Dynamic Vlan Allocation based on LDAP Attribute Value

Paul Dealy pdealy at gmail.com
Tue Feb 17 02:15:07 CET 2009

On Tue, Feb 17, 2009 at 11:44 AM,  <tnt at kalik.net> wrote:
>>I'm using version 1.1.3 so, I moved the "files" entry below the ldap
>>entry but my DEFAULT entry in the file: users does not match or return
>>any value.
> You should upgrade. Did something else match in files? Post the debug.

Stuck with this version for now.

I have a "catchall" DEFAULT entry with no comparison which set the
vlan.  But it didn't match on the userORGUNIT ldap attribute. value

modcall: entering group authorize for request 2
  modcall[authorize]: module "preprocess" returns ok for request 2
  modcall[authorize]: module "chap" returns noop for request 2
  modcall[authorize]: module "mschap" returns noop for request 2
rlm_ldap: - authorize
rlm_ldap: performing user authorization for asmith
radius_xlat:  '(&(objectClass=inetOrgPerson)(cn=asmith))'
radius_xlat:  'o=sut'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in o=sut, with filter
rlm_ldap: checking if remote access for asmith is allowed by userORGUNIT
rlm_ldap: looking for check items in directory...
rlm_ldap: Adding userORGUNIT as userORGUNIT, value ISITCP & op=21
rlm_ldap: looking for reply items in directory...
rlm_ldap: user asmith authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module "ldap" returns ok for request 2
    users: Matched entry DEFAULT at line 25
  modcall[authorize]: module "files" returns ok for request 2
  rlm_eap: EAP packet type response id 4 length 6
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 2
modcall: leaving group authorize (returns updated) for request 2
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 2
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/peap
  rlm_eap: processing type peap
  rlm_eap_peap: Authenticate
  rlm_eap_tls: processing TLS
rlm_eap_tls: Received EAP-TLS ACK message
  rlm_eap_tls: ack handshake fragment handler
  eaptls_verify returned 1
  eaptls_process returned 13
  rlm_eap_peap: EAPTLS_HANDLED
  modcall[authenticate]: module "eap" returns handled for request 2
modcall: leaving group authenticate (returns handled) for request 2
Sending Access-Challenge of id 35 to xxx.xxx.xxx.xxx port 1645
        Tunnel-Type:0 = VLAN
        Tunnel-Medium-Type:0 = IEEE-802
        Tunnel-Private-Group-Id:0 = "226"
        EAP-Message =
        EAP-Message =
        EAP-Message =
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xb4d641b20399b8f92c0d9fb148763ead
Finished request 2
Going to the next request

The users file looks like:

        tunnel-type = VLAN,
        tunnel-medium-type = IEEE-802,
        tunnel-private-group-ID = 5,
        Fall-Through = No

        tunnel-type = VLAN,
        tunnel-medium-type = IEEE-802,
        tunnel-private-group-ID = 226,
        Fall-Through = No

> Ivan Kalik
> Kalik Informatika ISP
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

More information about the Freeradius-Users mailing list