Active Directory + LDAP + groups for dynamic VLAN assignment
Matthew Ceroni
matthewceroni at gmail.com
Thu Jan 10 01:51:22 CET 2013
Hi:
I am using FreeRadius version 2.1.12 on CentOS6.
I am authenticating against Active Directory (that works). And authorizing
against LDAP (that works as well).
I am trying to return attributes, used for VLAN assignment, based on the
usersDN.
In my /etc/raddb/sites-enabled/default (and inner-tunnel) I have the
following
    #
    #  The ldap module will set Auth-Type to LDAP if it has not
    #  already been set
    ldap

    if (control:Ldap-UserDn =~ /OU=QA/) {
        update reply {
            Tunnel-Type:1 := 13
            Tunnel-Medium-Type:1 := 6
            Tunnel-Private-Group-Id:1 := 7
        }
    }
    elsif (control:Ldap-UserDn =~ /OU=IT/) {
        update reply {
            Tunnel-Type:1 := 13
            Tunnel-Medium-Type:1 := 6
            Tunnel-Private-Group-Id:1 := 2
        }
    }
    else {
        update reply {
            Tunnel-Type:1 := 13
            Tunnel-Medium-Type:1 := 6
            Tunnel-Private-Group-Id:1 := 21
        }
    }
in the authorize section. That works: when authorize is done, it queries
LDAP successfully.
Looking through the radius debug I see the IF statements processing:
rad_recv: Access-Request packet from host 127.0.0.1 port 48400, id=0, length=122
User-Name = "mceroni"
NAS-IP-Address = 127.0.0.1
Calling-Station-Id = "02-00-00-00-00-01"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 11Mbps 802.11b"
EAP-Message = 0x0200000c016d6365726f6e69
Message-Authenticator = 0xc429bf6a61dfc3cf27f1b6dc84f4e558
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "mceroni", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[ntdomain] No '\' in User-Name = "mceroni", looking up realm NULL
[ntdomain] No such realm "NULL"
++[ntdomain] returns noop
[eap] EAP packet type response id 0 length 12
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
[ldap] performing user authorization for mceroni
[ldap] expand: %{Stripped-User-Name} ->
[ldap] ... expanding second conditional
[ldap] expand: %{User-Name} -> mceroni
[ldap] expand: (samAccountName=%{%{Stripped-User-Name}:-%{User-Name}}) -> (samAccountName=mceroni)
[ldap] expand: ou=Clairmail OU,dc=clairmail,dc=local -> ou=Clairmail OU,dc=clairmail,dc=local
[ldap] ldap_get_conn: Checking Id: 0
[ldap] ldap_get_conn: Got Id: 0
[ldap] attempting LDAP reconnection
[ldap] (re)connect to cmad01.clairmail.local:389, authentication 0
[ldap] bind as svnadmin at clairmail.local/iBis93sLit+ to cmad01.clairmail.local:389
[ldap] waiting for bind result ...
[ldap] Bind was successful
[ldap] performing search in ou=Clairmail OU,dc=clairmail,dc=local, with filter (samAccountName=mceroni)
[ldap] looking for check items in directory...
[ldap] looking for reply items in directory...
WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly?
[ldap] user mceroni authorized to use remote access
[ldap] ldap_release_conn: Release Id: 0
++[ldap] returns ok
++? if (control:Ldap-UserDn =~ /OU=QA/)
? Evaluating (control:Ldap-UserDn =~ /OU=QA/) -> FALSE
++? if (control:Ldap-UserDn =~ /OU=QA/) -> FALSE
++? elsif (control:Ldap-UserDn =~ /OU=IT/)
? Evaluating (control:Ldap-UserDn =~ /OU=IT/) -> TRUE
++? elsif (control:Ldap-UserDn =~ /OU=IT/) -> TRUE
++- entering elsif (control:Ldap-UserDn =~ /OU=IT/) {...}
+++[reply] returns ok
And it appears to set the attributes:
+[pap] returns noop
++? if ("%{request:User-Name}" =~ /^host\/(.*).clairmail.local$/)
expand: %{request:User-Name} -> mceroni
? Evaluating ("%{request:User-Name}" =~ /^host\/(.*).clairmail.local$/) -> FALSE
++? if ("%{request:User-Name}" =~ /^host\/(.*).clairmail.local$/) -> FALSE
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type tls
[tls] Initiate
[tls] Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 0 to 127.0.0.1 port 48400
Tunnel-Type:1 = VLAN
Tunnel-Medium-Type:1 = IEEE-802
Tunnel-Private-Group-Id:1 = "2"
EAP-Message = 0x010100061920
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x2a1689d42a17904c9b87561fac99b7b3
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 127.0.0.1 port 48400, id=1, length=250
User-Name = "mceroni"
NAS-IP-Address = 127.0.0.1
Calling-Station-Id = "02-00-00-00-00-01"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 11Mbps 802.11b"
EAP-Message = 0x0201007a198000000070160301006b01000067030150ee101279602ec4eddc8d6cfc926da85eee0e034a2c20ea6abd4fd75e1ea55500003a00390038008800870035008400160013000a00330032009a009900450044002f00960041000500040015001200090014001100080006000300ff0100000400230000
State = 0x2a1689d42a17904c9b87561fac99b7b3
Message-Authenticator = 0x0a3e365c6cd7a8ae795def8cb962360e
But in the final response those attributes are not there.
Sending Access-Accept of id 9 to 127.0.0.1 port 48400
MS-MPPE-Recv-Key = 0xf318d3dd21910be1544fd848af03baebe4f23ae85b786100b02b967d4cc1761e
MS-MPPE-Send-Key = 0xa01a409bf3f54388c69613c576e657605022285909917ddbee9e52e776c3b0e1
EAP-Message = 0x03090004
Message-Authenticator = 0x00000000000000000000000000000000
User-Name = "mceroni"
Any help would be appreciated.
Thanks
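An added example, not part of Matthew's post and not FreeRADIUS code: the post selects a VLAN with unanchored, case-sensitive regexes such as /OU=IT/ against the whole DN string, so any OU whose name merely starts with "IT" (a constructed "OU=ITContractors", say) would also land in VLAN 2, while a DN written as "ou=it" would fall through to the default. The Python below parses the DN into its RDN components and matches the OU as a whole component instead, and keeps the post's substring logic alongside for comparison. The DNs, the OU-to-VLAN table (QA -> 7, IT -> 2, otherwise 21, mirroring the post) and the function names are all constructed for this example.

```python
"""Whole-component OU matching for VLAN assignment (constructed example,
not from the original post or from FreeRADIUS)."""
import re
from typing import Dict, List, Tuple

# Mirrors the post's unlang: OU=QA -> VLAN 7, OU=IT -> VLAN 2, else VLAN 21.
OU_TO_VLAN: Dict[str, int] = {"QA": 7, "IT": 2}
DEFAULT_VLAN = 21


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Split a DN into (attribute type, value) pairs, most specific RDN first.

    Commas escaped as '\\,' inside a value are kept with the value rather
    than treated as RDN separators. Multi-valued RDNs ('+') are not handled;
    this is enough for the plain AD user DNs the post deals with."""
    rdns: List[Tuple[str, str]] = []
    for rdn in re.split(r"(?<!\\),", dn):
        attr_type, _, value = rdn.partition("=")
        rdns.append((attr_type.strip().upper(), value.strip().replace("\\,", ",")))
    return rdns


def user_ous(dn: str) -> List[str]:
    """All OU values in the DN, leaf-most first."""
    return [value for attr_type, value in parse_dn(dn) if attr_type == "OU"]


def vlan_for_dn(dn: str) -> int:
    """Whole-component match: the user is in OU 'IT' only if some RDN is
    exactly OU=IT (compared case-insensitively, as AD DN values usually are).
    Walking leaf-most first means the most specific mapped OU wins."""
    for ou in user_ous(dn):
        vlan = OU_TO_VLAN.get(ou.upper())
        if vlan is not None:
            return vlan
    return DEFAULT_VLAN


def substring_vlan(dn: str) -> int:
    """The post's logic for comparison: unanchored, case-sensitive regexes
    /OU=QA/ then /OU=IT/ over the whole DN string."""
    if re.search(r"OU=QA", dn):
        return 7
    if re.search(r"OU=IT", dn):
        return 2
    return DEFAULT_VLAN


def reply_attributes(dn: str) -> Dict[str, str]:
    """The Tunnel-* reply items the post returns (13 = VLAN, 6 = IEEE-802),
    using the whole-component VLAN choice."""
    return {
        "Tunnel-Type:1": "13",
        "Tunnel-Medium-Type:1": "6",
        "Tunnel-Private-Group-Id:1": str(vlan_for_dn(dn)),
    }


if __name__ == "__main__":
    # Constructed sample DNs; only the first resembles the post's directory.
    samples = [
        "CN=mceroni,OU=IT,OU=Clairmail OU,DC=clairmail,DC=local",
        "CN=temp,OU=ITContractors,OU=Clairmail OU,DC=clairmail,DC=local",
        "CN=bob,ou=it,OU=Clairmail OU,DC=clairmail,DC=local",
        "CN=Smith\\, John,OU=QA,DC=clairmail,DC=local",
    ]
    for dn in samples:
        print(f"{dn}\n  substring regex -> VLAN {substring_vlan(dn)}"
              f"\n  whole component -> VLAN {vlan_for_dn(dn)}")
```

Running it shows the two approaches agreeing on the plain "OU=IT" user and disagreeing on the other constructed DNs: the substring regex puts "OU=ITContractors" into VLAN 2 and sends "ou=it" to the default VLAN, while the component match does the opposite. In unlang the same tightening can be done by anchoring the regex on the RDN separators (for example matching "OU=IT," rather than "OU=IT"), which is cheaper to audit than a list of exceptions. Separately from the matching, the post's debug shows the attributes in the Access-Challenge but not in the Access-Accept; in FreeRADIUS 2.x the eap.conf `use_tunneled_reply` setting in the peap/ttls sections governs whether reply items set in inner-tunnel are copied to the outer reply, and the log does not say which EAP method or setting is in use, so that is something to check rather than a diagnosis.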