Map LDAP Attribute to RADIUS Attribute

Paul Asadoorian paul at pauldotcom.com
Wed Jul 19 17:05:49 CEST 2006


Thibault,

Thank you for reviewing my post.

Here is a little more information:

The RADIUS client is actually an Aruba wireless controller.  It had
an attribute already defined called "User-Category".  I also checked
the dictionary file for "User-Category" and this is what I found:

# grep User-Category *
dictionary.freeradius.internal:ATTRIBUTE        User-Category                           1029    string

I am happy to change my attribute to something more standard or
different if this seems to be the problem.

Thank You!

Paul

On Jul 19, 2006, at 10:34 AM, Thibault Le Meur wrote:

>>
>> I am running FreeRADIUS version 1.1.2 on Debian Linux (Stable x86).
>> I am trying to map an LDAP attribute to a RADIUS attribute.  A little
>> background, we have a RADIUS client that needs to make decisions
>> based on an LDAP attribute (we'll call it User-Category).  Based on
>> the value of this attribute the end user will be given rights on the
>> network.  So, I set up my ldap.attrmap with *only* the following line:
>>
>> replyItem       User-Category                   orgPrimaryAffiliation
>>
>
>> rlm_ldap: Adding orgPrimaryAffiliation as User-Category, value
>
>> auth: type "LDAP"
>>    Processing the authenticate section of radiusd.conf
>> modcall: entering group LDAP for request 4
>> rlm_ldap: - authenticate
>> rlm_ldap: login attempt by "mytestuser" with password "12345"
>> rlm_ldap: user DN: orgUUID=53d66879-e0a0-da8f-4c49-514b567713ad,ou=People,dc=org,dc=com
>> rlm_ldap: (re)connect to ldapserver.org.com:389, authentication 1
>> rlm_ldap: bind as orgUUID=53d66879-e0a0-da8f-4c49-514b567713ad,ou=People,dc=org,dc=com/12345 to ldapserver.org.com:389
>> rlm_ldap: waiting for bind result ...
>> rlm_ldap: Bind was successful
>> rlm_ldap: user mytestuser authenticated succesfully
>>    modcall[authenticate]: module "ldap" returns ok for request 4
>> modcall: leaving group LDAP (returns ok) for request 4
>> Sending Access-Accept of id 192 to 127.0.0.1 port 32904
>> Finished request 4
>
> Ok everything seems ok until now...
>
>
>> The problem is that I never see the RADIUS server return the
>> "User-Category" attribute back to the RADIUS client.  It seems to
>> only want to send the "Access-Accept" or "Access-Reject" message with
>> no User-Category value.  I tried including the "User-Category" in
>> the request with no luck.  I also modified the "attrs" file to
>> include this attribute:
>>
>> DEFAULT
>>          Service-Type == Framed-User,
>>          Service-Type == Login-User,
>>          Login-Service == Telnet,
>>          Login-Service == Rlogin,
>>          Login-Service == TCP-Clear,
>>          Login-TCP-Port <= 65536,
>>          Framed-IP-Address == 255.255.255.254,
>>          Framed-IP-Netmask == 255.255.255.255,
>>          Framed-Protocol == PPP,
>>          Framed-Protocol == SLIP,
>>          Framed-Compression == Van-Jacobson-TCP-IP,
>>          Framed-MTU >= 576,
>>          Framed-Filter-ID =* ANY,
>>          Reply-Message =* ANY,
>>          User-Category =* ANY,
>>          Proxy-State =* ANY,
>>          Session-Timeout <= 28800,
>>          Idle-Timeout <= 600,
>>          Port-Limit <= 2
>>
>> But no luck there either.  Any help is greatly appreciated.
>
> Yes, but I don't think you can create a new Radius attribute like
> this. You should at least declare it in a dictionary (since a Radius
> attribute corresponds to a number in fact).
>
> See /etc/raddb/dictionary and any Included files.
>
> Can anyone confirm my analysis and propose a procedure to create new
> attributes?
> Isn't it necessary to register new attributes/numbers somewhere? Is it
> possible to define "private attributes"?
>
> Regards,
> Thibault
>
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>

--
Paul Asadoorian
Email:   paul at pauldotcom.com
Web:     http://pauldotcom.com
IRC:      #pauldotcom | irc.freenode.net

Fingerprint: 2693 0204 8497 2E5F 4853  11D5 1153 6151 487F E094
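An added example, not from this thread or from the FreeRADIUS project: a small checker that parses ATTRIBUTE lines in the dictionary format Paul grepped and replyItem lines in the ldap.attrmap format, then flags each reply attribute that no dictionary defines (Thibault's concern) or that is numbered above 255, the range dictionary.freeradius.internal uses for server-internal attributes that can be set in a reply but are never encoded into a RADIUS packet (the Type field is one octet), which matches what Paul sees with attribute 1029. The file contents, the Example-Missing-Attr name and the LDAP attribute names other than orgPrimaryAffiliation are constructed for the example.

```python
import re

# Constructed sample dictionary: the line Paul's grep found (internal
# dictionary, number 1029) plus one wire attribute from RFC 2865.
SAMPLE_DICTIONARY = """\
ATTRIBUTE       User-Category           1029    string
ATTRIBUTE       Reply-Message           18      string
"""

# Constructed ldap.attrmap: Paul's replyItem line plus a mapping to a
# real wire attribute and one to a made-up name no dictionary defines.
SAMPLE_ATTRMAP = """\
replyItem       User-Category           orgPrimaryAffiliation
replyItem       Reply-Message           description
replyItem       Example-Missing-Attr    orgPrimaryAffiliation
checkItem       LM-Password             lmPassword
"""

MAX_WIRE_ATTR = 255  # the RADIUS attribute Type field is one octet (RFC 2865)

def parse_dictionary(text):
    """Map attribute name -> number from ATTRIBUTE lines; other lines ignored."""
    attrs = {}
    for line in text.splitlines():
        m = re.match(r"^ATTRIBUTE\s+(\S+)\s+(\d+)\s+\S+", line)
        if m:
            attrs[m.group(1)] = int(m.group(2))
    return attrs

def parse_attrmap(text):
    """Return (radius_attr, ldap_attr) pairs for replyItem lines only."""
    rows = (ln.split() for ln in text.splitlines())
    return [(p[1], p[2]) for p in rows if len(p) == 3 and p[0] == "replyItem"]

def check_reply_items(dictionary_text, attrmap_text):
    """Classify each replyItem attribute: ok, undefined, or internal-only."""
    attrs = parse_dictionary(dictionary_text)
    verdict = {}
    for radius_attr, _ldap_attr in parse_attrmap(attrmap_text):
        if radius_attr not in attrs:
            verdict[radius_attr] = "undefined"  # Thibault's concern
        elif attrs[radius_attr] > MAX_WIRE_ATTR:
            verdict[radius_attr] = "internal"   # added to the reply, never encoded
        else:
            verdict[radius_attr] = "ok"
    return verdict

if __name__ == "__main__":
    for name, status in check_reply_items(SAMPLE_DICTIONARY, SAMPLE_ATTRMAP).items():
        print(f"{name:24} {status}")
```

Pointing the two constants at the real dictionary and ldap.attrmap files (concatenating every $INCLUDEd dictionary first) turns this into a quick pre-flight check before restarting radiusd.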


