OpenDirectory VLAN Assignment by Group

Theparanoidone Theparanoidone theparanoidone at yahoo.com
Mon Aug 20 19:54:13 CEST 2012 

Greetings~

Previously using radius, we were able to assign VLAN based upon group membership using the following syntax in   /etc/raddb/users   :


DEFAULT Group-Name == "testgroup"
       Tunnel-Type = 13,
       Tunnel-Medium-Type = 6,
       Tunnel-Private-Group-Id = "100",
       Fall-Through = no

Now with FreeRADIUS Version 2.1.12, we are unable to make the above syntax work anymore.

After some reading, we stumbled upon a someone with a similar issue who claimed that you now have to place the post-auth section of   /etc/raddb/sites-enabled/default  ... we had to make some modifications to the syntax as well:

update reply {

                Tunnel-Private-Group-Id = 100
                Tunnel-Type = VLAN
                Tunnel-Medium-Type = IEEE-802
                Tunnel-Preference = 0x000000
}

While the above syntax does appear to properly assign the VLAN ... we are unable to match this against the Group-Name field  (so the following does not work): 

if(Group-Name == "testgroup") {
        update reply {
                Tunnel-Private-Group-Id = 100
                Tunnel-Type = VLAN
                Tunnel-Medium-Type = IEEE-802
                Tunnel-Preference = 0x000000
        }
}

We are able to get the if syntax to expand upon User-Name like the following  (just Group-Name doesn't work):

if(User-Name == "testuser") {
        update reply {
                Tunnel-Private-Group-Id = 100
                Tunnel-Type = VLAN
                Tunnel-Medium-Type = IEEE-802
                Tunnel-Preference = 0x000000
        }
}

However ... we appear unable to get any variable to expand that relates to group.   (we have tried Group Group-Name Ldap-Group LDAP-Group gid group all without success).   It would be ideal to base VLAN membership off of group as opposed to individual user.


Questions:

1)  Is there a way to echo out *all* variables that radiusd -X has access to at the time of testing so we can perhaps see what field contains the valid group on?

2)  Does anyone know what the variable for groups we should be using is?

3)  Is there documentation that covers the change in syntax as I described above?  (... I'm sure just not finding it but I have been looking)

(This is on the latest version of Apple's deployment of freeradius that relies on OpenDirectory)

(We will try and contact Apple as well... but I'm imaging this request will be beyond their capabilities... echoing out all variables may get us a solution faster???)

Thank you in advance for any advice or pointers to relevant documentation.

More information about the Freeradius-Users mailing list