posixAccount,posixGroup, and CiscoAVPair

Alan DeKok aland at deployingradius.com
Wed Mar 19 13:26:54 CET 2008


Pietro Accerboni wrote:
> Hi, here is my problem:
> 0) Cisco APs - Radius - Ldap authentication via 802.1x - PEAP - MSCHAPv2
> works.

  That's a good start.

> 1) I need to link the group of the user that tries to authenticate with
> the SSID, so I can allow only a particular group of users to use a
> particular SSID/VLAN.

  i.e. IF the user is in SSID, AND he is NOT in a particular group, THEN
reject the request.

> 7) I really cannot figure out a correct configuration of:
> * ldap module in radius.conf

  If PEAP works, your LDAP configuration is mostly OK.

> * selection in users

  See below.

> * mapping of group attribute in ldap.attrmap

  Don't.

> (radius.conf, module ldap)
...
>    compare_check_items = yes (if I do not set this, all users with valid
> credentials can log in!)

  Set this to "No".  The current configuration is preventing the
*proper* users from logging in:

> If you see in the bottom of the log, 'rlm_ldap::ldap_groupcmp: User
> found in group 801' but also 'rlm_ldap: Pairs do not match. Rejecting
> user'
>
  See?  Don't set it.  It's not needed.

> (users)
>    DEFAULT Cisco-AVPair=="ssid=SISSA-STAFF", Ldap-Group==800
>        Fall-Through = no

  This says "match SSID AND ldap group" ... and do nothing else.
Compare that to what you wrote in (1) above.

  What you want is:

DEFAULT Cisco-AVPair=="ssid=SISSA-STAFF", Ldap-Group!=800, Auth-Type := Reject

  (all on one line).  See "man users" for a description of the operators.

  Alan DeKok.
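A small model of how the "users" file entries above are evaluated, added here as an example and not code from the original thread or from FreeRADIUS itself. Run over constructed sample requests, it shows why the original entry never rejects anyone while the corrected one rejects only non-members on the staff SSID; the usernames, group "801" and the guest SSID are assumed sample values.

```python
# Added example, not from the original thread or from FreeRADIUS: a small
# model of how "users" file entries are evaluated. Usernames, group "801"
# and the guest SSID are constructed sample values.

STAFF_SSID = "ssid=SISSA-STAFF"

# An entry is (check items, reply items); each item is (attr, op, value).
# Original entry: matches staff on the staff SSID and sets nothing, so
# everyone else falls through to later entries and PEAP accepts them.
ORIGINAL = [
    ([("Cisco-AVPair", "==", STAFF_SSID), ("Ldap-Group", "==", "800")],
     [("Fall-Through", "=", "no")]),
]
# Corrected entry: non-members on the staff SSID get Auth-Type := Reject.
CORRECTED = [
    ([("Cisco-AVPair", "==", STAFF_SSID), ("Ldap-Group", "!=", "800"),
      ("Auth-Type", ":=", "Reject")], []),
]

def check_matches(check, request):
    """Every check item on the entry's first line must hold (ops: ==, !=)."""
    for attr, op, value in check:
        if op == ":=":
            continue  # ':=' assigns (e.g. Auth-Type); it is not a test
        if attr == "Ldap-Group":
            # Virtual attribute answered by rlm_ldap's group compare, not an AVP.
            present = value in request["groups"]
        else:
            present = request.get(attr) == value
        if (op == "==") != present:
            return False
    return True

def evaluate(entries, request):
    """Return the Auth-Type a matching entry forced, or None if none did."""
    auth_type = None
    for check, reply in entries:
        if not check_matches(check, request):
            continue
        for attr, op, value in check:
            if attr == "Auth-Type" and op == ":=":
                auth_type = value
        if ("Fall-Through", "=", "yes") not in reply:
            break
    return auth_type

# Constructed sample requests; "groups" is what LDAP says the user belongs to.
STAFF_ON_STAFF = {"User-Name": "alice", "Cisco-AVPair": STAFF_SSID, "groups": {"800"}}
GUEST_ON_STAFF = {"User-Name": "bob", "Cisco-AVPair": STAFF_SSID, "groups": {"801"}}
GUEST_ON_GUEST = {"User-Name": "bob", "Cisco-AVPair": "ssid=EXAMPLE-GUEST", "groups": {"801"}}
```

With the original entry, `evaluate` returns None for every request, i.e. nobody is ever rejected by it; with the corrected entry only the non-member on the staff SSID gets "Reject".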


