dynamic VLAN assignment w/ mschapv2 against AD and LDAP
Alexander Clouter
alex at digriz.org.uk
Tue Jan 25 10:23:38 CET 2011
schilling <schilling2006 at gmail.com> wrote:
>
> Thanks a lot.
>
> More questions.
>
> If you want to lower the load (and authentication latency) on your AD
> servers then you might want to look at the following too:
>
> http://www.mail-archive.com/freeradius-users@lists.freeradius.org/msg65781.html
>
First things first, did you get it all working? If not, start there.
When I say 'lower the load', all it does is reduce the number of EAP
packets from about 12 to 4 that are needed for a session resumption; but
also means you only need two LDAP lookups rather that 12. So your AD
load will go from 0.000001 to 0.0000000001 or something. I am bigging
up the numbers more than it is worth (although the latency bit is
possibly handy for roaming devices).
> I am trying to follow your comment on this. I now realized we used to
> run eDir and now converted to iplanet directory. Anyway, do I still
> need to enable the compilation --with-edir option as stated below? My
> guess is yes since otherwise, I could not call ldap in the post-auth
> section in "auth" virtual server for eap.
> ##etc/raddb/modules/ldap
> # Un-comment the following to disable Novell
> # eDirectory account policy check and intruder
> # detection. This will work *only if* FreeRADIUS is
> # configured to build with --with-edir option.
> #
> #edir_account_policy_check = no
>
> What I want to do is just to check some attribute in our ldap server,
> our structure is like the following:
> # extended LDIF
> #
> # LDAPv3
> # base <ou=people,dc=foo,dc=edu> with scope subtree
> # filter: uid=sding
> # requesting: ALL
> #
>
> # sding, People, foo.edu
> dn: uid=sding,ou=People,dc=foo,dc=edu
> ntPassword: 123F0AE5D10B5CCD1A7366E8DEABCDE
> fooEduPSHRdeptName: Information Technology Service (ITS)
> fooEduPSHRDepartmentNumber: 123456
> fooEduEmployeeStatus: Active
> employeeStatus: Active
> uid: sding
>
The eDir bit's are probably not needed as you are using mschap with
those 'ntPassword' attributes. eDir has 'universal password' which is a
sales monkey's way of saying "the password is available in plaintext if
required". Sounds like to me you do not currently have FreeRADIUS setup
working the way you want it to?
> I would like to cache the following attribut/value in your example
> cache_ldap-userdn.pm, so I can use these values as logic to assign
> user to different VLANs. Can I do that in your pm?
> fooEduPSHRdeptName: Information Technology Service (ITS)
> fooEduPSHRDepartmentNumber: 123456
> fooEduEmployeeStatus: Active
> employeeStatus: Active
>
Looks like 'employeeStatus' should go in as part of your user filter,
but to do the others I would need to generalise my Perl module. Easily
done, but I'm not going to do it before I know actually have it already
working. :)
/me pats sigmonster and gives it a cookie
Cheers
--
Alexander Clouter
.sigmonster says: Success is a journey, not a destination.
More information about the Freeradius-Users
mailing list