Dynamic Vlan Allocation based on LDAP Attribute Value

Paul Dealy pdealy at gmail.com
Fri Feb 13 13:39:49 CET 2009


On Fri, Feb 13, 2009 at 11:22 PM, Michael Schwartzkopff
<misch at multinet.de> wrote:
> On Friday, 13 February 2009 12:36:09, Paul Dealy wrote:
>> On Fri, Feb 13, 2009 at 10:16 PM, Michael Schwartzkopff
>>
>> <misch at multinet.de> wrote:
>> > On Friday, 13 February 2009 11:54:29, Paul Dealy wrote:
>> >> On Fri, Feb 13, 2009 at 9:12 PM, Michael Schwartzkopff
>> >>
>> >> <misch at multinet.de> wrote:
>> >> > On Friday, 13 February 2009 11:00:10, Paul Dealy wrote:
>> >> >> On Fri, Feb 13, 2009 at 6:37 PM, Michael Schwartzkopff
>> >> >>
>> >> >> <misch at multinet.de> wrote:
>> >> >> > On Friday, 13 February 2009 07:17:17, Paul Dealy wrote:
>> >> >> >> I have a working radius server (ver 1.1.3), which I am using for
>> >> >> >> 802.1x authentication of wired switch ports.  I would like to
>> >> >> >> dynamically assign users vlans.  I have cisco gear and have
>> >> >> >> achieved basic vlan allocation by configuring a Default entry in
>> >> >> >> the users file.  So the vlan allocation part works ok.
>> >> >> >>
>> >> >> >> What I want to be able to do is allocate the vlan by matching the
>> >> >> >> value of an LDAP attribute.  Not by group membership, but the
>> >> >> >> actual value of a users attribute.  Is this possible?
>> >> >> >>
>> >> >> >> Cheers,
>> >> >> >> Dealy
>> >> >> >
>> >> >> > Yes. Just assign these attributes to the user object in LDAP.
>> >> >>
>> >> >> I have a value set for an attribute in LDAP, how do I "extract" the
>> >> >> value from the attribute  and do a comparison on it in the users file
>> >> >> so I can set the VLAN?
>> >> >
>> >> > Hi,
>> >> >
>> >> > I don't remember exactly what I did on version 1. Please see:
>> >> > http://vuksan.com/linux/dot1x/802-1x-LDAP.html
>> >> > for some hints.
>> >> >
>> >> > I had something like
>> >> >
>> >> > DEFAULT Auth-Type .= LDAP
>> >> >        Reply-Message = "Auth by LADP"
>> >> >
>> >> > in my users file. Other attributes stored in an object of objectClass
>> >> > radiusprofile should be added automatically to the Reply attributes.
>> >>
>> >> I don't actually want to add radiusprofile attributes to my LDAP.  The
>> >> users already have an attribute which identifies their department.  I
>> >> want to be able to say if "department attribute = X then allocate VLAN
>> >> Y".  Can this be done without specifically setting the vlan etc as
>> >> radiusprofile attributes.  Also I am not using ldap for the
>> >> authentication, just authorization.  The authentication is done using
>> >> ntlm_auth.
>> >
>> > Then you would have to re-map some LDAP-attribute of your objectClass to
>> > Tunnel-Private-Group-ID. The Tunnel-Type=VLAN and
>> > Tunnel-Medium-Type=IEEE-802 could be set in the DEFAULT section of the
>> > users file.
>> >
>> > Please see the ldap.attrmap in your raddb dir for the mapping of
>> > attributes.
>>
>> Am I correct in saying that the LDAP-attribute that is mapped to
>> Tunnel-Private-Group-ID would need to be set to the value of the
>> VLAN I require?  The LDAP-attribute that I wish to use currently
>> contains values like "ITISCP" and "ENISCP".  I want to say if
>> attribute value == ITISCP set vlan to 226 (ie Tunnel-Private-Group-ID
>> = 226).  Using ldap.attrmap mappings I would need to store the
>> required vlan in a LDAP attribute.  (I can't change the LDAP, only read
>> it).
>
> Even more complicated. Sorry, I did not read your previous mail completely.
>
> Sending the department attribute (i.e. "ITISCP") might work if the switch
> understands it and can map it to the correct VLAN numbers. As far as I know,
> this can be done with Cisco. On other switches you have to see in the user
> manual if you can attach names to VLANs.
>
> Otherwise you would have to add a new ou=profiles with several cn=<profile> of
> the objectClass radiusprofile. This radiusprofile would indicate the correct
> VLAN number.
>
> Then you could use the profile_attribute of the ldap module to point to the
> correct LDAP attribute of the user object that points to the correct
> attribute.  But you would have to fill that attribute manually with something
> like:
> cn=vlan42profile,ou=profiles,ou=radius,dc=sample,dc=org
>
> Perhaps it is better to do that automated by scripting, deduced from the
> department attribute every hour. But when you start scripting that, you also
> could deduce the VLAN number from the department and fill this into an attribute
> of the user itself and change ldap.attrmap pointing to that attribute.
>
> Greetings,
> --
> Dr. Michael Schwartzkopff
> MultiNET Services GmbH
> Address: Bretonischer Ring 7; 85630 Grasbrunn; Germany
> Tel: +49 - 89 - 45 69 11 0
> Fax: +49 - 89 - 45 69 11 21
> mob: +49 - 174 - 343 28 75
>
> mail: misch at multinet.de
> web: www.multinet.de
>
> Registered office: 85630 Grasbrunn
> Registration court: Amtsgericht München HRB 114375
> Managing directors: Günter Jurgeneit, Hubert Martens
>
> ---
>
> PGP Fingerprint: F919 3919 FF12 ED5A 2801 DEA6 AA77 57A4 EDD8 979B
> Skype: misch42
>
>

Thanks for your help.  Looks like I need to talk to the ldap admins
and get them to script populating the radiusprofile attributes.  It's
a pity, because getting changes made to ldap becomes a big red tape
exercise within the department.
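The "script it every hour" approach discussed in the thread, as an added example that is not from the thread or from FreeRADIUS itself: derive each user's VLAN from the department value, write the result into a user attribute that ldap.attrmap maps to Tunnel-Private-Group-Id, and leave the VLAN unset whenever the department is missing, unknown or ambiguous instead of guessing. The attribute names `departmentNumber` and `radiusTunnelPrivateGroupId`, the DNs and the department codes other than ITISCP/226 are assumptions or constructed sample data; the script emits LDIF for review rather than writing to the directory directly.

```python
"""Derive a per-user VLAN from an LDAP department attribute and emit LDIF.

Added example, not code from the thread or from FreeRADIUS. Assumptions
(not from the thread): the department lives in `departmentNumber`, the VLAN
is stored in `radiusTunnelPrivateGroupId` (the attribute the stock
ldap.attrmap maps to Tunnel-Private-Group-Id), and the entries below are
constructed sample data, not a real directory.
"""
from __future__ import annotations

from typing import Dict, List, Optional

Entry = Dict[str, List[str]]

# Department code -> VLAN ID. ITISCP -> 226 is the example from the thread;
# the other entry is constructed.
DEPARTMENT_VLANS: Dict[str, int] = {
    "ITISCP": 226,
    "ENISCP": 227,  # constructed
}

DEPT_ATTR = "departmentNumber"            # assumed name of the department attribute
VLAN_ATTR = "radiusTunnelPrivateGroupId"  # mapped by ldap.attrmap to Tunnel-Private-Group-Id

# Constructed LDAP search results, one dict per user entry.
SAMPLE_USERS: List[Entry] = [
    {"dn": ["uid=alice,ou=people,dc=example,dc=org"], DEPT_ATTR: ["ITISCP"]},
    {"dn": ["uid=bob,ou=people,dc=example,dc=org"], DEPT_ATTR: ["ENISCP"], VLAN_ATTR: ["227"]},
    {"dn": ["uid=carol,ou=people,dc=example,dc=org"], DEPT_ATTR: ["HRDEPT"]},   # unknown dept
    {"dn": ["uid=dave,ou=people,dc=example,dc=org"]},                            # no dept at all
    {"dn": ["uid=eve,ou=people,dc=example,dc=org"], DEPT_ATTR: ["HRDEPT"], VLAN_ATTR: ["226"]},  # stale
]


def vlan_for(entry: Entry) -> Optional[int]:
    """Return the VLAN for an entry, or None if it cannot be determined.

    A user with no department, an unknown department, or several
    conflicting department values gets no VLAN rather than a guessed one,
    and a VLAN outside 1..4094 is treated as a configuration error.
    """
    departments = set(entry.get(DEPT_ATTR, []))
    if len(departments) != 1:
        return None
    vlan = DEPARTMENT_VLANS.get(departments.pop())
    if vlan is None or not 1 <= vlan <= 4094:
        return None
    return vlan


def ldif_modify(dn: str, vlan: Optional[int]) -> str:
    """Build one LDIF 'changetype: modify' record that sets or clears the VLAN attribute."""
    if vlan is None:
        body = f"delete: {VLAN_ATTR}\n"
    else:
        body = f"replace: {VLAN_ATTR}\n{VLAN_ATTR}: {vlan}\n"
    return f"dn: {dn}\nchangetype: modify\n{body}-\n"


def plan_changes(entries: List[Entry]) -> List[str]:
    """Return LDIF records only for entries whose stored VLAN differs from the derived one."""
    records: List[str] = []
    for entry in entries:
        dn = entry["dn"][0]
        wanted = vlan_for(entry)
        current = entry.get(VLAN_ATTR, [])
        wanted_values = [] if wanted is None else [str(wanted)]
        if current != wanted_values:
            records.append(ldif_modify(dn, wanted))
    return records


if __name__ == "__main__":
    # Print the LDIF so the directory admins can review it before applying.
    print("\n".join(plan_changes(SAMPLE_USERS)))
```

On the RADIUS side the thread's DEFAULT entry supplies Tunnel-Type = VLAN and Tunnel-Medium-Type = IEEE-802 for everyone, while the stock `replyItem Tunnel-Private-Group-Id radiusTunnelPrivateGroupId` line in ldap.attrmap adds the per-user VLAN; a user with no `radiusTunnelPrivateGroupId` gets no VLAN reply item, so the switch falls back to whatever it does for ports without a VLAN assignment, which is the behaviour you want for unknown departments rather than a guessed VLAN.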



