freeRadius/LDAP per NAS access
Guy
guy at britewhite.net
Tue Mar 8 13:54:41 CET 2011
On 7 Mar 2011, at 22:14, Alexander Clouter wrote:
> Guy <guy at britewhite.net> wrote:
>>
>> I now have FreeRadius granting access and using LDAP for username and
>> password information.
>>
>> My next challenge, using the same Radius and LDAP server I would like
>> to grant different users access via different NAS clients.
>>
>> eg in LDAP I would have:
>>
>> uid=guy
>> services: VPN
>> services: WiFi
>>
>> If I have the "services: VPN" then I would be allowed to connect to
>> the VPN server and if I don't have that entry in my LDIF then it would
>> not be allowed to access.
>>
>> Any ideas on how to do this, simply?
>>
> ..."Dear Lazyweb" eh? You should really *attempt* to try, or show you
> have attempted something,
"Dear Teacher", just like back at school "Please show your working.." :)
I did spend quite some time searching for the answer, however documentation "end-to-end" seems to be a little lacking.
>
> http://www.mail-archive.com/freeradius-users@lists.freeradius.org/msg59481.html
> http://www.mail-archive.com/freeradius-users@lists.freeradius.org/msg62699.html
>
> Now use "%{client:keyword}" in your LDAP xlat search query...
>
Thanks for the hints.. I've now got this to work...

In modules/ldap I changed filter to:

    filter = "(&(uid=%{%{Stripped-User-Name}:-%{User-Name}})(authorizedService=%{client:service}))"

Then in clients.conf.. just added an entry to each client:

    client VPN_Server {
        secret = ssshhh!
        shortname = vpn
        nastype = other
        service = VPN
    }

And finally for each user in the LDAP database I add the entry:

    authorizedService: VPN

That's it, I can now control access to each client via VPN data.
> To be honest though, your approach *abuses* LDAP, you should be adding
> them to a *group*, not bloating-up and overloading the user object;
> otherwise you might as well use something horrible like SQL...
>
I would argue that point most strongly but this is not the place..
Thanks again for the help
--Guy
> Cheers
>
> --
> Alexander Clouter
> .sigmonster says: A woman can never be too rich or too thin.
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
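
The access decision produced by the filter and clients.conf entries in the message above, modelled as an added example (not part of the original post, and not FreeRADIUS code). The directory entries, client shortnames and function names are constructed for illustration; escaping the user name per RFC 4515 and rejecting when a client has no service keyword are assumptions of this model.

```python
import re

# Constructed sample data (not from the post): LDAP entries and clients.conf keywords.
DIRECTORY = [
    {"uid": ["guy"], "authorizedService": ["VPN", "WiFi"]},
    {"uid": ["alice"], "authorizedService": ["WiFi"]},
    {"uid": ["bob"]},  # no authorizedService attribute at all
]
CLIENTS = {"vpn": {"service": "VPN"}, "wifi": {"service": "WiFi"}, "legacy": {}}

def escape(value):
    """Escape an RFC 4515 assertion value so user input stays a literal."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\0" else c for c in value)

def build_filter(request, shortname):
    """Expand the post's filter for one request; None if the client has no service."""
    user = request.get("Stripped-User-Name") or request["User-Name"]
    service = CLIENTS.get(shortname, {}).get("service")
    if not service:
        return None  # assumption of this model: fail closed on an unlabelled client
    return "(&(uid=%s)(authorizedService=%s))" % (escape(user), escape(service))

def _matches(entry, attr, pattern):
    """Match one term: a raw '*' is a wildcard, an escaped \\xx pair is a literal."""
    unhex = lambda part: re.sub(r"\\([0-9a-fA-F]{2})",
                                lambda m: chr(int(m.group(1), 16)), part)
    regex = ".*".join(re.escape(unhex(p)) for p in pattern.split("*"))
    return any(re.fullmatch(regex, v) for v in entry.get(attr, []))

def search(ldap_filter):
    """Return uids of entries matching every (attr=value) term of an AND filter."""
    terms = re.findall(r"\((\w+)=([^()]*)\)", ldap_filter)
    return [e["uid"][0] for e in DIRECTORY
            if all(_matches(e, a, p) for a, p in terms)]

def authorize(request, shortname):
    """Accept only when the filter for this client matches the user's entry."""
    ldap_filter = build_filter(request, shortname)
    return ldap_filter is not None and bool(search(ldap_filter))

if __name__ == "__main__":
    for name, nas in [("guy", "vpn"), ("alice", "vpn"), ("bob", "wifi"), ("guy", "legacy")]:
        print(name, nas, "Accept" if authorize({"User-Name": name}, nas) else "Reject")
```

A user with no authorizedService value for the requesting client simply yields no search result, so the per-NAS restriction depends on every client carrying a service keyword and on the user name reaching the filter as a literal value.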