dynamic VLAN assignment w/ mschapv2 against AD and LDAP

Tue Jan 25 16:19:03 CET 2011

I believe I resolved this.  I used eapol_test to get all wanted
result, and will try on real NAS later on.

The following is what I did. Basically I followed Alexander's example,
Modified peap section in eap.conf to use another virtual server "auth"
instead of inner-tunnel virtual server.  I almost blindly copied
Alexander's example in auth server except I removed the reject for the
realm checks.

The ldap cache pm is not needed in my case since I do not query
windows AD via LDAP to get their attributes. If I want to do ldap
after ntlm against AD, then Alexander's pm might be needed.

Then I want to map certain attribute like employeeStatus from our
iPlanet ldap server to some radius attribute, so I can manipulate it
in the post-auth section.
I put the following line in etc/raddb/dictionary
ATTRIBUTE       My-Local-employeeStatus 3000    string

and the following line in etc/raddb/ldap.attrmap
#FOO specific attributes
replyItem       My-Local-employeeStatus         employeeStatus

Without these two line addition, radius will complain unknown attribute.

Then in the post-auth section

#default will have no Tunnel attribute/value, instead, they will be
configured on
#the NAS to go to student VLANs.

# this will cover my ldap ntPassword authentication/authorization
#facstaff have employeeStatus set while student does not
        if ( "%{User-Name}" =~ /@/ && "%{reply:My-Local-employeeStatus}" ) {
                update reply {
                        Service-Type = "Framed-User"
                        Tunnel-Type = "VLAN"
                        Tunnel-Medium-Type = "IEEE-802"
                        Tunnel-Private-Group-Id = "facstaff"
                }
        }
#this will cover my AD ntlm auth, People in AD are all facstaff
        if ( "%{User-Name}" !~ /@/  ) {
                update reply {
                        Service-Type = "Framed-User"
                        Tunnel-Type = "VLAN"
                        Tunnel-Medium-Type = "IEEE-802"
                        Tunnel-Private-Group-Id = "facstaff"
                }
        }

In this way, people can map arbitrary attribute from ldap to radius,
if not in dictionary/ldap.attrmap, then just defined your own. Then
you have flexibility of using these attribute/value in your logic at
post-auth section.

Thanks all for the hints and help!

Schilling

On Tue, Jan 25, 2011 at 4:23 AM, Alexander Clouter <alex at digriz.org.uk> wrote:
> schilling <schilling2006 at gmail.com> wrote:
>>
>> Thanks a lot.
>>
>> More questions.
>>
>> If you want to lower the load (and authentication latency) on your AD
>> servers then you might want to look at the following too:
>>
>> http://www.mail-archive.com/freeradius-users@lists.freeradius.org/msg65781.html
>>
> First things first, did you get it all working?  If not, start there.
> When I say 'lower the load', all it does is reduce the number of EAP
> packets from about 12 to 4 that are needed for a session resumption; but
> also means you only need two LDAP lookups rather that 12.  So your AD
> load will go from 0.000001 to 0.0000000001 or something.  I am bigging
> up the numbers more than it is worth (although the latency bit is
> possibly handy for roaming devices).
>
>> I am trying to follow your comment on this.  I now realized we used to
>> run eDir and now converted to iplanet directory. Anyway, do I still
>> need to enable the compilation --with-edir option as stated below? My
>> guess is yes since otherwise, I could not call ldap in the post-auth
>> section in "auth" virtual server for eap.
>> ##etc/raddb/modules/ldap
>> #  Un-comment the following to disable Novell
>>                #  eDirectory account policy check and intruder
>>                #  detection. This will work *only if* FreeRADIUS is
>>                #  configured to build with --with-edir option.
>>                #
>>                #edir_account_policy_check = no
>>
>> What I want to do is just to check some attribute in our ldap server,
>> our structure is like the following:
>> # extended LDIF
>> #
>> # LDAPv3
>> # base <ou=people,dc=foo,dc=edu> with scope subtree
>> # filter: uid=sding
>> # requesting: ALL
>> #
>>
>> # sding, People, foo.edu
>> dn: uid=sding,ou=People,dc=foo,dc=edu
>> ntPassword: 123F0AE5D10B5CCD1A7366E8DEABCDE
>> fooEduPSHRdeptName: Information Technology Service (ITS)
>> fooEduPSHRDepartmentNumber: 123456
>> fooEduEmployeeStatus: Active
>> employeeStatus: Active
>> uid: sding
>>
> The eDir bit's are probably not needed as you are using mschap with
> those 'ntPassword' attributes.  eDir has 'universal password' which is a
> sales monkey's way of saying "the password is available in plaintext if
> required".  Sounds like to me you do not currently have FreeRADIUS setup
> working the way you want it to?
>
>> I would like to cache the following attribut/value in your example
>> cache_ldap-userdn.pm, so I can use these values as logic to assign
>> user to different VLANs.  Can I do that in your pm?
>> fooEduPSHRdeptName: Information Technology Service (ITS)
>> fooEduPSHRDepartmentNumber: 123456
>> fooEduEmployeeStatus: Active
>> employeeStatus: Active
>>
> Looks like 'employeeStatus' should go in as part of your user filter,
> but to do the others I would need to generalise my Perl module.  Easily
> done, but I'm not going to do it before I know actually have it already
> working. :)
>
> /me pats sigmonster and gives it a cookie
>
> Cheers
>
> --
> Alexander Clouter
> .sigmonster says: Success is a journey, not a destination.
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>