posixAccount,posixGroup, and CiscoAVPair
Alan DeKok
aland at deployingradius.com
Wed Mar 19 13:26:54 CET 2008
Pietro Accerboni wrote:
> Hi, here is my problem:
> 0) Cisco APs - Radius - Ldap authentication via 802.1x - PEAP - MSCHAPv2
> works.
That's a good start.
> 1) I need to link the group of the user that tries to authenticate with
> the SSID, so I can allow only a particular group of users to use a
> particular SSID/VLAN.
i.e. IF the user is in SSID, AND he is NOT in a particular group, THEN
reject the request.
> 7) I really cannot figure out a correct configuration of:
> * ldap module in radius.conf
If PEAP works, your LDAP configuration is mostly OK.
> * selection in users
See below.
> * mapping of group attribute in ldap.attrmap
Don't.
> (radius.conf, module ldap)
...
> compare_check_items = yes (if i do not set this, all users with valid
> credentials can log in!)
Set this to "No". The current configuration is preventing the
*proper* users from logging in:
> If you see in the bottom of the log, 'rlm_ldap::ldap_groupcmp: User
> found in group 801' but also 'rlm_ldap: Pairs do not match. Rejecting
> user'
>
See? Don't set it. It's not needed.
> (users)
> DEFAULT Cisco-AVPair=="ssid=SISSA-STAFF", Ldap-Group==800
> Fall-Through = no
This says "match SSID AND ldap group" ... and do nothing else.
Compare that to what you wrote in (1) above.
What you want is:
DEFAULT Cisco-AVPair=="ssid=SISSA-STAFF", Ldap-Group!=800, Auth-Type := Reject

(all on one line). See "man users" for a description of the operators.
Alan DeKok.
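The same pattern extended to more than one SSID, as an added example that is not part of the original thread: the second SSID name and its group number are assumed placeholders, only SISSA-STAFF and group 800 come from the message above.

```text
# users file (FreeRADIUS). Check items sit on the first line of each entry.
#
# The original entry, DEFAULT Cisco-AVPair=="ssid=SISSA-STAFF", Ldap-Group==800
# with Fall-Through = no, matched only the *permitted* users and then stopped,
# so everyone else fell through to later entries and was accepted.
# Rejecting on the negative condition closes that hole: a user on the SSID
# who is NOT in the group gets Auth-Type := Reject, everyone else continues.

# Staff SSID: only members of group 800 (values from the thread).
DEFAULT Cisco-AVPair == "ssid=SISSA-STAFF", Ldap-Group != 800, Auth-Type := Reject

# Second SSID: assumed placeholder name and group for illustration.
DEFAULT Cisco-AVPair == "ssid=EXAMPLE-STUDENTS", Ldap-Group != 801, Auth-Type := Reject

# Each entry only matches its own SSID, so the entries do not interact;
# a user who passes the group check for the SSID they are on is handled
# by the normal PEAP/MSCHAPv2 path, and the LDAP compare_check_items
# setting can stay at "no" as recommended above.
```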