ldap filter depending on NAS
Alan DeKok
aland at deployingradius.com
Wed Apr 22 13:40:56 CEST 2009
Matthieu Lazaro wrote:
> 1- a client connects to a 802.1x protected VLAN ID 10 (per port basis
> configuration on the switch)
The client connects via 802.1X. It doesn't connect on a VLAN. VLAN
assignment comes *after* the client has been authenticated.
> --> this client has some of the following LDAP attributes:
> uid = bobalice
> radiusTunnelPrivateGroupID = 20
> radiusTunnelType = VLAN
> radiusMediumType = IEEE-802
If you list those in raddb/ldap.attrmap, they should automatically be
returned. But they're not in the default ldap.attrmap.
> radiusCallingStationId = 00-21-42-42-87-b1
> radiusUserCategory = ADMIN
There is no such thing as "radiusUserCategory" in the default
configuration.
Part of the issue is that you're confusing *reply* attributes with
*check* attributes. See ldap.attrmap for more information on how LDAP
attributes are used.
> 2- First I want to check the following attributes, and if not correct,
> reject the user:
> radiusTunnelType = VLAN
> radiusMediumType = IEEE-802
> radiusCallingStationId = 00-21-42-42-87-b1
> radiusUserCategory = ADMIN
What do you mean "Not correct"? Those are *LDAP* attributes. The
RADIUS server receives *RADIUS* attributes.
*PLEASE* ensure that you use the correct terminology. Using the wrong
terminology is bad, i.e. referring to RADIUS concepts by LDAP names.
And the RADIUS request will *not* contain Tunnel-Type,
Tunnel-Medium-Type, or "user category". It *will* contain the
Calling-Station-Id.
Maybe you missed the part of my email where I said look at the
contents of the *RADIUS* packet. You don't seem to have done that. I
don't give suggestions at random. They're here for a *reason*.
> 3- Then I want to authenticate and authorise the user if login/password
> are correct
OK.
> 4 - Then move him into the appropriate VLAN ID 20 instead of ID 10 based
> on this attribute:
> radiusTunnelPrivateGroupID = 20
If you add that as a replyItem to ldap.attrmap, it should work.
> For now, I have only been able to make the RadiusCallingStationId work
> using checkval.
That shouldn't be necessary. The LDAP module will treat it as a
checkItem all by itself. See ldap.attrmap.
> Hoping this is much much more precise and clearer, I really wish to
> discover what I am missing.
You're using the wrong terminology. You're not following instructions.
Alan DeKok.
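As an added illustration (not part of the original post and not the FreeRADIUS distribution's own ldap.attrmap), here is the shape of the ldap.attrmap entries the thread is talking about, using the LDAP attribute names from the question. The Calling-Station-Id line is a checkItem, compared against the incoming RADIUS request; the Tunnel-* lines are replyItems, copied into the Access-Accept. The RADIUS attribute names are the standard dictionary names; the LDAP attribute names are the poster's, and radiusUserCategory is left out because there is no such attribute in the default configuration.

```text
# Each line: <checkItem|replyItem>  <RADIUS attribute>  <LDAP attribute>
# Columns are whitespace separated.

# checkItem: the value stored in LDAP is compared against the same attribute
# in the incoming RADIUS request. Calling-Station-Id is in the request, so the
# LDAP value must match it for this entry's check items to pass. The "checkval"
# module is not needed for this; the ldap module does the comparison itself.
checkItem   Calling-Station-Id        radiusCallingStationId

# replyItem: the LDAP value is added to the RADIUS reply. These attributes are
# never in the request, so they cannot be check items; they are what the switch
# uses to put the authenticated port into VLAN 20.
replyItem   Tunnel-Type               radiusTunnelType
replyItem   Tunnel-Medium-Type        radiusMediumType
replyItem   Tunnel-Private-Group-Id   radiusTunnelPrivateGroupID
```

After editing the file, run the server in debug mode and read the RADIUS packet dump: the request shows Calling-Station-Id, and a successful Access-Accept shows the three Tunnel-* attributes taken from LDAP.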