc=example,dc=com/password to adserver.uark.edu:389 [ldap] waiting for bind result ... [ldap] Bind was successful [ldap] performing search in ou=users,dc=example,dc=com, with filter (sAMAccountName=username) [ldap] No default NMAS login sequence [ldap] looking for check items in directory... [ldap] looking for reply items in directory... WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly? [ldap] user username authorized to use remote access [ldap] ldap_release_conn: Release Id: 0 ++[ldap] returns ok ++? if (Ldap-Group == "PWHC Secure Wireless") [ldap] Entering ldap_groupcmp() expand: ou=usersusers,dc=example,dc=com -> ou=users,dc=example,dc=com expand: (|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupO fUniqueNames)(uniquemember=%{Ldap-UserDn}))) -> (|(&(objectClass=GroupOfNames)(member=))(&(objectClass=GroupOfUniqueNames)( uniquemember=))) [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] performing search in ou=users,dc=example,dc=com, with filter (&(memberOf=PWHC Secure Wireless)(|(&(objectClass=GroupOfNames)(member=))(&(objectClass=GroupOfUniq ueNames)(uniquemember=)))) [ldap] object not found [ldap] ldap_release_conn: Release Id: 0 rlm_ldap::ldap_groupcmp: Group PWHC Secure Wireless not found or user is not a member. ? Evaluating (Ldap-Group == "PWHC Secure Wireless") -> FALSE ++? if (Ldap-Group == "PWHC Secure Wireless") -> FALSE It looks to me like it's binding and searching and deciding that I'm not a member of that group, however I know that I am because if I do a command-line ldapsearch it shows that I'm a member of that group. # ldapsearch -x -b 'ou=users,dc=example,dc=com' -h adserver.example.com -D cn=admin,ou=users,dc=example,dc=com -w password 'cn=username' memberOf # extended LDIF # # LDAPv3 # base <ou=users,dc=example,dc=com> with scope subtree # filter: cn=username # requesting: memberOf # # username, Users, example.com dn: CN=username,OU=users,dc=example,dc=com memberOf: CN=PWHC Secure Wireless,OU=PWHC,dc=example,dc=com memberOf: CN=UA: SecondaryAccount,OU=ManagedGroups,OU=Special Accounts,dc=example ,dc=com # search result search: 2 result: 0 Success # numResponses: 2 # numEntries: 1 Can anyone tell me what I'm doing wrong? Thanks, Scott
Hi, On Mon, Mar 12, 2012 at 09:07:23PM +0000, Scott McLane Gardner wrote:
++? if (Ldap-Group == "PWHC Secure Wireless") [ldap] Entering ldap_groupcmp() expand: ou=usersusers,dc=example,dc=com -> ou=users,dc=example,dc=com expand: (|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupO fUniqueNames)(uniquemember=%{Ldap-UserDn}))) -> (|(&(objectClass=GroupOfNames)(member=))(&(objectClass=GroupOfUniqueNames)( uniquemember=))) [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] performing search in ou=users,dc=example,dc=com, with filter (&(memberOf=PWHC Secure Wireless)(|(&(objectClass=GroupOfNames)(member=))(&(objectClass=GroupOfUniq ueNames)(uniquemember=)))) [ldap] object not found
This is what freeradius is searching ^^^
It looks to me like it's binding and searching and deciding that I'm not a member of that group, however I know that I am because if I do a command-line ldapsearch it shows that I'm a member of that group.
You're not searching the same thing:
# ldapsearch -x -b 'ou=users,dc=example,dc=com' -h adserver.example.com -D cn=admin,ou=users,dc=example,dc=com -w password 'cn=username' memberOf
Can anyone tell me what I'm doing wrong?
Try looking at the groupmembership_filter option - work out a search that works on the command line (with a filter), and then fit that filter into the ldap config. It should probably something like (untested) groupname_attribute = cn groupmembership_filter = "(&(objectClass=group)(member=%{Ldap-UserDn}))" groupmembership_attribute = memberOf Run in debug, look at what it's actually searching, match to the config file, tweak, rinse & repeat. Matthew -- Matthew Newton, Ph.D. <mcn4@le.ac.uk> Systems Architect (UNIX and Networks), Network Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk>
Try looking at the groupmembership_filter option - work out a search that works on the command line (with a filter), and then fit that filter into the ldap config.
It should probably something like (untested)
groupname_attribute = cn groupmembership_filter = "(&(objectClass=group)(member=%{Ldap-UserDn}))" groupmembership_attribute = memberOf
Run in debug, look at what it's actually searching, match to the config file, tweak, rinse & repeat.
Matthew
Thank you! This was the pointer I needed to get this working. I'm sure I'll have lots more questions about other aspects soon. -Scott
Can you expand on how this is done? I am a freeradius newbie and don't really understand how all the pieces fit together.
First is authentication - configure with Samba, ntlmauth RE: http://wiki.freeradius.org/FreeRADIUS-Active-Directory-Integration-HOWTO Next authorization - configured as Matthew suggested in previous post. Probably need to get the memberOf attribute of the userid match will be FQDN of group, i.e.: CN=Group,OU=someou,dc=something,dc=else,dc=again - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Scott McLane Gardner wrote:
I've successfully gotten AD auth working, and now I'd like to be able to assign VLAN's based on group membership, but I'm having a hard time figuring out where and how to do that. Where do I put the "if" statements to check group membership? Does AD auth even work like this, or do I need to be using LDAP auth?
You can configure AD as an LDAP server, and then do LDAP group checks. See the LDAP documentation for examples. Alan DeKok.
You can configure AD as an LDAP server, and then do LDAP group checks. See the LDAP documentation for examples.
Alan DeKok.
I think the documentation is saying that LDAP can't be used with EAP. Is that what it's really saying? It's a little unclear since it says "The solution is to use the default configuration, which does work." # However, LDAP can be used for authentication ONLY when the # Access-Request packet contains a clear-text User-Password # attribute. LDAP authentication will NOT work for any other # authentication method. # # This means that LDAP servers don't understand EAP. If you # force "Auth-Type = LDAP", and then send the server a # request containing EAP authentication, then authentication # WILL NOT WORK. # # The solution is to use the default configuration, which does # work. # # Setting "Auth-Type = LDAP" is ALMOST ALWAYS WRONG. We # really can't emphasize this enough.
participants (5)
-
Alan DeKok -
Danner, Mearl -
Fajar A. Nugraha -
Matthew Newton -
Scott McLane Gardner