Authorization with Active Directory

Phil Mayers p.mayers at imperial.ac.uk
Thu Jan 26 17:42:28 CET 2012


On 01/26/2012 02:41 PM, suggestme wrote:

> I tried using Called-Station-Id to check the condition, which is OK for
> now for testing, but which I guess is not feasible if there are thousands
> of NAS devices. I don't know what would be the best test condition for this.

There are many options. You could match on Client-Shortname with the 
following client def:

client VPN-1 {
   ipaddr = 192.0.2.1
   secret = ...
}

...and then in authorize:

authorize {
   ...
   if (Client-Shortname =~ /^VPN/) {
    ..
   }
}

Or use Huntgroup-Name and huntgroups.

>
> But now I am facing the problem that I can't use more than one If condition
> inside unlang to test the conditions inside the Ldap module (if I am correct
> in my understanding).

Sorry, I don't understand what you mean here.

>
> And also, using the filter defined as above inside the Ldap module, some users
> of Active Directory who don't have extensionAttribute10 might get rejected.
> These users should get default acceptance, but should be granted access to
> VPN or wifi if a value is assigned to them in extensionAttribute10. If they
> don't have the attribute defined, they should still get accepted as a default user.

Well, you need to write your LDAP filter correctly. I suggest you read 
the LDAP filter syntax.

Another option, which you've almost figured out, is to pull the data 
from LDAP then do the decisions in unlang.

> Is there any easy way to check a condition for a particular attribute of
> Active Directory? And I don't know where to check this, if I am already
> using an If conditional statement for returning the Filter-Id inside the Ldap
> module.
>
> In my understanding, people check this type of condition for the
> users that are defined in the "users" file as:
>
> bob         User-Password == "testing", Connection-Type := "VPN"
>
> But I am not sure how to check like this, even if I define it in
> ldap.attrmap as:
>
> checkItem       Connection-Type                    extensionAttribute10

Ok, several steps:

  1. Define your attribute in /etc/raddb/dictionary e.g.

ATTRIBUTE	My-Extension10	3010	string

  2. Define the LDAP -> RADIUS mapping in ldap.attrmap

checkItem	My-Extension10	extensionAttribute10

  3. Run the LDAP module, then compare the attribute. Note - because 
you've mapped the item to check/control lists, you can't use a "users" 
file - you must use unlang, like so:

authorize {
   ...
   ldap
   # checkItem entries land in the control list, so qualify the name
   if (control:My-Extension10 == "VPN") {
     ..
   }
}

...or more likely:

authorize {
   ..
   ldap
   if (Client-Shortname =~ /^VPN/) {
     if (control:My-Extension10 == "VPN") {
       # permit
     }
     else {
       reject
     }
   }
   ...
}

HTH
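Putting the three steps above together into one configuration, as an added example written for this page (not code from the thread or from the FreeRADIUS project). It assumes the FreeRADIUS 2.x file layout, the attribute number 3010 from the post, client names beginning with VPN or WIFI as the two NAS types, the values "VPN" and "WIFI" in extensionAttribute10, and the Filter-Id names shown; all of these are hypothetical, and the AD server name, bind DN and base DN are placeholders. Because the attribute is mapped with checkItem it is placed in the control list, so the unlang conditions reference it as control:My-Extension10. Users whose AD object has no extensionAttribute10 are accepted with a restrictive Filter-Id rather than rejected, which is one reading of "default user"; change that branch if the intended policy differs.

```text
# /etc/raddb/dictionary  (local dictionary; 3010 is the number used in the post)
ATTRIBUTE       My-Extension10  3010    string

# /etc/raddb/ldap.attrmap  (checkItem puts the value in the control list)
checkItem       My-Extension10  extensionAttribute10

# /etc/raddb/modules/ldap  (relevant lines only; the filter selects the user by
# name only, so users without extensionAttribute10 are still found and the
# decision is left to unlang)
ldap {
    server = "dc.example.com"
    identity = "cn=radius,cn=Users,dc=example,dc=com"
    password = ...
    basedn = "dc=example,dc=com"
    filter = "(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})"
    dictionary_mapping = ${confdir}/ldap.attrmap
}

# /etc/raddb/clients.conf  (assumed: the client name doubles as Client-Shortname)
client VPN-1 {
    ipaddr = 192.0.2.1
    secret = ...
}
client WIFI-1 {
    ipaddr = 192.0.2.2
    secret = ...
}

# /etc/raddb/sites-enabled/default, authorize section
authorize {
    preprocess
    ...
    ldap

    # No extensionAttribute10 on the AD object: accepted as a default user,
    # but the NAS is told to apply a restrictive filter (assumed policy).
    if (!control:My-Extension10) {
        update reply {
            Filter-Id := "default-users"
        }
    }
    # Request came from a VPN concentrator: only users tagged VPN may pass.
    elsif (Client-Shortname =~ /^VPN/) {
        if (control:My-Extension10 == "VPN") {
            update reply {
                Filter-Id := "vpn-users"
            }
        }
        else {
            reject
        }
    }
    # Request came from a wireless controller: only users tagged WIFI may pass.
    elsif (Client-Shortname =~ /^WIFI/) {
        if (control:My-Extension10 == "WIFI") {
            update reply {
                Filter-Id := "wifi-users"
            }
        }
        else {
            reject
        }
    }
    ...
}
```

Start the server with radiusd -X and send a test request from an address listed as a VPN or WIFI client; the debug output prints the control list after the ldap call, so you can confirm My-Extension10 was populated before the condition is evaluated. If you would rather take the first option and do it in the LDAP filter, the RFC 4515 test for an absent attribute is (!(extensionAttribute10=*)), OR-ed with the values you allow. Note that Client-Shortname, like Huntgroup-Name, is derived from the NAS source address matched in clients.conf, so the per-NAS decision is only as trustworthy as that list and the shared secrets behind it.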
