Freeradius + 2 x LDAP + VLAN
Hello, I have Freeradius 2.1.10 with 2 LDAP servers (ldap1 + ldap2) and Ubuntu 12.04 I using it for 802.1x users. I need switch users from ldap1 to VLAN 1 and users from ldap2 to VLAN 2. I don't know how can i do it. My configuration: /etc/freeradius/modules/ldap: ldap ldap1 { ... server = 1.1.1.1 basedn = ou=users,dc=test,dc=cz ... } ldap ldap2 { ... server = 2.2.2.2 basedn = ou=users,dc=test1,dc=cz .... } /etc/freeradius/sites-enabled/inner-tunnel: authorize { chap mschap unix suffix eap { ok=return } files ldap1 ldap2 expiration logintime pap } authenticate { Auth-Type PAP { pap } Auth-Type CHAP { chap } Auth-Type MS-CHAP { mschap } Auth-Type LDAP1 { ldap1 } Auth-Type LDAP2 { ldap2 } eap } It works. But i need send atributes to switch or Access Point: Tunnel-Type=VLAN, Tunnel-Medium-Type=IEEE-802, Tunnel-Private-Group-Id=1 for users from ldap1 and Tunnel-Type=VLAN, Tunnel-Medium-Type=IEEE-802, Tunnel-Private-Group-Id=2 for users from ldap2 I tried configure it in /etc/freeradius/users, but without success. Thank You for help Miroslav
On 12 Sep 2013, at 18:18, Miroslav Lednicky <miroslav.lednicky@fnusa.cz> wrote:
Hello,
I have Freeradius 2.1.10 with 2 LDAP servers (ldap1 + ldap2) and Ubuntu 12.04
authorize { ldap1 if (ok) { update reply { Tunnel-Type = VLAN, Tunnel-Medium-Type = IEEE-802 Tunnel-Private-Group-Id = 1 } } elsif { ldap2 if (ok) { update reply { Tunnel-Type = VLAN Tunnel-Medium-Type = IEEE-802 Tunnel-Private-Group-Id = 2 } } } } Arran Cudbard-Bell <a.cudbardb@freeradius.org> FreeRADIUS Development Team
Thank you, it works with simple modification (not too effective): ldap1 if (ok) { update reply { Tunnel-Type = VLAN Tunnel-Medium-Type = IEEE-802 Tunnel-Private-Group-Id = 1 } } ldap2 if (ok) { update reply { Tunnel-Type = VLAN Tunnel-Medium-Type = IEEE-802 Tunnel-Private-Group-Id = 2 } } Miroslav Dne 12.9.2013 19:36, Arran Cudbard-Bell napsal(a):
On 12 Sep 2013, at 18:18, Miroslav Lednicky <miroslav.lednicky@fnusa.cz <mailto:miroslav.lednicky@fnusa.cz>> wrote:
Hello,
I have Freeradius 2.1.10 with 2 LDAP servers (ldap1 + ldap2) and Ubuntu 12.04
authorize { ldap1 if (ok) { update reply {
Tunnel-Type = VLAN,
Tunnel-Medium-Type = IEEE-802
Tunnel-Private-Group-Id = 1
} } elsif { ldap2 if (ok) { update reply {
Tunnel-Type = VLAN Tunnel-Medium-Type = IEEE-802 Tunnel-Private-Group-Id = 2 } } } }
Arran Cudbard-Bell <a.cudbardb@freeradius.org <mailto:a.cudbardb@freeradius.org>> FreeRADIUS Development Team
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- Mgr. Miroslav Lednický
I am running freeradius 2.2.0, I have configured freeradius to authenticate against active directory and also offer eduroam service When I authenticate my username as “test” and password in to my wireless devices it works. However if I try to authenticate my username as test@abc.ac.uk it does not work because freeradius pass on test@abc.ac.uk to active directory without stripping out @abc.ac.uk as shown below: [mschapv2] # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel [mschapv2] +- entering group MS-CHAP {...} [mschap] Creating challenge hash with username: test@abc.ac.uk [mschap] Client is using MS-CHAPv2 for test@abc.ac.uk, we need NT-Password [mschap] expand: --username=%{mschap:User-Name:-None} -> --username=test@abc.ac.uk [mschap] No NT-Domain was found in the User-Name. [mschap] expand: %{mschap:NT-Domain} -> [mschap] ... expanding second conditional [mschap] expand: --domain=%{%{mschap:NT-Domain}:-UNIVERSITY} -> --domain=UNIVERSITY [mschap] Creating challenge hash with username: test@abc.ac.uk [mschap] expand: --challenge=%{mschap:Challenge:-00} -> --challenge=6d98addf3855kk34f22 [mschap] expand: --nt-response=%{mschap:NT-Response:-00} -> --nt-response=278994tg713ccd713g8876666k1196faaf038ef Exec-Program output: Logon failure (0xc00004f) How can I fix the problem of authentication users that type in there local realm @abc.ac.uk with their username as well as proxing eduroam users? Basically, how do I authenticate local user or stripe local realm before pass to active directory for authentication?
On Fri, Sep 13, 2013 at 12:23:47AM +0100, trevor obba wrote:
expand: --username=%{mschap:User-Name:-None} -> --username=test@abc.ac.uk ... Exec-Program output: Logon failure (0xc00004f)
How can I fix the problem of authentication users that type in there local realm @abc.ac.uk with their username as well as proxing eduroam users? Basically, how do I authenticate local user or stripe local realm before pass to active directory for authentication?
Use unlang to strip the realm off, something like this before the call to eap: if ("%{User-Name}" =~ /^([^@]*)(@([-[:alnum:].]+))?$/) { update request { Stripped-User-Name := "%{1}" } if ("%{3}") { update request { Realm := "%{3}" } } else { # this will reject requests that have no realm reject } } Then in your mschap module config use Stripped-User-Name instead of User-Name, e.g. ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --domain=abc.ac.uk --username=%{Stripped-User-Name} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}" Matthew -- Matthew Newton, Ph.D. <mcn4@le.ac.uk> Systems Specialist, Infrastructure Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk>
participants (4)
-
Arran Cudbard-Bell -
Matthew Newton -
Miroslav Lednicky -
trevor obba