ldap filter depending on NAS

Matthieu Lazaro matthieu.lazaro at eservglobal.com
Wed Apr 22 14:28:18 CEST 2009


tnt at kalik.net wrote:
>> Here is one policy that I wish to make work.
>>
>> 1- a client connects to a 802.1x protected VLAN ID 10 ( per port basis
>> configuration on the switch)
>> --> this client has some of the following LDAP attributes:
>>           uid = bobalice
>>           radiusTunnelPrivateGroupID = 20
>>           radiusTunnelType = VLAN
>>           radiusMediumType = IEEE-802
>>           radiusCallingStationId = 00-21-42-42-87-b1
>>           radiusUserCategory = ADMIN
>> 2- First I want to check the following attributes, and if not correct,
>> reject the user:
>>           radiusTunnelType = VLAN
>>           radiusMediumType = IEEE-802
>>     
>
> Are those two attributes in the access request? If they are, map them as
> check items in ldap.attrmap.
>
>   
>>           radiusCallingStationId = 00-21-42-42-87-b1
>>     
>
> This is already in ldap.attrmap.
>
>   
>>           radiusUserCategory = ADMIN
>>     
>
> Where is that supposed to come from?
>
>   
>> 3- Then I want to authenticate and authorise the user if login/password
>> are correct
>>     
>
> Fine. Nothing to do.
>
>   
>> 4 - Then Move him into the appropriate VLAN ID 20 instead of  ID10 based
>> on this attribute:
>>         radiusTunnelPrivateGroupID = 20
>>     
>
> Map that as reply item in ldap.attrmap. You will need tunnel and medium
> type in the reply as well. So add them too.
>
> Ivan Kalik
> Kalik Informatika ISP
>
>   
Here is the content of a packet received by radiusd:
rad_recv: Access-Request packet from host 10.1.1.2 port 1692, id=171,
length=302
        Framed-MTU = 1480
        NAS-IP-Address = 10.1.1.2
        NAS-Identifier = "Test Switch "
        User-Name = "bobalice"
        Service-Type = Framed-User
        Framed-Protocol = PPP
        NAS-Port = 1
        NAS-Port-Type = Ethernet
        NAS-Port-Id = "20"
        Called-Station-Id = "00-11-f3-1d-5d-00"
        Calling-Station-Id = "00-14-b2-7a-87-b4"
        Connect-Info = "CONNECT Ethernet 100Mbps Full duplex"
        Tunnel-Type:0 = VLAN
        Tunnel-Medium-Type:0 = IEEE-802
        Tunnel-Private-Group-Id:0 = "1"
        State = 0xff747043ff76690706eed2dfa8b93b90
        EAP-Message =
0x0202005019800981004616030100410100003d030149dce2350a464fb33bb5333ee36c942769f84056fcb49ef5371ee91f0503103800001600040005000a000990640062000300060013001200630100
        Message-Authenticator = 0xec90edc178afb509db4131a36bfe42fe

Furthermore, to reply to Alan about the radiusUserCategory, it is given
with the radius.schema for ldap. Is it a useless attribute then?
I'll be checking this afternoon and testing about putting more info in
ldap.attrmap to see if the filters work.
I'll let you know.

Regards,

Matt

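As an added example (not part of the original thread and not the stock file shipped with FreeRADIUS), here is an ldap.attrmap fragment for FreeRADIUS 2.x that implements the policy discussed above: Tunnel-Type, Tunnel-Medium-Type and Calling-Station-Id as check items, and the three tunnel attributes as reply items so the switch moves the port into VLAN 20. Each line is `<checkItem|replyItem> <RADIUS attribute> <LDAP attribute>`, whitespace separated. The LDAP attribute names are assumed to be those of the stock radius.schema (radiusTunnelType, radiusTunnelMediumType, radiusTunnelPrivateGroupId, radiusCallingStationId); the third column must match whatever your schema actually defines, so adjust it if your attributes are named differently. Two caveats a practitioner would want: Tunnel-Private-Group-Id must be a reply item only, because the Access-Request shown above carries Tunnel-Private-Group-Id:0 = "1" (the port's current VLAN) while the entry holds 20, so a check item on it would reject every user not already sitting in the target VLAN. And with Calling-Station-Id as a check item the request shown would be rejected, since it carries 00-14-b2-7a-87-b4 while the entry lists 00-21-42-42-87-b1; that is exactly what a per-MAC check is meant to do, so keep the LDAP value in the same hyphenated, lower-case form the NAS sends.

```text
# ldap.attrmap fragment (added example, assumed attribute names from radius.schema)
# <checkItem|replyItem>  <RADIUS attribute>        <LDAP attribute>

# Check items: compared against the Access-Request. A value that is
# absent from the request, or differs from the LDAP entry, rejects the user.
checkItem   Tunnel-Type              radiusTunnelType
checkItem   Tunnel-Medium-Type       radiusTunnelMediumType
checkItem   Calling-Station-Id       radiusCallingStationId

# Reply items: copied from the LDAP entry into the Access-Accept.
# All three are needed for the NAS to perform VLAN assignment.
# Do NOT list Tunnel-Private-Group-Id as a check item (see above).
replyItem   Tunnel-Type              radiusTunnelType
replyItem   Tunnel-Medium-Type       radiusTunnelMediumType
replyItem   Tunnel-Private-Group-Id  radiusTunnelPrivateGroupId
```

With this mapping the Access-Accept for bobalice carries Tunnel-Type = VLAN, Tunnel-Medium-Type = IEEE-802 and Tunnel-Private-Group-Id = "20"; RFC 3580 defines VLAN assignment in terms of those three attributes together, which is why Ivan says tunnel and medium type belong in the reply as well as the check. Run radiusd -X and confirm in the debug output that rlm_ldap reports the check items as "found" and that the reply contains all three tunnel attributes before trusting the switch to move the port.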