Re-write Attributes based upon NAS-Port-Type and LDAP authorization response
Bill Carr
bcarr at commsolutions.com
Wed Jun 21 20:27:58 CEST 2006
Hello Folks,
I've posted something similar to this in the past and my question was
answered rather tersely. I'm hoping a little more detail will invoke
the type of kind responses I'm used to in the Open Source Community.
I've got FreeRadius on RedHat ES3 authenticating users to OpenLDAP.
So far we've simply been authenticating users via 802.1x on Wired Switch
ports and we've now added new equipment for WIFI which requires the
RFC3580 attributes (instead of the Filter-ID we've populated in our LDAP
schema).
I believe it should be relatively simple to perform the following
checks to "re-write" my attributes for the WIFI
gear. I can base the decision to re-write on the NAS-Port-Type
received.
My pseudo-code thought process is outlined below (I'm not a coder, would
never profess to be; thus my post!):
if NAS-Port-Type == "Wireless - IEEE 802.11"
then
    Tunnel-Medium-Type == IEEE-802
    Tunnel-Type == VLAN
    if Filter-ID =~ "Internet-Restricted"
    then Tunnel-Private-Group-ID == 155
         (or the Restricted VLANID)
    elseif Filter-ID =~ "Allow-All"
    then Tunnel-Private-Group-ID == 156
         (or the Allowed VLANID).
    endif
endif
My reading thus far has led me to test my reply attribute requirements
from the "users" file and that works perfectly. If someone could point
me in a simple direction on how to strip/rewrite the attributes based on
the 'authorization' reply from LDAP, I'd be indebted. I've seen
examples of profiles stored on LDAP, but I'm curious how I could choose
a different profile based upon the "NAS-Port-Type" received in the
Access-Request.
Here's what I did in the "users" file to test successfully (I don't know
that it's of any value but to demonstrate what I'm trying to
accomplish).
testuser    User-Password == "user", NAS-Port-Type == "Wireless-802.11"
            Tunnel-Medium-Type == "IEEE-802",
            Tunnel-Type == "VLAN",
            Tunnel-Private-Group-Id == "155"

testuser    User-Password == "user", NAS-Port-Type == "Ethernet"
            Filter-ID == "Enterasys:version=1:policy=Internet-Restricted"

admin       User-Password == "admin", NAS-Port-Type == "Wireless-802.11"
            Tunnel-Medium-Type == "IEEE-802",
            Tunnel-Type == "VLAN",
            Tunnel-Private-Group-Id == "156"

admin       User-Password == "admin", NAS-Port-Type == "Ethernet"
            Filter-ID == "Enterasys:version=1:policy=Allow-All"
Thanks to all in advance.
Bill
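The decision outlined in the pseudo-code above, written as an unlang policy; this is an added example, not code from Bill's post or the FreeRADIUS project. It assumes FreeRADIUS 2.x or later (unlang did not exist when this 2006 message was written), that rlm_ldap has already copied the user's Filter-Id from LDAP into the reply list during authorize, and it reuses the VLAN IDs 155/156 and Filter-Id strings from the post; the fail-closed reject for an unrecognised policy string is my addition.

```unlang
# Assumption: placed in the post-auth section of the default virtual server,
# i.e. after LDAP authorization has put the user's Filter-Id into the reply list.
post-auth {
    if (NAS-Port-Type == Wireless-802.11) {
        # RFC 3580 attributes the WIFI gear expects
        update reply {
            Tunnel-Type := VLAN
            Tunnel-Medium-Type := IEEE-802
        }
        if (reply:Filter-Id =~ /Internet-Restricted/) {
            update reply {
                Tunnel-Private-Group-Id := "155"   # Restricted VLAN ID from the post
            }
        }
        elsif (reply:Filter-Id =~ /Allow-All/) {
            update reply {
                Tunnel-Private-Group-Id := "156"   # Allowed VLAN ID from the post
            }
        }
        else {
            # Fail closed: an LDAP entry with no recognised policy must not
            # land on the controller's default VLAN with no tag at all.
            reject
        }
        # The Enterasys policy string means nothing to the WLAN gear; strip it
        # so the wired-only attribute never leaks into wireless Access-Accepts.
        update reply {
            Filter-Id !* ANY
        }
    }
}
```

Wired (Ethernet) requests fall through untouched, so the Filter-Id already stored in LDAP keeps reaching the switches exactly as before.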