problems with dynamic vlan assignment

Eric Doutreleau Eric.Doutreleau at it-sudparis.eu
Thu Sep 16 11:16:45 CEST 2010


Thanks for your reply.

Here is what I did.

In the ldap.attrmap I put
checkItem       User-Category eduPersonPrimaryAffiliation

In the users file I did
DEFAULT
         Tunnel-Type := VLAN,
         Tunnel-Medium-Type := IEEE-802,
         Tunnel-Private-Group-Id = 901,
         Fall-Through = Yes

DEFAULT User-Category == "student"
         Reply-Message = "Your a member of the student Group",
         Tunnel-Private-Group-Id = 902

DEFAULT User-Category == "employee"
         Reply-Message = "Your a member of the employee Group",
         Tunnel-Private-Group-Id = 903

In the inner-tunnel file I have

authorize {
	chap
	mschap
	uni
	suffix
	update control {
	       Proxy-To-Realm := LOCAL
	}
	eap {
		ok = return
	}
	ldap
         files
	expiration
	logintime
	pap
}

I got the following logs
........

[eap] EAP packet type response id 7 length 6
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
[ldap] performing user authorization for doutrele
[ldap] 	expand: %{Stripped-User-Name} -> doutrele
[ldap] 	expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=doutrele)
[ldap] 	expand: dc=int-evry,dc=fr -> dc=int-evry,dc=fr
   [ldap] ldap_get_conn: Checking Id: 0
   [ldap] ldap_get_conn: Got Id: 0
   [ldap] performing search in dc=int-evry,dc=fr, with filter (uid=doutrele)
[ldap] looking for check items in directory...
   [ldap] eduPersonPrimaryAffiliation -> User-Category == "employee"
   [ldap] sambaNtPassword -> NT-Password == 0x3846343134354531463530334232353337443430363846343942363633434143
   [ldap] sambaLmPassword -> LM-Password == 0x4434413632394242394536303843323438423045413541374446313335423033
[ldap] looking for reply items in directory...
WARNING: No "known good" password was found in LDAP.  Are you sure that the user is configured correctly?
[ldap] user doutrele authorized to use remote access
   [ldap] ldap_release_conn: Release Id: 0
++[ldap] returns ok
[files] users: Matched entry DEFAULT at line 166
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] Normalizing NT-Password from hex encoding
[pap] Normalizing LM-Password from hex encoding
[pap] Found existing Auth-Type, not changing it.
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/mschapv2
[eap] processing type mschapv2
[eap] Freeing handler
++[eap] returns ok
......

The line 166 in my users file is this one:
DEFAULT
         Tunnel-Type := VLAN,
         Tunnel-Medium-Type := IEEE-802,
         Tunnel-Private-Group-Id = 901,
         Fall-Through = Yes

and I don't match the following entry:
DEFAULT User-Category == "employee"
         Reply-Message = "Your a member of the employee Group",
         Tunnel-Private-Group-Id = 903

and I really don't know why.

On 16/09/2010 09:44, Phil Mayers wrote:
>
>> [ldap] expand: dc=int-evry,dc=fr -> dc=int-evry,dc=fr
>> [ldap] ldap_get_conn: Checking Id: 0
>> [ldap] ldap_get_conn: Got Id: 0
>> [ldap] attempting LDAP reconnection
>> [ldap] (re)connect to ldapdev.int-evry.fr:389, authentication 0
>> [ldap] bind as cn=admin,dc=int-evry,dc=fr/admldap to
>> ldapdev.int-evry.fr:389
>> [ldap] waiting for bind result ...
>> [ldap] Bind was successful
>> [ldap] performing search in dc=int-evry,dc=fr, with filter (uid=doutrele)
>> [ldap] looking for check items in directory...
>> [ldap] sambaNtPassword -> NT-Password ==
>> 0x3846343134354531463530334232353337443430363846343942363633434143
>> [ldap] sambaLmPassword -> LM-Password ==
>> 0x4434413632394242394536303843323438423045413541374446313335423033
>> [ldap] looking for reply items in directory...
>> [ldap] eduPersonPrimaryAffiliation -> User-Category = "employee"
>
> Two issues; first, as above you're adding the User-Category item from
> LDAP into the reply list, but the "files" syntax doesn't (can't) match
> items in the reply list. This:
>
> DEFAULT User-Category == "employee"
>
> means "match all requests with the attribute User-Category == employee in
> the *request* items"
>
> Secondly, I think you're running LDAP after "files", so even if it could
> match, it would not.
>
> Try something like this in sites-available/inner-tunnel:
>
> authorize {
> ...
> ldap
> if (reply:User-Category == employee) {
> update reply {
> Tunnel-Private-Group-Id := 1234
> }
> }
> elsif (reply:User-Category == ...) {
> }
>
> }
>
> Or, modify your ldap.attrmap to put the User-Category into the request
> items (assuming your NAS doesn't need it) then move the files module
> after the ldap one.
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
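Phil's first suggestion, written out for the three VLANs used in this thread. This is an added example, not configuration posted by either participant; it assumes the ldap.attrmap line is changed to `replyItem User-Category eduPersonPrimaryAffiliation` so the affiliation lands in the reply list, and it replaces the authorize section of sites-available/inner-tunnel shown above.

```unlang
authorize {
	chap
	mschap
	uni
	suffix
	update control {
		Proxy-To-Realm := LOCAL
	}
	eap {
		ok = return
	}

	# ldap must run before the comparison so reply:User-Category exists
	ldap

	# default VLAN 901, overridden below when an affiliation matches
	update reply {
		Tunnel-Type := VLAN
		Tunnel-Medium-Type := IEEE-802
		Tunnel-Private-Group-Id := 901
	}

	# compare against the *reply* list, which "files" cannot do
	if (reply:User-Category == "student") {
		update reply {
			Tunnel-Private-Group-Id := 902
			Reply-Message := "You are a member of the student group"
		}
	}
	elsif (reply:User-Category == "employee") {
		update reply {
			Tunnel-Private-Group-Id := 903
			Reply-Message := "You are a member of the employee group"
		}
	}

	# the affiliation was only needed for the decision; do not send it to the NAS
	update reply {
		User-Category !* ANY
	}

	# "files" is left out here because the VLAN DEFAULT entries moved above;
	# put it back after ldap if the users file does anything else
	expiration
	logintime
	pap
}
```

For PEAP or TTLS, the Tunnel-* attributes set in the inner tunnel only reach the switch if `use_tunneled_reply = yes` is set in the peap/ttls section of eap.conf. Check with `radiusd -X` that the `if (reply:User-Category == ...)` branch reports a match for a test user.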


