interpret check-Item and change reply-item to set VLAN
Michael Bathe
michael.bathe at gfz-potsdam.de
Mon Sep 13 14:44:23 CEST 2010
Hello list,
is there any how-to or solution to interpret the ldap checkItem and
change the replyItem (I think in inner-tunnel)?
e.g.: if the checkItem matches one of 'sec11', 'Sec11', 'SEC11'... the
replyItem should be set to '111'.
ldap.attrmap:
checkItem Tunnel-Private-Group-Id sectionNetwork
replyItem Tunnel-Private-Group-Id sectionNetwork
the following in the users file won't work:
DEFAULT Tunnel-Private-Group-Id == "sec11"
        Tunnel-Private-Group-Id = 111,
        Reply-Message += "changed "

DEFAULT Auth-Type == EAP
        Tunnel-Medium-Type = "IEEE-802",
        Tunnel-Type = "VLAN",
        Reply-Message += "Access success for %{User-Name}.",
        Fall-Through = no
I use FreeRADIUS Version 2.1.6, for host i386-pc-solaris2.8, openLDAP,
802.1x with mschapv2. This works fine for me.
radiusd -X output:
...
rlm_ldap: performing search in dc=domain,dc=de, with filter (uid=user)
checking if remote access for user is allowed by uid
looking for check items in directory...
rlm_ldap: sectionNetwork -> Tunnel-Private-Group-Id:0 == "sec11"
rlm_ldap: sambaNTPassword -> NT-Password == <removed>
rlm_ldap: sambaLMPassword -> LM-Password == <removed>
looking for reply items in directory...
rlm_ldap: sectionNetwork -> Tunnel-Private-Group-Id:0 = "sec11"
WARNING: No "known good" password was found in LDAP. Are you sure that
the user is configured correctly?
user user authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap] returns ok
...
++[eap] returns ok
} # server inner-tunnel
Got tunneled reply code 2
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Type:0 = VLAN
Reply-Message = "Access success for user."
Tunnel-Private-Group-Id:0 = "sec11"
EAP-Message = 0x03090004
Message-Authenticator = 0x00000000000000000000000000000000
User-Name = "user"
Got tunneled reply RADIUS code 2
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Type:0 = VLAN
Reply-Message = "Access success for user."
Tunnel-Private-Group-Id:0 = "sec11"
EAP-Message = 0x03090004
Message-Authenticator = 0x00000000000000000000000000000000
User-Name = "user"
Tunneled authentication was successful.
SUCCESS
Saving tunneled attributes for later
++[eap] returns handled
...
Sending Access-Accept of id 131 to 10.0.0.12 port 1645
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Type:0 = VLAN
Reply-Message = "Access success for user."
Tunnel-Private-Group-Id:0 = "sec11"
User-Name = "user"
MS-MPPE-Recv-Key =
0x611ed2d5955bded1d3302045c5930fd4aad610a0b6f5aa1045ba0477f12b7eee
MS-MPPE-Send-Key =
0xc38e1cad9590596e3902a46a40706ad8bde70f05bde110698b631b503c00f51b
EAP-Message = 0x030a0004
Message-Authenticator = 0x00000000000000000000000000000000
Finished request 10.
...
thanks and
best regards
Michael
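One way to do the mapping the post asks about, written in unlang for the inner-tunnel virtual server (added example, not part of the original post or the FreeRADIUS distribution). It assumes ldap.attrmap keeps only the checkItem line for sectionNetwork, so the raw group name lands in the control list and is never copied verbatim into the reply, and it assumes the `/i` regex flag is available on the running version; the VLAN IDs are placeholders.

```unlang
# Excerpt for raddb/sites-enabled/inner-tunnel (added example, not from the post).
# Prerequisite: ldap.attrmap contains
#   checkItem  Tunnel-Private-Group-Id  sectionNetwork
# and no replyItem line for sectionNetwork, so the reply is built here, not by rlm_ldap.
authorize {
        # ... other modules as in the stock inner-tunnel ...
        ldap

        # Case-insensitive match on the value rlm_ldap placed in control:
        # (this covers sec11, Sec11, SEC11, ...). Only names listed here get a VLAN.
        if (control:Tunnel-Private-Group-Id =~ /^sec11$/i) {
                update reply {
                        Tunnel-Type := VLAN
                        Tunnel-Medium-Type := IEEE-802
                        Tunnel-Private-Group-Id := "111"     # placeholder VLAN ID
                        Reply-Message += "changed "
                }
        }
        elsif (control:Tunnel-Private-Group-Id =~ /^sec12$/i) {
                update reply {
                        Tunnel-Type := VLAN
                        Tunnel-Medium-Type := IEEE-802
                        Tunnel-Private-Group-Id := "112"     # placeholder VLAN ID
                }
        }
        else {
                # Unknown or missing group: deliberately assign no VLAN so the switch
                # does not place the port on an unintended network; log it for review.
                update request {
                        Module-Failure-Message := "no VLAN mapping for %{control:Tunnel-Private-Group-Id}"
                }
        }

        # ... eap etc. ...
}
```

Because the tunneled reply is copied to the outer Access-Accept (see "Saving tunneled attributes for later" in the debug output), the rewritten Tunnel-Private-Group-Id reaches the switch without a further users-file entry.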