posixAccount, posixGroup, and CiscoAVPair

Pietro Accerboni ace at sissa.it
Wed Mar 19 15:05:15 CET 2008


Thanks a lot for the quick answer, it works!
So the LDAP filters I wrote are OK; the problem was in the users file. I 
have 2 more questions:
1) Now I check the group membership with a numeric constant, like 
Ldap-Group!=800.
Say the ldap posixGroup entry is:
cn=staff,dc=mydomain,dc=it
cn=staff
gidNumber=<gid>
...
I want to pick out the gid from the group 'staff', whatever this number 
is, and check this number in the users file.
May I write something like 
gid=%{ldap:ldap://dc=mydomain,dc=it?gidNumber?sub?(&(posixGroup)(cn=staff))}, 
and then use this var in the
test Ldap-Group!=<gid> in users file?
2) Maybe a stupid question.
I found it very difficult to get a clear understanding of how to configure 
freeradius from the documentation that comes with the rpm/deb package 
and the one I found on freeradius.org.
I also looked for a book, but the only one I found is 'Radius' from 
O'Reilly, which is old and far, far, far away from a 'good book'.
Is there some paper, some book, some doc that explains clearly the 
freeradius world? From a general point of view (Radius protocol, 
difference between the Authorization and Authentication sections, etc.) to the 
details (how freeradius uses the request attrs/config attrs/reply attrs, 
the gory details of the single module configuration switches - see my 
mistake with 'compare_check_items=yes' in ldap, etc.)?

Thanks
 Pietro

Alan DeKok wrote:
> Pietro Accerboni wrote:
>   
>> Hi, here is my problem:
>> 0) Cisco APs - Radius - Ldap authentication via 802.1x - PEAP - MSCHAPv2
>> works.
>>     
>
>   That's a good start.
>
>   
>> 1) I need to link the group of the user that try to authenticate with
>> the SSID, so i can allow only a particular group of users to use a
>> particular SSID/VLAN.
>>     
>
>   i.e. IF the user is in SSID, AND he is NOT in a particular group, THEN
> reject the request.
>
>   
>> 7) I really cannot figure out a correct configuration of:
>> * ldap module in radius.conf
>>     
>
>   If PEAP works, your LDAP configuration is mostly OK.
>
>   
>> * selection in users
>>     
>
>   See below.
>
>   
>> * mapping of group attribute in ldap.attrmap
>>     
>
>   Don't.
>
>   
>> (radius.conf, module ldap)
>>     
> ...
>   
>>    compare_check_items = yes (if I do not set this, all users with valid
>> credentials can log in!)
>>     
>
>   Set this to "No".  The current configuration is preventing the
> *proper* users from logging in:
>
>   
>> If you see in the bottom of the log, 'rlm_ldap::ldap_groupcmp: User
>> found in group 801' but also 'rlm_ldap: Pairs do not match. Rejecting
>> user'
>
>   See?  Don't set it.  It's not needed.
>
>   
>> (users)
>>    DEFAULT Cisco-AVPair=="ssid=SISSA-STAFF", Ldap-Group==800
>>        Fall-Through = no
>>     
>
>   This says "match SSID AND ldap group" ... and do nothing else.
> Compare that to what you wrote in (1) above.
>
>   What you want is:
>
> DEFAULT Cisco-AVPair=="ssid=SISSA-STAFF", Ldap-Group!=800, Auth-Type :=
> Reject
>
>   (all on one line).  See "man users" for a description of the operators.
>
>   Alan DeKok.
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>   
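To make the difference between the two users-file entries in the thread concrete, here is an added example (not code from the thread, and not FreeRADIUS's own matcher): a deliberately simplified Python model of how check items on the first line of a users entry are evaluated. It models only what the thread relies on (== and != check items, := setting a control item such as Auth-Type, and Fall-Through), and it represents `Ldap-Group` as membership in a constructed set of gids rather than calling the ldap module; the request dictionaries and user names are constructed sample data.

```python
from dataclasses import dataclass, field

@dataclass
class Entry:
    name: str          # "DEFAULT" or a specific User-Name
    checks: list       # (attribute, operator, value) triples from the first line
    reply: dict = field(default_factory=dict)  # indented reply items such as Fall-Through

def check_holds(attr, op, value, request):
    """Evaluate one == or != check item against the request (simplified model)."""
    if attr == "Ldap-Group":
        # Group membership is modelled as a set of gids the user belongs to.
        member = value in request.get("Ldap-Groups", set())
        return member if op == "==" else not member
    actual = request.get(attr)
    return (actual == value) if op == "==" else (actual != value)

def evaluate(entries, request):
    """Return the control items set by the matching entries, honouring Fall-Through."""
    control = {}
    for entry in entries:
        if entry.name not in ("DEFAULT", request.get("User-Name")):
            continue
        compares = [c for c in entry.checks if c[1] != ":="]
        if not all(check_holds(a, op, v, request) for a, op, v in compares):
            continue                # one failed check item: entry does not match
        for attr, op, value in entry.checks:
            if op == ":=":          # e.g. Auth-Type := Reject
                control[attr] = value
        if entry.reply.get("Fall-Through", "no") != "yes":
            break                   # first matching entry wins
    return control

def decision(entries, request):
    """'reject' if the users file forced Auth-Type := Reject, otherwise 'continue'."""
    return "reject" if evaluate(entries, request).get("Auth-Type") == "Reject" else "continue"

# The entry from the original post: match SSID AND group, then do nothing else.
ORIGINAL = [Entry("DEFAULT", [("Cisco-AVPair", "==", "ssid=SISSA-STAFF"),
                              ("Ldap-Group", "==", "800")], {"Fall-Through": "no"})]
# The corrected entry: on that SSID AND NOT in group 800, force a reject.
CORRECTED = [Entry("DEFAULT", [("Cisco-AVPair", "==", "ssid=SISSA-STAFF"),
                               ("Ldap-Group", "!=", "800"),
                               ("Auth-Type", ":=", "Reject")])]

# Constructed sample requests (not from the thread).
STAFF = {"User-Name": "alice", "Cisco-AVPair": "ssid=SISSA-STAFF", "Ldap-Groups": {"800"}}
OTHER = {"User-Name": "bob", "Cisco-AVPair": "ssid=SISSA-STAFF", "Ldap-Groups": {"801"}}

if __name__ == "__main__":
    for label, entries in (("original", ORIGINAL), ("corrected", CORRECTED)):
        print(label, decision(entries, STAFF), decision(entries, OTHER))
```

With the original entry both users fall through to normal authentication, so a valid non-staff password gets onto the staff SSID; with the corrected entry only the user outside group 800 is rejected.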