ldap filter depending on NAS
Matthieu Lazaro
matthieu.lazaro at eservglobal.com
Wed Apr 22 14:28:18 CEST 2009
tnt at kalik.net wrote:
>> Here is one policy that I wish to make work.
>>
>> 1- a client connects to a 802.1x protected VLAN ID 10 ( per port basis
>> configuration on the switch)
>> --> this client has some of the following LDAP attributes:
>> uid = bobalice
>> radiusTunnelPrivateGroupID = 20
>> radiusTunnelType = VLAN
>> radiusMediumType = IEEE-802
>> radiusCallingStationId = 00-21-42-42-87-b1
>> radiusUserCategory = ADMIN
>> 2- First I want to check the following attributes, and if not correct,
>> reject the user:
>> radiusTunnelType = VLAN
>> radiusMediumType = IEEE-802
>>
>
> Are those two attributes in the access request? If they are, map them as
> check items in ldap.attrmap.
>
>
>> radiusCallingStationId = 00-21-42-42-87-b1
>>
>
> This is already in ldap.attrmap.
>
>
>> radiusUserCategory = ADMIN
>>
>
> Where is that supposed to come from?
>
>
>> 3- Then I want to authenticate and authorise the user if login/password
>> are correct
>>
>
> Fine. Nothing to do.
>
>
>> 4 - Then Move him into the appropriate VLAN ID 20 instead of ID10 based
>> on this attribute:
>> radiusTunnelPrivateGroupID = 20
>>
>
> Map that as reply item in ldap.attrmap. You will need tunnel and medium
> type in the reply as well. So add them too.
>
> Ivan Kalik
> Kalik Informatika ISP
>
>
Here is the content of a packet received by radiusd:
rad_recv: Access-Request packet from host 10.1.1.2 port 1692, id=171, length=302
	Framed-MTU = 1480
	NAS-IP-Address = 10.1.1.2
	NAS-Identifier = "Test Switch "
	User-Name = "bobalice"
	Service-Type = Framed-User
	Framed-Protocol = PPP
	NAS-Port = 1
	NAS-Port-Type = Ethernet
	NAS-Port-Id = "20"
	Called-Station-Id = "00-11-f3-1d-5d-00"
	Calling-Station-Id = "00-14-b2-7a-87-b4"
	Connect-Info = "CONNECT Ethernet 100Mbps Full duplex"
	Tunnel-Type:0 = VLAN
	Tunnel-Medium-Type:0 = IEEE-802
	Tunnel-Private-Group-Id:0 = "1"
	State = 0xff747043ff76690706eed2dfa8b93b90
	EAP-Message = 0x0202005019800981004616030100410100003d030149dce2350a464fb33bb5333ee36c942769f84056fcb49ef5371ee91f0503103800001600040005000a000990640062000300060013001200630100
	Message-Authenticator = 0xec90edc178afb509db4131a36bfe42fe
Furthermore, to reply to Alan about the radiusUserCategory, it is given
with the radius.schema for ldap. Is it a useless attribute then?
I'll be checking this afternoon and testing about putting more info in
ldap.attrmap to see if the filters work.
I'll let you know.
Regards,
Matt
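Ivan's suggestion in the quoted reply, written out as ldap.attrmap entries. This is an added illustration, not a file from the thread or from the FreeRADIUS distribution; it assumes the FreeRADIUS 2.x rlm_ldap attrmap syntax (one `checkItem` or `replyItem` line per attribute) and uses the LDAP attribute names from the thread and radius.schema.

```conf
# Added example, not from the thread: ldap.attrmap entries for the policy
# discussed above. Syntax: <checkItem|replyItem> <RADIUS attribute> <LDAP attribute>

# Check items are compared against what the NAS put in the Access-Request
# (the packet dump shows Tunnel-Type:0 = VLAN and Tunnel-Medium-Type:0 = IEEE-802).
# A mismatch between the LDAP value and the request rejects the user; this also
# binds the account to the client's MAC via Calling-Station-Id.
# Caveat: a check item only fires when the LDAP entry carries the attribute.
# An entry without radiusTunnelType is not rejected, it is simply not checked.
checkItem   Tunnel-Type              radiusTunnelType
checkItem   Tunnel-Medium-Type       radiusTunnelMediumType
# Calling-Station-Id is already a checkItem in the default ldap.attrmap.
checkItem   Calling-Station-Id       radiusCallingStationId

# Reply items are copied from the LDAP entry into the Access-Accept.
# The switch needs all three Tunnel-* attributes, not only the group id,
# to move the port from VLAN 10 to the VLAN in radiusTunnelPrivateGroupID (20 for bobalice).
replyItem   Tunnel-Type              radiusTunnelType
replyItem   Tunnel-Medium-Type       radiusTunnelMediumType
replyItem   Tunnel-Private-Group-Id  radiusTunnelPrivateGroupID
```

radiusUserCategory is defined in radius.schema but has no RADIUS attribute to map to, so it is not listed here; it can only be used via an LDAP filter or a group check, not as a check or reply item.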