Dynamic Vlan Allocation based on LDAP Attribute Value

Michael Schwartzkopff misch at multinet.de
Fri Feb 13 13:22:46 CET 2009


On Friday, 13 February 2009 12:36:09, Paul Dealy wrote:
> On Fri, Feb 13, 2009 at 10:16 PM, Michael Schwartzkopff
>
> <misch at multinet.de> wrote:
> > On Friday, 13 February 2009 11:54:29, Paul Dealy wrote:
> >> On Fri, Feb 13, 2009 at 9:12 PM, Michael Schwartzkopff
> >>
> >> <misch at multinet.de> wrote:
> >> > On Friday, 13 February 2009 11:00:10, Paul Dealy wrote:
> >> >> On Fri, Feb 13, 2009 at 6:37 PM, Michael Schwartzkopff
> >> >>
> >> >> <misch at multinet.de> wrote:
> >> >> > On Friday, 13 February 2009 07:17:17, Paul Dealy wrote:
> >> >> >> I have a working radius server (ver 1.1.3), which I am using for
> >> >> >> 802.1x authentication of wired switch ports.  I would like to
> >> >> >> dynamically assign users vlans.  I have cisco gear and have
> >> >> >> achieved basic vlan allocation by configuring a Default entry in
> >> >> >> the users file.   So the vlan allocation part works ok.
> >> >> >>
> >> >> >> What I want to be able to do is allocate the vlan by matching the
> >> >> >> value of an LDAP attribute.  Not by group membership, but the
> >> >> >> actual value of a users attribute.  Is this possible?
> >> >> >>
> >> >> >> Cheers,
> >> >> >> Dealy
> >> >> >
> >> >> > Yes. Just assign these attributes to the user object in LDAP.
> >> >>
> >> >> I have a value set for an attribute in LDAP, how do I "extract" the
> >> >> value from the attribute  and do a comparison on it in the users file
> >> >> so I can set the VLAN?
> >> >
> >> > Hi,
> >> >
> >> > I don't remember exactly what I did on version 1. Please see:
> >> > http://vuksan.com/linux/dot1x/802-1x-LDAP.html
> >> > for some hints.
> >> >
> >> > I had something like
> >> >
> >> > DEFAULT Auth-Type := LDAP
> >> >        Reply-Message = "Auth by LDAP"
> >> >
> >> > in my users file. Other attributes stored in an object of objectClass
> >> > radiusprofile should be added automatically to the Reply attributes.
> >>
> >> I don't actually want to add radiusprofile attributes to my LDAP.  The
> >> users already have an attribute which identifies their department.  I
> >> want to be able to say if "department attribute = X then allocate VLAN
> >> Y".  Can this be done without specifically setting the vlan etc as
> >> radiusprofile attributes.  Also I am not using ldap for the
> >> authentication, just authorization.  The authentication is done using
> >> ntlm_auth.
> >
> > Then you would have to re-map some LDAP-attribute of your objectClass to
> > Tunnel-Private-Group-ID. The Tunnel-Type=VLAN and
> > Tunnel-Medium-Type=IEEE-802 could be set in the DEFAULT section of the
> > users file.
> >
> > Please see the ldap.attrmap in your raddb dir for the mapping of
> > attributes.
>
> Am I correct in saying that the LDAP-attribute that is mapped to
> Tunnel-Private-Group-ID would need to be set to the value of the
> VLAN I require?  The LDAP-attribute that I wish to use currently
> contains values like "ITISCP" and "ENISCP".  I want to say if
> attribute value  == ITISCP set vlan to 226 (ie Tunnel-Private-Group-ID
> = 226).  Using ldap.attrmap mappings I would need to store the
> required vlan in a LDAP attribute.  (I can't change the LDAP only read
> it).

Even more complicated. Sorry, I did not read your previous mail completely.

Sending the department attribute (e.g. "ITISCP") might work if the switch 
understands it and can map it to the correct VLAN numbers. As far as I know, 
this can be done with Cisco. On other switches you have to check the user 
manual to see whether you can attach names to VLANs.

Otherwise you would have to add a new ou=profiles with several cn=<profile> of 
the objectClass radiusprofile. This radiusprofile would indicate the correct 
VLAN number. 

Then you could use the profile_attribute of the ldap module to point to the 
correct LDAP attribute of the user object that points to the correct 
attribute.  But you would have to fill that attribute manually with something 
like:
cn=vlan42profile,ou=profiles,ou=radius,dc=sample,dc=org

Perhaps it is better to automate that with a script that deduces it from the 
department attribute every hour. But once you start scripting that, you could 
also deduce the VLAN number from the department and fill it into an attribute 
of the user itself, and change ldap.attrmap to point to that attribute.

Greetings,
-- 
Dr. Michael Schwartzkopff
MultiNET Services GmbH
Address: Bretonischer Ring 7; 85630 Grasbrunn; Germany
Tel: +49 - 89 - 45 69 11 0
Fax: +49 - 89 - 45 69 11 21
mob: +49 - 174 - 343 28 75

mail: misch at multinet.de
web: www.multinet.de

Registered office: 85630 Grasbrunn
Register court: Amtsgericht München HRB 114375
Managing directors: Günter Jurgeneit, Hubert Martens

---

PGP Fingerprint: F919 3919 FF12 ED5A 2801 DEA6 AA77 57A4 EDD8 979B
Skype: misch42
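The hourly sync sketched in the last paragraph of the reply above, as an added example that is not code from the thread or from the FreeRADIUS project: a Python script that takes user entries (constructed sample data here, standing in for an LDAP search result), deduces the VLAN ID from the department attribute and emits the LDIF modifications that write it into a user attribute, which ldap.attrmap then maps to Tunnel-Private-Group-Id. The attribute names departmentNumber and x-radiusVlanId, the department-to-VLAN table and the ldap.attrmap line quoted in the docstring are assumptions, not from the original. It fails closed: a user with no department value, an unknown one, or several of them gets no VLAN attribute, and a stale one is removed, so nobody is promoted into another department's network by a bad or duplicated directory value.

```python
#!/usr/bin/env python3
"""Derive a VLAN ID from a user's department attribute and emit LDIF to store it.

Added example for the scripted approach described in the thread; not code from
the FreeRADIUS project or from the thread. Assumptions (not from the original):
the department lives in `departmentNumber`, the derived VLAN is written to a
site-specific attribute `x-radiusVlanId`, and FreeRADIUS 1.x maps that attribute
in raddb/ldap.attrmap with a line such as

    replyItem   Tunnel-Private-Group-Id   x-radiusVlanId

while Tunnel-Type = VLAN and Tunnel-Medium-Type = IEEE-802 come from the DEFAULT
entry in the users file.
"""

import base64

# Constructed table of department code -> VLAN ID. Only listed departments get a
# VLAN; anything else is treated as unknown (fail closed) rather than guessed.
DEPARTMENT_VLANS = {
    "ITISCP": 226,
    "ENISCP": 227,
}

DEPT_ATTR = "departmentNumber"   # assumed source attribute (read-only for us)
VLAN_ATTR = "x-radiusVlanId"     # assumed target attribute mapped in ldap.attrmap


def vlan_for(department):
    """Return the VLAN ID for a department code, or None when no rule matches.

    Matching ignores surrounding whitespace and case, since directory string
    attributes are normally compared case-insensitively.
    """
    if department is None:
        return None
    return DEPARTMENT_VLANS.get(department.strip().upper())


def desired_vlan(entry):
    """Decide the VLAN an entry should carry.

    `entry` is {"dn": str, "attrs": {name: [values]}}. A user with zero or
    several department values is ambiguous and gets no VLAN, so a stray extra
    value can never move someone into another department's network.
    """
    depts = entry["attrs"].get(DEPT_ATTR, [])
    if len(depts) != 1:
        return None
    return vlan_for(depts[0])


def _ldif_dn(dn):
    # LDIF requires base64 encoding for DNs that are not safe ASCII.
    if dn.isascii() and not dn.startswith((" ", ":", "<")):
        return "dn: " + dn
    return "dn:: " + base64.b64encode(dn.encode("utf-8")).decode("ascii")


def ldif_for_entry(entry):
    """Return an LDIF change record for `entry`, or None if nothing must change.

    Unknown departments cause the VLAN attribute to be deleted, so a user who
    leaves a mapped department does not keep the old VLAN in the directory.
    """
    current = entry["attrs"].get(VLAN_ATTR, [])
    want = desired_vlan(entry)
    if want is None:
        if not current:
            return None
        op = f"delete: {VLAN_ATTR}"
    else:
        if current == [str(want)]:
            return None
        op = f"replace: {VLAN_ATTR}\n{VLAN_ATTR}: {want}"
    return f"{_ldif_dn(entry['dn'])}\nchangetype: modify\n{op}\n-\n"


def sync_ldif(entries):
    """Concatenate the change records for all entries that need an update."""
    return "\n".join(r for r in (ldif_for_entry(e) for e in entries) if r)


if __name__ == "__main__":
    # Constructed sample entries standing in for an LDAP search result.
    SAMPLE = [
        {"dn": "uid=alice,ou=people,dc=sample,dc=org",
         "attrs": {DEPT_ATTR: ["ITISCP"]}},                      # needs 226
        {"dn": "uid=bob,ou=people,dc=sample,dc=org",
         "attrs": {DEPT_ATTR: ["ENISCP"], VLAN_ATTR: ["227"]}},  # already right
        {"dn": "uid=carol,ou=people,dc=sample,dc=org",
         "attrs": {DEPT_ATTR: ["HR"], VLAN_ATTR: ["226"]}},      # stale, remove
        {"dn": "uid=dave,ou=people,dc=sample,dc=org",
         "attrs": {DEPT_ATTR: ["ITISCP", "ENISCP"]}},            # ambiguous
    ]
    print(sync_ldif(SAMPLE), end="")
```

Feed the output to ldapmodify from a service account whose write access is limited to that single VLAN attribute; the department attribute stays read-only for the script, as it already is for the original poster. Users without a mapping get no Tunnel-Private-Group-Id and therefore land in the switch port's configured access VLAN, so that VLAN should be a restricted one.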



