interpret check-Item and change reply-item to set VLAN

Michael Bathe michael.bathe at gfz-potsdam.de
Mon Sep 13 14:44:23 CEST 2010


Hello list,

is there any how-to or solution to interpret the LDAP checkItem and
change the replyItem (I think in inner-tunnel)?
E.g.: if the checkItem matches one of 'sec11', 'Sec11', 'SEC11'..., the
replyItem should be set to '111'.

ldap.attrmap:
checkItem       Tunnel-Private-Group-Id         sectionNetwork
replyItem       Tunnel-Private-Group-Id         sectionNetwork

The following in the users file won't work:

DEFAULT Tunnel-Private-Group-Id == "sec11"
        Tunnel-Private-Group-Id=111,
        Reply-Message += "changed "

DEFAULT Auth-Type == EAP
        Tunnel-Medium-Type = "IEEE-802",
        Tunnel-Type = "VLAN",
        Reply-Message += "Access success for %{User-Name}.",
        Fall-Through = no

I use FreeRADIUS version 2.1.6, built for host i386-pc-solaris2.8, with
OpenLDAP and 802.1X with MSCHAPv2. This works fine for me.

radiusd -X output:
...
rlm_ldap: performing search in dc=domain,dc=de, with filter (uid=user)
checking if remote access for user is allowed by uid
looking for check items in directory...
rlm_ldap: sectionNetwork -> Tunnel-Private-Group-Id:0 == "sec11"
rlm_ldap: sambaNTPassword -> NT-Password == <removed>
rlm_ldap: sambaLMPassword -> LM-Password == <removed>
looking for reply items in directory...
rlm_ldap: sectionNetwork -> Tunnel-Private-Group-Id:0 = "sec11"
WARNING: No "known good" password was found in LDAP.  Are you sure that
the user is configured correctly?
user user authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap] returns ok
...
++[eap] returns ok
} # server inner-tunnel
Got tunneled reply code 2
        Tunnel-Medium-Type:0 = IEEE-802
        Tunnel-Type:0 = VLAN
        Reply-Message = "Access success for user."
        Tunnel-Private-Group-Id:0 = "sec11"
        EAP-Message = 0x03090004
        Message-Authenticator = 0x00000000000000000000000000000000
        User-Name = "user"
Got tunneled reply RADIUS code 2
        Tunnel-Medium-Type:0 = IEEE-802
        Tunnel-Type:0 = VLAN
        Reply-Message = "Access success for user."
        Tunnel-Private-Group-Id:0 = "sec11"
        EAP-Message = 0x03090004
        Message-Authenticator = 0x00000000000000000000000000000000
        User-Name = "user"
Tunneled authentication was successful.
SUCCESS
Saving tunneled attributes for later
++[eap] returns handled
 ...
Sending Access-Accept of id 131 to 10.0.0.12 port 1645
        Tunnel-Medium-Type:0 = IEEE-802
        Tunnel-Type:0 = VLAN
        Reply-Message = "Access success for user."
        Tunnel-Private-Group-Id:0 = "sec11"
        User-Name = "user"
        MS-MPPE-Recv-Key =
0x611ed2d5955bded1d3302045c5930fd4aad610a0b6f5aa1045ba0477f12b7eee
        MS-MPPE-Send-Key =
0xc38e1cad9590596e3902a46a40706ad8bde70f05bde110698b631b503c00f51b
        EAP-Message = 0x030a0004
        Message-Authenticator = 0x00000000000000000000000000000000
Finished request 10.
...

Thanks and

best regards

Michael
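One way to do the mapping the post asks for, as an added example that is not part of the original message, of the FreeRADIUS distribution, or of any reply on the list. It is an unlang fragment for sites-enabled/inner-tunnel in FreeRADIUS 2.1.x and assumes the rlm_ldap default of compare_check_items = no (so the LDAP checkItem Tunnel-Private-Group-Id == "sec11" is placed in the control list without being compared against the request, and the replyItem is placed in the reply list, which is what the radiusd -X output above shows), and that use_tunneled_reply = yes is set in the peap section of eap.conf (the outer Access-Accept above already carries the tunneled attributes, so that appears to be the case). The second section label 'sec12' and VLAN '112' are placeholders, not values from the post.

```unlang
# sites-enabled/inner-tunnel, FreeRADIUS 2.1.x. Added example, not the
# original poster's configuration. Assumes compare_check_items = no in
# modules/ldap (the default), so the LDAP check item is never compared
# against the request, and use_tunneled_reply = yes in eap.conf (peap).
post-auth {
    # Match the label stored in LDAP (attrmap: sectionNetwork). A bracketed
    # character class gives a case-insensitive match without depending on
    # a regex flag, so 'sec11', 'Sec11' and 'SEC11' all match.
    if (reply:Tunnel-Private-Group-Id =~ /^[sS][eE][cC]11$/) {
        update reply {
            # ":=" replaces the "sec11" the ldap module put in the reply;
            # the switch expects a numeric VLAN ID, not the section label.
            Tunnel-Private-Group-Id:0 := "111"
            Reply-Message += "changed "
        }
    }
    # Each further section gets its own branch. 'sec12' -> '112' is a
    # placeholder, not a value from the original post.
    elsif (reply:Tunnel-Private-Group-Id =~ /^[sS][eE][cC]12$/) {
        update reply {
            Tunnel-Private-Group-Id:0 := "112"
        }
    }
    # Unknown label: strip the tunnel attributes instead of sending the
    # switch a string it cannot parse as a VLAN ID, so the port stays on
    # its configured default VLAN and the problem shows up in the log.
    else {
        update reply {
            Tunnel-Private-Group-Id !* ANY
            Tunnel-Type !* ANY
            Tunnel-Medium-Type !* ANY
        }
    }
}
```

post-auth is used rather than the users file because rlm_files compares check items against the request packet, which never contains Tunnel-Private-Group-Id; the value only exists in the control and reply lists after the ldap module has run. The same block could sit in authorize directly after `ldap`, but post-auth sees the reply in its final form, after the `DEFAULT Auth-Type == EAP` entry has added Tunnel-Type and Tunnel-Medium-Type. Because the outer server copies the tunneled reply as-is, the Access-Accept to the switch then carries Tunnel-Private-Group-Id:0 = "111" instead of "sec11".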